WebApp Sec mailing list archives

Re: Security Patterns - Military Models


From: Peter Conrad <conrad () tivano de>
Date: Fri, 23 Jul 2004 10:08:07 +0200

Hi,

On Thu, Jul 22, 2004 at 08:34:49PM -0400, Mark Curphey wrote:
> I was introduced to this by some of my Foundstone work colleagues a few
> weeks ago and I think it's very cool indeed, so thought I would share it.
>
> http://www.joeyoder.com/papers/patterns/Security/appsec.doc

Interesting. Mostly because it's from '97 and still mostly valid. Also,
because some of the patterns have become de-facto standards of today's
web application servers. E.g. sessions are built into a wide variety
of web application languages / APIs like the Java Servlet API, PHP, ASP etc.
User roles are an integral part of J2EE.

I have also spotted one error:

When the "Limited View" pattern is applied to a web application, the
security checks cannot be performed "up front". That's because an attacker
can do much more than what the GUI allows, by manipulating HTTP requests.

In web application security it is a serious error to evaluate the security of
an application by looking at a browser GUI. The only correct point to look
at is the network interface of the server machine.

Bye,
        Peter
-- 
Peter Conrad                        Tel: +49 6102 / 80 99 072
[ t]ivano Software GmbH             Fax: +49 6102 / 80 99 071
Bahnhofstr. 18                      http://www.tivano.de/
63263 Neu-Isenburg
Germany
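The point Peter makes about "Limited View" can be shown in a few lines of server-side code. The following is an added example, not code from the thread or from the paper it discusses: a small request dispatcher with a constructed role/permission table. `limited_view()` is the GUI half of the pattern (it only lists the actions a role may use); `dispatch()` is the enforcement half and re-checks the permission on every request, because nothing stops a client from sending a URL the page never offered. `dispatch_trusting_gui()` is the flawed variant that assumes the GUI already did the filtering. All paths, roles and the `Request` type are hypothetical.

```python
"""Added example (not from the thread): "Limited View" as a GUI hint versus
a server-side authorization check that runs on every request.

Roles, actions and requests below are constructed sample data."""

from dataclasses import dataclass

# Constructed policy: which roles may invoke which server-side actions.
PERMISSIONS = {
    "/orders/list": {"user", "admin"},
    "/orders/cancel": {"user", "admin"},
    "/admin/delete_user": {"admin"},
}


@dataclass
class Request:
    path: str
    # Role bound to the server-side session; it is never read from
    # client-controlled data such as a form field or hidden input.
    session_role: str


def limited_view(role):
    """GUI half of the pattern: list only the actions this role may use.

    This decides what links a page renders, nothing more. It is not a
    security check, since the client can request any path it likes."""
    return sorted(path for path, roles in PERMISSIONS.items() if role in roles)


def handle_action(path):
    """Stand-in for the real business logic behind an action."""
    return f"executed {path}"


def dispatch(req):
    """Server-side enforcement: evaluated for every request at the network
    interface, regardless of whether the GUI ever showed the link."""
    allowed = PERMISSIONS.get(req.path)
    if allowed is None:
        return 404, "no such action"
    if req.session_role not in allowed:
        return 403, "forbidden"
    return 200, handle_action(req.path)


def dispatch_trusting_gui(req):
    """The mistake Peter describes: assuming a request must be legitimate
    because the GUI only offered permitted links. A crafted request for a
    hidden action is executed without any role check."""
    if req.path not in PERMISSIONS:
        return 404, "no such action"
    return 200, handle_action(req.path)


if __name__ == "__main__":
    # A "user" sees only the order actions in the GUI...
    print(limited_view("user"))
    # ...but a request for the hidden admin action still reaches the server.
    forged = Request("/admin/delete_user", "user")
    print(dispatch(forged))               # (403, 'forbidden')
    print(dispatch_trusting_gui(forged))  # (200, 'executed /admin/delete_user')
```

Auditing this from the browser would show a "user" who cannot reach the admin action; only looking at what `dispatch()` does with an arbitrary request reveals whether the check actually exists, which is the reviewer's point about where to evaluate a web application's security.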
