Web Security Constraints

satya - 6/11/2014 4:40:59 PM

All exceptions are not the same

A security exception is a special animal. Deal with it differently

satya - 6/11/2014 4:41:25 PM

Exceptions should be intercepted and translated prior to display

Exceptions should be intercepted and translated prior to display

satya - 6/11/2014 4:41:36 PM

Deal with security exceptions differently

Deal with security exceptions differently

satya - 6/11/2014 4:42:31 PM

Security exceptions should be environment aware (unit, test, prod)

Security exceptions should be environment aware (unit, test, prod)

satya - 6/11/2014 4:43:06 PM

All get and post URLs should have security constraints associated with them

All get and post URLs should have security constraints associated with them

satya - 6/11/2014 4:45:04 PM

Example of security constraints


NoConstraint: public
LoginConstraint: login required
UserConstraint: A specific user login required
RoleConstraint: A specific role required
ObjectAccessConstraint: A specific object constraint
ObjectState: A specific state in which that object is allowed to be read/updated.

satya - 6/11/2014 4:45:30 PM

The URL constraints should be verifiable

The URL constraints should be verifiable

satya - 6/11/2014 4:46:12 PM

All inputs to URLs validated

All inputs to URLs validated

satya - 6/11/2014 4:47:04 PM

All infused data should be validated

such as objects created out of database calls.

satya - 6/11/2014 8:19:22 PM

Examine every URL for client side and serverside division of variables

Examine every URL for client side and serverside division of variables

satya - 6/11/2014 8:19:50 PM

Show caution of using client side variables

Show caution of using client side variables

satya - 6/11/2014 8:23:31 PM

If you are using non-terminated values allow for terminations

like reading multiple lines in a properties file. You may leave something by mistake and you will not know the error.

satya - 6/11/2014 8:23:54 PM

This is less likely a problem in xml based configuration files but is in properties files

This is less likely a problem in xml based configuration files but is in properties files

satya - 6/11/2014 8:38:47 PM

Every developer should have a checklist on their desk

Every developer should have a checklist on their desk

satya - 6/11/2014 8:39:04 PM

Every developer should have an extra day just to do this

Every developer should have an extra day just to do this

satya - 6/11/2014 8:39:31 PM

Testing should get a list of all URLs and their constraints

Testing should get a list of all URLs and their constraints

satya - 6/11/2014 8:40:47 PM

I suspect that this check list (not the URLs) will be as high as 50 to a 100

I suspect that this check list (not the URLs) will be as high as 50 to a 100

satya - 6/11/2014 8:41:11 PM

This goes to show it is very very very time consuming to build a secure site from ground up!!

This goes to show it is very very very time consuming to build a secure site from ground up!!

satya - 6/11/2014 8:41:32 PM

A framework that captures and forces this metadata may be an option, like a typed language!

A framework that captures and forces this metadata may be an option, like a typed language!