
Customising Web Application Security




  1. Customising Web Application Security
     Richard Wilson, University of Melbourne, Australia
     Daniel Lowes, University of Pretoria, South Africa

  2. Structure
     • What’s the problem?
     • Security on the Web
     • Custom implementations
     • Disadvantages
     • Advantages
     • Applicability

  3. What’s the problem?
     • Too many web applications reinvent the wheel
       • Limits applicability to a particular business / application / domain
       • Ignores the benefits of standard(ised) solutions
     • Short-sighted development
       • Little thought given to integration
       • No planning for extensibility

  4. Security on the Web
     • Two ways of implementing security:
       • Framework / middleware based
       • “Custom”
     • Framework
       • “Building Secure ASP.NET Web Applications”
       • .NET Roles
       • Principal Permission Demands
       • Declarative Checks

  5. What is a “custom” setup?
     • Independent of the application framework
       • E.g. written in C#, runs on Windows and *nix (Mono)
     • Standard model
       • Proven approaches to common issues
       • Tested for correctness
       • Optimised for performance
     • A pattern…
     • Not?
       • A random piece of downloaded code

  6. Popular Disadvantages
     • Can the pattern be trusted?
       • That’s why it needs to be a pattern
     • TIME and effort taken to set up
       • Specialist knowledge / training
       • Degree of expertise required
       • But cf. the 600 pages of framework guidelines
     • COST of development
       • Support? Bug fixes? Patches?
       • Have to maintain it ourselves

  7. Advantages
     • Fine-grain control
       • Impossible to implement per-entity control in any existing framework
       • Choice of implementation – ACLs, capabilities
     • Independence
       • Less reliance on external vendors’ interfaces
       • Less maintenance
     • Flexible
       • Adapt to specific needs
       • Faster, easier to maintain, cheaper
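Slides 4 and 7 contrast the framework's role-based checks (.NET roles, principal permission demands) with custom per-entity control built from ACLs or capabilities. The C# below is an added example, not code from the slides or from the silvernode project; the Document class, the Right enum, the Capability type and the user names are constructed for illustration. It runs the same request through a role check of the kind a declarative PrincipalPermission demand performs, then through a per-document ACL that denies by default, and finally through a capability token, the other implementation choice the slide names. It targets any .NET that provides System.Security.Principal, including Mono.

```csharp
// Added example (not from the slides): framework-style role check versus
// custom per-entity control. All entities, users and grants are constructed.
using System;
using System.Collections.Generic;
using System.Security.Principal;

enum Right { Read, Edit, Delete }

// Capability variant: an unforgeable token naming one document and one right.
// Possession of the token is the authorisation; no identity lookup is needed.
sealed class Capability
{
    public Document Target { get; }
    public Right Granted { get; }
    internal Capability(Document target, Right granted) { Target = target; Granted = granted; }
}

// The entity. Its ACL maps a user name to the rights that user holds on it alone.
class Document
{
    public string Id { get; }
    public string Owner { get; }
    private readonly Dictionary<string, HashSet<Right>> acl = new Dictionary<string, HashSet<Right>>();

    public Document(string id, string owner)
    {
        Id = id;
        Owner = owner;
        acl[owner] = new HashSet<Right> { Right.Read, Right.Edit, Right.Delete };
    }

    public void Grant(string user, params Right[] rights)
    {
        if (!acl.TryGetValue(user, out var set)) acl[user] = set = new HashSet<Right>();
        foreach (var r in rights) set.Add(r);
    }

    // Per-entity check: unauthenticated or unlisted principals are denied;
    // only this document's own ACL is consulted, never a global role.
    public bool Allows(IPrincipal p, Right right)
    {
        var name = p?.Identity?.Name;
        if (string.IsNullOrEmpty(name) || !p.Identity.IsAuthenticated) return false;
        return acl.TryGetValue(name, out var set) && set.Contains(right);
    }

    // Mint a capability only for a holder the ACL already authorises.
    public Capability Mint(IPrincipal holder, Right right)
        => Allows(holder, right) ? new Capability(this, right) : null;

    // Exercise a capability: the token must name this document and this right.
    public static bool Exercise(Capability cap, Document target, Right right)
        => cap != null && ReferenceEquals(cap.Target, target) && cap.Granted == right;
}

static class Program
{
    // Framework-style coarse check: any member of "Editor" may edit any document.
    static bool RoleBasedCanEdit(IPrincipal p) => p.IsInRole("Editor");

    static void Main()
    {
        var alice = new GenericPrincipal(new GenericIdentity("alice"), new[] { "Editor" });
        var bob   = new GenericPrincipal(new GenericIdentity("bob"),   new[] { "Editor" });
        var anon  = new GenericPrincipal(new GenericIdentity(""),      new string[0]);

        var doc = new Document("doc-42", "alice");   // alice owns it
        doc.Grant("bob", Right.Read);                // bob may only read it

        Console.WriteLine("role check,  bob edits doc-42:   " + RoleBasedCanEdit(bob));
        Console.WriteLine("ACL check,   bob edits doc-42:   " + doc.Allows(bob, Right.Edit));
        Console.WriteLine("ACL check,   bob reads doc-42:   " + doc.Allows(bob, Right.Read));
        Console.WriteLine("ACL check,   alice deletes:      " + doc.Allows(alice, Right.Delete));
        Console.WriteLine("ACL check,   anonymous reads:    " + doc.Allows(anon, Right.Read));

        // Capabilities: bob can obtain a Read token but not an Edit token.
        var readCap = doc.Mint(bob, Right.Read);
        var editCap = doc.Mint(bob, Right.Edit);
        Console.WriteLine("cap check,   bob's read token:   " + Document.Exercise(readCap, doc, Right.Read));
        Console.WriteLine("cap check,   bob's edit token:   " + Document.Exercise(editCap, doc, Right.Edit));
        Console.WriteLine("cap check,   read token for edit:" + Document.Exercise(readCap, doc, Right.Edit));
    }
}
```

The role check cannot distinguish one document from another, so two principals in the same role get the same answer for every entity; the ACL and capability checks are scoped to a single Document instance, which is the per-entity control the slide says the framework cannot express. Denying by default in Allows, and minting capabilities only from an ACL decision, keeps the two implementations consistent with each other.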

  8. Does everyone need it?
     • There are always trade-offs in software engineering
     • A custom implementation will take more development time (though not as much as you might think)
     • The higher degree of control may not even be required
       • In which case, frameworks are the way

  9. Does anyone need it?
     • Implementing fine-grain security control in current frameworks is messy
     • Specific to particular applications, thus hard to generalise an implementation
       • But the pattern can be applied across many domains
     • More comprehensive security = fewer headaches, less expenditure, less chaos

  10. In conclusion…
     • Software engineers like patterns…
     • Web application designers like security…
     • Managers want everything to be cheaper and faster…
     • Sound familiar?
     • A standardised, customised security model is the intersection of these three
     http://www.sagamedev.co.za
     http://sourceforge.net/projects/silvernode
