Secure Coding mailing list archives
Bugs and flaws
From: gunnar at arctecgroup.net (Gunnar Peterson)
Date: Wed, 1 Feb 2006 16:53:02 -0600
Hi John,
Which of the following more aptly characterizes the problem?:
IMPL. BUG: Insufficient security-constraint existed on the admin Servlet in the app's deployment descriptor.
ARCH. FLAW: No façade component gated privileged functionality
-alternatively-
ARCH. FLAW: Privileged functionality incapable of judging Principal's entitlement (both fine, one user changing another's password, or coarse, application functionality improperly accessed)
Clausewitz said to be strong, first in general, and then at the decisive point. Assuming you consider authentication and authorization on admin functions a decisive point, then this scenario is a failure in both instances. The question you raise is locating the responsibility to deal with this problem. In a distributed system, there are many potential areas to locate those controls. Problems do not necessarily have to be solved (and in some cases cannot be) at the same logical layer they were created (http://1raindrop.typepad.com/1_raindrop/2005/11/thinking_in_lay.html). Would an authenticating reverse proxy have prevented this problem? How about stronger identity protocols?
-gp
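The two framings in the quoted question (a missing security-constraint in the deployment descriptor versus a missing façade that judges the Principal's entitlement) can be shown side by side. The following is an added example, not code from the thread or from any of its participants: the web.xml fragment in the comment is the declarative, coarse (role-only) fix, and the Java class is a hypothetical façade that is the single path to the password store and applies the fine-grained rule (a user may change their own password, only an admin may change another's). The names AccountFacade, PasswordStore and the role names are assumptions.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

/*
 * Fix at the deployment-descriptor layer (coarse: only a role is checked).
 * Constructed web.xml fragment, not from the original message:
 *
 *   <security-constraint>
 *     <web-resource-collection>
 *       <web-resource-name>admin</web-resource-name>
 *       <url-pattern>/admin/*</url-pattern>
 *     </web-resource-collection>
 *     <auth-constraint>
 *       <role-name>admin</role-name>
 *     </auth-constraint>
 *   </security-constraint>
 *
 * Fix at the architectural layer: a façade that every caller must go through,
 * which can judge whether THIS Principal may act on THAT account.
 */
public class AccountFacade {

    /** Minimal stand-in for the application's password store (hypothetical). */
    public interface PasswordStore {
        void setPassword(String username, char[] newPassword);
    }

    /** Thrown when the caller is not entitled to the requested operation. */
    public static final class AccessDenied extends RuntimeException {
        public AccessDenied(String msg) { super(msg); }
    }

    private final PasswordStore store;
    private final Map<String, Set<String>> rolesByUser; // principal name -> roles

    public AccountFacade(PasswordStore store, Map<String, Set<String>> rolesByUser) {
        this.store = store;
        this.rolesByUser = rolesByUser;
    }

    /**
     * Entitlement rule, kept in one place so no code path can bypass it:
     * a user may change their own password; only an admin may change someone else's.
     * Unauthenticated callers are denied by default.
     */
    public boolean isEntitledToChangePassword(Principal caller, String targetUser) {
        if (caller == null || caller.getName() == null) {
            return false;
        }
        if (caller.getName().equals(targetUser)) {
            return true; // self-service
        }
        Set<String> roles = rolesByUser.getOrDefault(caller.getName(), Set.of());
        return roles.contains("admin");
    }

    /** The only entry point that reaches the store; it always applies the rule. */
    public void changePassword(Principal caller, String targetUser, char[] newPassword) {
        if (!isEntitledToChangePassword(caller, targetUser)) {
            String who = (caller == null) ? "anonymous" : caller.getName();
            throw new AccessDenied(who + " may not change the password of " + targetUser);
        }
        store.setPassword(targetUser, newPassword);
    }

    // Demonstration with constructed principals and an in-memory store.
    public static void main(String[] args) {
        Map<String, char[]> db = new HashMap<>();
        AccountFacade facade = new AccountFacade(db::put,
                Map.of("alice", Set.of("user"), "root", Set.of("admin")));

        Principal alice = () -> "alice";
        Principal root = () -> "root";

        facade.changePassword(alice, "alice", "new-pw".toCharArray()); // allowed: own account
        facade.changePassword(root, "bob", "reset".toCharArray());     // allowed: admin role

        Principal[] callers = { alice, null };
        for (Principal p : callers) {
            try {
                facade.changePassword(p, "bob", "x".toCharArray());     // denied in both cases
            } catch (AccessDenied e) {
                System.out.println("denied: " + e.getMessage());
            }
        }
    }
}
```

The descriptor alone would let any "admin" change any password and says nothing about "alice" changing "bob"'s password through a non-admin URL; the façade catches that case because the entitlement check is attached to the operation rather than to a URL pattern, which is the distinction the quoted question draws between the implementation bug and the architectural flaw.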
Current thread:
- Bugs and flaws Gary McGraw (Jan 30)
- Bugs and flaws Crispin Cowan (Jan 31)
- Bugs and flaws John Steven (Feb 01)
- Bugs and flaws Crispin Cowan (Feb 01)
- Bugs and flaws Wall, Kevin (Feb 02)
- Bugs and flaws John Steven (Feb 02)
- Bugs and flaws Crispin Cowan (Feb 02)
- Bugs and flaws John Steven (Feb 01)
- Bugs and flaws Jeff Williams (Feb 02)
- Bugs and flaws Crispin Cowan (Jan 31)
- Bugs and flaws Gunnar Peterson (Feb 01)
- <Possible follow-ups>
- Bugs and flaws Steven M. Bellovin (Feb 01)
- Bugs and flaws Gary McGraw (Feb 02)
- Bugs and flaws Chris Wysopal (Feb 02)
- Bugs and flaws David Crocker (Feb 02)
- Bugs and flaws Chris Wysopal (Feb 02)
- Bugs and flaws Blue Boar (Feb 02)
- Bugs and flaws Al Eridani (Feb 03)
- Bugs and flaws Chris Wysopal (Feb 02)
- Bugs and flaws Gunnar Peterson (Feb 02)
- Bugs and flaws Kenneth R. van Wyk (Feb 03)