Tag Archives: application security

Taking a Wider View of Application Security


As a software developer, you have a lot to worry about when writing and testing your code. But if you faithfully use secure coding guidelines from the Open Web Application Security Project (OWASP), test your code with security tools, and conduct peer code reviews, then your application will be secure, giving you worry-free sleep at night.

Wrong.

OK, sorry about that. I put that trap there for you, but I didn’t really expect you to step into it. I want to help you expand your thinking about application security.

Read the rest of the article here (redirects to softwaremag.com)

Logical access controls: subject and service access


Logical access controls are used to control whether and how subjects (usually persons) are able to access objects (usually data). Logical access controls work in a number of different ways, primarily:

  • Subject access. Here, a logical access control uses some means to determine the identity of the subject that is requesting access. Once the subject’s identity is known, the access control performs a function to determine whether that subject should be allowed to access the object. If access is permitted, the subject is allowed to proceed; if access is denied, the subject is not. An example of this type of access control is an application that first authenticates a user by requiring a user ID and password before permitting the user to access the application.
  • Service access. Here, a logical access control is used to control the types of messages that are allowed to pass through a control point. The logical access control is designed to permit or deny messages of specific types (and possibly also by origin and destination). An example of this type of access control is a firewall or screening router that makes pass/block decisions based upon the type of traffic, its origin, and its destination.

An analogy of these two types of access is a symphony hall with a parking garage. The parking garage (the “service access”) permits cars, trucks, and motorcycles to enter, but denies oversized vehicles from entering. Upstairs at the symphony box office (the “subject access”), persons are admitted if they possess a photo identification that matches a list of prepaid attendees.
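The two kinds of control described above, written out as code. This is an added example and not from the study guide: the service-access half is a first-match, default-deny packet filter that decides on protocol, origin and destination; the subject-access half authenticates a user ID and password and only then checks an ACL on the requested object. The rule set, user store, ACL, passwords and packets are all constructed for the example, and the names (Packet, Rule, service_access, subject_access) are assumptions of this illustration.

```python
"""Added example (not from the book excerpt): the two kinds of logical access
control described above, implemented as small policy checks.

Service access: a packet filter that permits or denies messages by type,
origin and destination, first-match, deny-by-default.

Subject access: an application that first authenticates a user (ID and
password) and then authorizes the request against an ACL on the object.

All rules, users, hashes and packets below are constructed for this example.
"""
import hashlib
import hmac
import ipaddress
import os
from dataclasses import dataclass
from typing import List, Optional


# ---------- Service access: firewall / screening router ----------

@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp", "icmp"
    src: str              # origin address
    dst: str              # destination address
    dport: Optional[int]  # destination port (None for icmp)


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "any" or a protocol name
    src: str              # CIDR or "any"
    dst: str              # CIDR or "any"
    dport: Optional[int]  # None matches any port


def _net_match(cidr: str, addr: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def service_access(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; no match means deny (default-deny)."""
    for r in rules:
        if (r.proto in ("any", pkt.proto)
                and _net_match(r.src, pkt.src)
                and _net_match(r.dst, pkt.dst)
                and (r.dport is None or r.dport == pkt.dport)):
            return r.action
    return "deny"


# Constructed rule set: let HTTPS from anywhere reach the DMZ host,
# let SSH in only from the management net, block everything else.
RULES = [
    Rule("permit", "tcp", "any", "203.0.113.10/32", 443),
    Rule("permit", "tcp", "10.0.0.0/24", "203.0.113.10/32", 22),
    Rule("deny", "any", "any", "any", None),
]


# ---------- Subject access: application login + authorization ----------

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt)}


# Constructed user store and ACL. ACL maps object -> subject -> allowed operations.
USERS = {"alice": make_user("correct horse battery staple"),
         "bob": make_user("hunter2")}
ACL = {"payroll.db": {"alice": {"read", "write"}, "bob": {"read"}}}


def authenticate(user_id: str, password: str) -> bool:
    rec = USERS.get(user_id)
    if rec is None:
        # Do the same work for unknown IDs so they are not distinguishable by timing.
        _hash_password(password, b"\x00" * 16)
        return False
    return hmac.compare_digest(_hash_password(password, rec["salt"]), rec["hash"])


def subject_access(user_id: str, password: str, obj: str, op: str) -> bool:
    """Authenticate first; only an identified subject is checked against the ACL."""
    if not authenticate(user_id, password):
        return False
    return op in ACL.get(obj, {}).get(user_id, set())


if __name__ == "__main__":
    print(service_access(RULES, Packet("tcp", "198.51.100.7", "203.0.113.10", 443)))
    print(service_access(RULES, Packet("tcp", "198.51.100.7", "203.0.113.10", 22)))
    print(subject_access("alice", "correct horse battery staple", "payroll.db", "write"))
    print(subject_access("bob", "hunter2", "payroll.db", "write"))
```

Note the difference in what each check knows: the packet filter never learns who is behind the connection and decides only on the message itself, while the application cannot reach the ACL until the subject has been identified, so an authentication failure short-circuits the authorization step entirely.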

Excerpt from CISA Certified Information Systems Auditor All-In-One Study Guide