Authorization vs. Business Logic

2008-01-09 05:37:00 by Keith Brown in Security Briefs
 
...authorization logic. When you start thinking about this, you often end up in a big gray area: where does the "authorization" end and the "business logic" in your method begin? If there were some obvious distinction between the two, you could easily factor out the authorization logic and perhaps even centralize it. If the authorization logic is...
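
An added example, not code from Keith Brown's article, showing the factoring the snippet describes: the same transfer method first with role checks woven through it, then with the checks pulled out into one policy table behind a single enforcement point (a decorator). The roles, the 10,000 limit and all function names are hypothetical. The limit rule deliberately sits in the policy layer, because it is exactly the kind of check that could be argued either way, which is the gray area the article points at.

```python
# Added example (not from the article). Roles, limits and names are hypothetical.
from dataclasses import dataclass, field
from functools import wraps


@dataclass(frozen=True)
class Principal:
    name: str
    roles: frozenset


@dataclass
class Account:
    owner: str
    balance: int
    ledger: list = field(default_factory=list)


class Forbidden(Exception):
    pass


# --- Before: authorization tangled into the business method -----------------
def transfer_tangled(actor, src, dst, amount):
    if not actor.roles & {"teller", "manager"}:
        raise Forbidden("not staff")
    if amount > 10_000 and "manager" not in actor.roles:
        raise Forbidden("teller limit")          # authorization, or a business rule?
    if amount > src.balance:
        raise ValueError("insufficient funds")  # clearly business logic
    src.balance -= amount
    dst.balance += amount
    src.ledger.append(("out", amount))
    dst.ledger.append(("in", amount))
    return src.balance


# --- After: rules as data, one policy function, one enforcement point -------
# Each rule is a predicate over the actor and the call context. Keeping them in
# one table is what lets the checks be reviewed, audited or replaced centrally.
POLICY = {
    "transfer": [
        lambda actor, amount, **_: bool(actor.roles & {"teller", "manager"}),
        lambda actor, amount, **_: amount <= 10_000 or "manager" in actor.roles,
    ],
}


def authorize(actor, action, **ctx):
    """Return True only if every rule registered for `action` passes."""
    for rule in POLICY.get(action, []):
        if not rule(actor, **ctx):
            return False
    return True


def requires(action, **extract):
    """Decorator: evaluate the policy for `action` before the wrapped method runs.
    `extract` maps a policy context name to the positional index (after `actor`)
    of the argument that supplies it."""
    def deco(fn):
        @wraps(fn)
        def wrapper(actor, *args, **kwargs):
            ctx = {name: args[idx] for name, idx in extract.items()}
            if not authorize(actor, action, **ctx):
                raise Forbidden(f"{actor.name} may not {action}")
            return fn(actor, *args, **kwargs)
        return wrapper
    return deco


@requires("transfer", amount=2)
def transfer(actor, src, dst, amount):
    # Only business logic remains; this function no longer knows about roles.
    if amount > src.balance:
        raise ValueError("insufficient funds")
    src.balance -= amount
    dst.balance += amount
    src.ledger.append(("out", amount))
    dst.ledger.append(("in", amount))
    return src.balance


def demo():
    """Run the factored version against constructed principals and accounts."""
    teller = Principal("tina", frozenset({"teller"}))
    manager = Principal("mo", frozenset({"manager"}))
    customer = Principal("cy", frozenset())
    a, b = Account("alice", 50_000), Account("bob", 0)
    results = {"teller_small": transfer(teller, a, b, 1_000)}
    for who, amt, key in [(teller, 20_000, "teller_big"), (customer, 10, "customer")]:
        try:
            transfer(who, a, b, amt)
            results[key] = "allowed"
        except Forbidden:
            results[key] = "forbidden"
    results["manager_big"] = transfer(manager, a, b, 20_000)
    return results


if __name__ == "__main__":
    print(demo())
```

Both versions enforce the same rules; the difference is that in the second the business method can be read, tested and changed without touching the policy, and the policy can be changed (or moved into an external decision service) without touching the business method. Where the 10,000 limit belongs is still a judgement call, which is the point the snippet makes.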

Audit/Monitor Controls or Audit/Monitor BEFORE Control?

2008-02-28 11:38:00 by Dr Anton Chuvakin in Anton Chuvakin Blog -
...authorization; 3) administration and 4) audit." Note that audit, which in this case broadly includes audit, monitoring and detection, comes last. It seems to be fairly in line with common sense: you audit the controls after you put them in place; you monitor after you have authentication and authorization taken care of, and you detect the...

Hannaford and Sweetbay supermarkets announce compromise of 4.2 million credit and debit cards

2008-03-18 00:07:06 by Evan Francen in The Breach Blog
...authorization. Evan] Their information security is "among the strongest in the industry"? Here is a hint as to how the information was illegally obtained: "during transmission of card authorization." The intrusion affected Hannaford stores, Sweetbay stores in Florida and certain independently-owned retail locations in the Northeast that carry...

Another Strategy for Getting Started with Application Security

2008-01-09 19:50:00 by Security Retentive in Security Retentive
 
...authorization scheme across all of the applications. I managed to get them to settle on doing a quasi-RBAC with SiteMinder, using it almost as an identity service as well. Settling on one common high-quality authentication and authorization tool/framework had three effects. It removed these services from the realm of development. They just...

Web Email Exploitation Kit in the Wild

2008-04-16 13:42:23 by HASH0x8ab1c88 in Dancho Danchev's Blog - Mind Streams of Information Security Knowledge
...authorization to enter the mailbox. Thus the use of the script is that you choose an XSS template (code that bypasses the security filters of your target mail server) through which the attack will take place, fill in the minimum fields needed to send a message (sender, recipient, subject, message) and choose the type of payload: 1) your own JavaScript code...

Notes from IEEE Web 2.0 Security and Privacy Workshop (W2SP2008)

2008-05-27 22:45:00 by Security Retentive in Security Retentive
 
...Authorization. Daniel Sandler and Dan S. Wallach. ...must die. Daniel presented some good ideas on how to move password authentication into the browser chrome to improve our defenses against JavaScript malware such as JavaScript keyloggers, etc. While the work Daniel did was quite cool in that it doesn't require any protocol modifications, to be...

SSO Summit Day One Morning Session

2008-07-24 13:35:02 by Gunnar Peterson in 1 Raindrop
 
...authorization. This is not a problem that vendors have historically attacked with relish. They are very happy to help you solve authentication, but they are perfectly happy to keep their authorization internal, either for vendor lock-in reasons and/or because of sloppy authorization design. This will take a Liberty-esque consortium of enterprises to...

Your Company's Biggest Security Hole - What is the BGP-style Vuln Lurking in Software Security?

2008-09-05 08:31:58 by Gunnar Peterson in 1 Raindrop
 
...authorization (just open up a queue)
- run your whole book of business transaction backbone on anonymous FTP authorization with no authentication (MQ enforces authorization policy on unverifiable tokens)
- run your whole book of business transaction backbone on anonymous FTP, but think that you have security
What is strange about the MQ...

Convergence of Access and Information Policies

2007-07-10 00:00:00 by Sean Kline in Speaking of Security, the RSA Blog and Podcast
 
...Authorization Management. The model that most people described at the conference still segments authentication from authorization and does not tend to talk about policy on the information itself