WebApp Sec mailing list archives
Re: web application access control research
From: Ray Stirbei <me () highentropy org>
Date: Tue, 22 Apr 2003 19:38:20 -0400
Andy,

The access control section of the OWASP Guide is in the process of an overhaul and you should check the CVS repository next week because it will address some of these issues.

In terms of research, you'll find a great deal of papers here: http://citeseer.nj.nec.com/Security/AccessControl/

If you are building a web application, the general questions to ask are:

Should I use single sign on?
What authentication model / authorization model?
Should I build (ie. Java JAAS)?
Should I purchase? (ie Tivoli, Access360, BMC, Courion, CA, Entact, etc)

Pick what makes sense for your application and business requirements.

If you are testing a web application you can use scripts to test HTTP Basic/Digest/Forms authentication or packaged tools like Brutus, Entry, BeatLM, Hydra, etc.

I think the general trend in access and identity management is toward better integrated systems internally and towards federation externally (Liberty Alliance / MS Passport). XML standards like SAML, XACML, XKMS, DSML are critical here. Web based access management systems (like SiteMinder) are being increasingly used for centralized policy management. I'd be surprised if you can't find a Gartner (or other analyst) report on this topic. I found a synopsis by Giga here while looking for something else: http://www.csoonline.com/analyst/report576.html

Hope that helps

ray

On Tuesday 22 April 2003 06:46 pm, absmith () cerias purdue edu wrote:
> All,
>
> Besides the OWASP Guide, can anyone point me to papers/articles that deal with the issues of access control of web applications? I am looking to do a survey paper on this topic. Basically, I am looking for references that talk about access control in regards to web applications: current trends, research, tools, software, ideas, etc.
>
> Any help would be great. Thanks in advance!
>
> - Andy