Hosting Provided By

Re: web application access control research

From: Ray Stirbei <me(at)highentropy.org>
Date: Thu Apr 24 2003 - 00:51:09 EDT

I completely agree with Jeff and would just like to add: 1) the reference monitor (that deals to all references/requests to objects) is really the center of gravity for security. 2) the access control matrix is the focal point of an application's security policy. Things of less importance, but necessary, to think about in a policy: password length/aging/changes, what to do with inactive user ids, how to handle password compromise, etc. A comprehensive infosec policy (among other things) is what separates an amateur development team from the pros. 3) if an architect isn't very familiar with reference monitors, it might be best to buy instead of build. There are many competent commercial products in this space.
4) if it intent is to build regardless, one doesn't have to start from scratch; that is what design patterns are for. 'A system of patterns' (published by Wiley) is highly recommended and the patterns are platform independent. 'J2EE Design Patterns Applied' (published by Wrox) is obviously platform specific and includes source code. Look up the security patterns like 'single access point', 'check point', etc - they start on page 200.

Hope that helps

ray

On Wednesday 23 April 2003 08:30 pm, Jeff Williams @ Aspect wrote:
> Andy,
Received on Thu Apr 24 01:45:05 2003

This message: [ Message body ]
Next message: Shaji Sethu: "RE: Web app based on .net - best practice?"
Previous message: Gary Flynn: "Re: RES: Web app based on .net - best practice?"
In reply to Jeff Williams (at) Aspect: "Re: web application access control research"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:50 EDT