Web Security Constraints
satya - 6/11/2014 4:40:59 PM
All exceptions are not the same
A security exception is a special animal. Deal with it differently
satya - 6/11/2014 4:41:25 PM
Exceptions should be intercepted and translated prior to display
Exceptions should be intercepted and translated prior to display
satya - 6/11/2014 4:41:36 PM
Deal with security exceptions differently
Deal with security exceptions differently
satya - 6/11/2014 4:42:31 PM
Security exceptions should be environment aware (unit, test, prod)
Security exceptions should be environment aware (unit, test, prod)
satya - 6/11/2014 4:43:06 PM
All get and post URLs should have security constraints associated with them
All get and post URLs should have security constraints associated with them
satya - 6/11/2014 4:45:04 PM
Example of security constraints
NoConstraint: public
LoginConstraint: login required
UserConstraint: A specific user login required
RoleConstraint: A specific role required
ObjectAccessConstraint: A specific object constraint
ObjectState: A specific state in which that object is allowed to be read/updated.
satya - 6/11/2014 4:45:30 PM
The URL constraints should be verifiable
The URL constraints should be verifiable
satya - 6/11/2014 4:46:12 PM
All inputs to URLs validated
All inputs to URLs validated
satya - 6/11/2014 4:47:04 PM
All infused data should be validated
such as objects created out of database calls.
satya - 6/11/2014 8:19:22 PM
Examine every URL for client side and serverside division of variables
Examine every URL for client side and serverside division of variables
satya - 6/11/2014 8:19:50 PM
Show caution of using client side variables
Show caution of using client side variables
satya - 6/11/2014 8:23:31 PM
If you are using non-terminated values allow for terminations
like reading multiple lines in a properties file. You may leave something by mistake and you will not know the error.
satya - 6/11/2014 8:23:54 PM
This is less likely a problem in xml based configuration files but is in properties files
This is less likely a problem in xml based configuration files but is in properties files
satya - 6/11/2014 8:38:47 PM
Every developer should have a checklist on their desk
Every developer should have a checklist on their desk
satya - 6/11/2014 8:39:04 PM
Every developer should have an extra day just to do this
Every developer should have an extra day just to do this
satya - 6/11/2014 8:39:31 PM
Testing should get a list of all URLs and their constraints
Testing should get a list of all URLs and their constraints
satya - 6/11/2014 8:40:47 PM
I suspect that this check list (not the URLs) will be as high as 50 to a 100
I suspect that this check list (not the URLs) will be as high as 50 to a 100
satya - 6/11/2014 8:41:11 PM
This goes to show it is very very very time consuming to build a secure site from ground up!!
This goes to show it is very very very time consuming to build a secure site from ground up!!
satya - 6/11/2014 8:41:32 PM
A framework that captures and forces this metadata may be an option, like a typed language!
A framework that captures and forces this metadata may be an option, like a typed language!