WebApp Sec mailing list archives
Re: Security Patterns - Military Models
From: Peter Conrad <conrad () tivano de>
Date: Fri, 23 Jul 2004 10:08:07 +0200
Hi,

On Thu, Jul 22, 2004 at 08:34:49PM -0400, Mark Curphey wrote:
> I was introduced to this by some of my Foundstone work colleagues a few weeks ago and I think it's very cool indeed, so thought I would share it. http://www.joeyoder.com/papers/patterns/Security/appsec.doc

Interesting. Mostly because it's from '97 and still mostly valid. Also, because some of the patterns have become de-facto standards of today's web application servers. E.g. sessions are built in to a wide variety of web application languages / APIs like the Java Servlet API, PHP, ASP etc. User roles are an integral part of J2EE.

I have also spotted one error: when the "Limited View" pattern is applied to a web application, the security checks cannot be performed "up front". That's because an attacker can do much more than what the GUI allows, by manipulating HTTP requests. In web application security it is a serious error to evaluate the security of an application by looking at a browser GUI. The only correct point to look at is the network interface of the server machine.

Bye,
Peter
-- 
Peter Conrad                 Tel: +49 6102 / 80 99 072
[ t]ivano Software GmbH      Fax: +49 6102 / 80 99 071
Bahnhofstr. 18               http://www.tivano.de/
63263 Neu-Isenburg
Germany
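The point Peter makes about "Limited View" is worth seeing as a request on the wire. The following is an added example and not code from the post or from the paper it discusses: it parses a raw HTTP request the way the server's network interface sees it, and contrasts a handler that trusts the GUI to have offered only permitted actions with one that re-checks the session's role against a policy on every request. The role policy (`PERMISSIONS`), the session table (`SESSIONS`), the `/app?action=...` URL scheme and the `sid` cookie are all constructed assumptions for the example, not anything a particular framework provides.

```python
"""Added example (not from the mailing-list post): a browser-side "Limited
View" is a usability feature, not a security boundary. The policy, session
table and raw HTTP requests below are constructed sample data."""
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Constructed sample policy: which actions each role may invoke.
PERMISSIONS = {
    "user": {"view_profile", "edit_profile"},
    "admin": {"view_profile", "edit_profile", "list_users", "delete_user"},
}

# Constructed server-side session store: session id -> role.
SESSIONS = {"sess-alice": "user", "sess-bob": "admin"}


def render_menu(role):
    """Limited View: the GUI shows only the actions the role may use.
    Nothing here constrains what a client actually sends."""
    return sorted(PERMISSIONS[role])


def parse_request(raw):
    """Parse a raw HTTP/1.1 GET request, as seen on the server's network
    interface, into (session_id, action, params). Only the pieces this
    example needs are extracted."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    if method != "GET":
        raise ValueError("example handles GET only")
    params = {k: v[0] for k, v in parse_qs(urlsplit(target).query).items()}
    session_id = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "cookie":
            cookie = SimpleCookie()
            cookie.load(value.strip())
            if "sid" in cookie:
                session_id = cookie["sid"].value
    return session_id, params.pop("action", None), params


def handle_gui_only(raw):
    """Vulnerable: assumes the check happened "up front" in the GUI, so the
    server authenticates the session but never authorizes the action."""
    session_id, action, params = parse_request(raw)
    role = SESSIONS.get(session_id)
    if role is None:
        return 401, "no valid session"
    return 200, f"{role} executed {action} {params}"


def handle_checked(raw):
    """Hardened: authorization is evaluated on the server for every request,
    independent of what the GUI offered."""
    session_id, action, params = parse_request(raw)
    role = SESSIONS.get(session_id)
    if role is None:
        return 401, "no valid session"
    if action not in PERMISSIONS[role]:
        return 403, f"{role} may not {action}"
    return 200, f"{role} executed {action} {params}"


# Constructed raw requests. Alice's menu never shows a delete link, but
# nothing stops her, or anyone holding her session, from sending one.
ALICE_MENU_CLICK = (
    "GET /app?action=edit_profile HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Cookie: sid=sess-alice\r\n\r\n"
)
ALICE_FORGED = (
    "GET /app?action=delete_user&target=bob HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Cookie: sid=sess-alice\r\n\r\n"
)

if __name__ == "__main__":
    print("menu shown to a user:", render_menu("user"))
    print("gui-only handler, forged request:", handle_gui_only(ALICE_FORGED))
    print("checked handler, forged request:", handle_checked(ALICE_FORGED))
```

Running it shows the user's menu without `delete_user`, yet `handle_gui_only` happily executes the forged delete, while `handle_checked` returns 403. This is the "network interface of the server" view Peter describes: the only check that counts is the one the server performs on the request it actually received.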
Current thread:
- Security Patterns - Military Models Mark Curphey (Jul 22)
- Re: Security Patterns - Military Models Peter Conrad (Jul 23)
- Re: Security Patterns - Military Models Herman Stevens (Jul 23)
- RE: Security Patterns - Military Models Mark Curphey (Jul 23)
- RE: Security Patterns - Military Models Mark Curphey (Jul 23)
- Re: Security Patterns - Military Models Ivan Ristic (Jul 25)