100 likes | 190 Views
Customising Web Application Security. Richard Wilson University of Melbourne, Australia Daniel Lowes University of Pretoria, South Africa. Structure. What’s the problem? Security on the Web Custom implementations Disadvantages Advantages Applicability. What’s the problem?.
E N D
Customising Web Application Security Richard Wilson University of Melbourne, Australia Daniel Lowes University of Pretoria, South Africa
Structure • What’s the problem? • Security on the Web • Custom implementations • Disadvantages • Advantages • Applicability
What’s the problem? • Too many web applications reinvent the wheel • Limit applicability to a particular business / application / domain • Ignores benefits of standard(ised) solutions • Short-sighted development • Little thought of integration • No planning for extendibility
Security on the Web • Two ways of implementing security: • Framework / middleware based • “Custom” • Framework • “Building Secure ASP.NET Web Applications” • .NET Roles • Principal Permission Demands • Declarative Checks
What is a “custom” setup? • Independent of application framework • Eg: Written in C#, runs on Windows, *nix (Mono) • Standard model • Proven approaches to common issues • Tested for correctness • Optimised for performance • A Pattern… • Not? • A random piece of downloaded code
Popular Disadvantages • Can the pattern be trusted? • That’s why it needs to be a pattern • TIME and effort taken to set up • Specialist knowledge / training • Degree of expertise required • But, cf. 600 pages of framework guidelines • COST of development • Support? Bug fixes? Patches? • Have to maintain it ourselves
Advantages • Fine-grain control • Impossible to implement per-entity control in any existing framework • Choice of implementation – ACLs, capabilities • Independence • Less reliance on external vendor’s interfaces • Less maintenance • Flexible • Adapt to specific needs • Faster, easier to maintain, cheaper
Does everyone need it? • There are always trade-offs in software engineering • A custom implementation will take more development time (though not as much as you might think) • The higher degree of control may not even be required • In which case: frameworks are the way
Does anyone need it? • Implementing fine-grain security control in current frameworks is messy • Specific to particular applications, thus hard to generalise an implementation • But, the pattern can be applied across many domains • More comprehensive security = less headaches, less expenditure, less chaos
In conclusion… • Software engineers like patterns… • Web application designers like security… • Managers want everything to be cheaper and faster… • Sound familiar? • A standardised, customised security model is an intersection of these three http://www.sagamedev.co.za http://sourceforge.net/projects/silvernode