Sunday, February 10, 2008
The Missing Conversation on Authorization
It is difficult to talk about web application security without acknowledging that web applications get busted not only from outside attacks but also the insider threat. Consider that if you were to ask my boss whether I am still an employee, he would say yes, but if you ask him what I have access to, he would tell you that he has no freakin clue but as soon as you find out, let him know.
The authorization problem is fascinating at a variety of levels in that most vendors don't pay attention to this problem space. Imagine a scenario where I work for Verizon and I want to see the phone calls of my neighbor. One approach may be to access the billing application, where I may be locked out because the software vendor was thoughtful enough to define RBAC properly. I would of course move on to the ECM systems where images of the bills may be stored. Regardless of whether it is Stellent, Alfresco or Documentum, it is almost guaranteed that, to access the same information, they will have different authorization models, and hence an opportunity for bad guys to do harm.
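The scenario above is the classic case of one piece of customer data living in two systems with two authorization models. The following is an added example, not code from the original post or from any of the vendors named: a single policy decision point that both a billing application and an ECM-style document repository consult, so a bill image is protected by the same rule as the call records it was rendered from. All user names, roles, accounts and documents are constructed for the example.

```python
"""One authorization policy consulted by two applications (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Subject:
    user: str
    roles: frozenset
    assigned_accounts: frozenset  # customer accounts this employee is allowed to work


@dataclass(frozen=True)
class Resource:
    kind: str     # "call_record" or "bill_image"; the policy does not care which
    account: str  # the customer account the data belongs to


def decide(subject: Subject, action: str, resource: Resource) -> bool:
    """Policy decision point: one rule for customer data wherever it is stored.

    Auditors may read anything; billing agents may read only accounts
    assigned to them; everything else is denied (default deny).
    """
    if action != "read":
        return False
    if "auditor" in subject.roles:
        return True
    if "billing_agent" in subject.roles:
        return resource.account in subject.assigned_accounts
    return False


Policy = Callable[[Subject, str, Resource], bool]


class BillingApp:
    """Billing system with RBAC done properly: every read goes through the PDP."""

    def __init__(self, pdp: Policy, calls: Dict[str, List[str]]):
        self.pdp = pdp
        self.calls = calls

    def get_calls(self, subject: Subject, account: str) -> List[str]:
        if not self.pdp(subject, "read", Resource("call_record", account)):
            raise PermissionError(f"{subject.user} may not read calls for {account}")
        return self.calls[account]


class DocumentRepo:
    """ECM-style repository holding bill images.

    With use_pdp=False it applies its own local model ("any employee can open
    any document"), which is the inconsistency the post describes. With
    use_pdp=True it asks the shared PDP, tagging the document with its account.
    """

    def __init__(self, pdp: Policy, docs: Dict[str, dict], use_pdp: bool = True):
        self.pdp = pdp
        self.docs = docs
        self.use_pdp = use_pdp

    def open(self, subject: Subject, doc_id: str) -> str:
        doc = self.docs[doc_id]
        if self.use_pdp:
            allowed = self.pdp(subject, "read", Resource("bill_image", doc["account"]))
        else:
            allowed = "employee" in subject.roles  # local model: role only, no account check
        if not allowed:
            raise PermissionError(f"{subject.user} may not open {doc_id}")
        return doc["content"]


def attempt(fn: Callable[[], object]) -> str:
    """Run an access and report the decision as a string."""
    try:
        fn()
        return "allowed"
    except PermissionError:
        return "denied"


def demo() -> Dict[str, str]:
    """Constructed data: alice is a billing agent assigned to ACCT-1001 only."""
    alice = Subject("alice", frozenset({"employee", "billing_agent"}), frozenset({"ACCT-1001"}))
    calls = {"ACCT-1001": ["555-0100 -> 555-0199"], "ACCT-2002": ["555-0200 -> 555-0299"]}
    docs = {"bill-ACCT-2002-jan.pdf": {"account": "ACCT-2002", "content": "<bill image>"}}
    billing = BillingApp(decide, calls)
    ecm_local = DocumentRepo(decide, docs, use_pdp=False)
    ecm_shared = DocumentRepo(decide, docs, use_pdp=True)
    return {
        "own_account_via_billing": attempt(lambda: billing.get_calls(alice, "ACCT-1001")),
        "neighbor_via_billing": attempt(lambda: billing.get_calls(alice, "ACCT-2002")),
        "neighbor_via_ecm_local_model": attempt(lambda: ecm_local.open(alice, "bill-ACCT-2002-jan.pdf")),
        "neighbor_via_ecm_shared_pdp": attempt(lambda: ecm_shared.open(alice, "bill-ACCT-2002-jan.pdf")),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The interesting row is the third one: the billing application denies the neighbor's records, but the repository's own role-only model hands over the rendered bill, so the authorization decision depends on which copy of the data the insider happens to reach. Routing the repository through the same decision function closes that gap, and the check is no harder than the local one; the repository just has to know which account each document belongs to.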
The funny thing is that software vendors in the ECM, BPM and CRM space know about the authorization problem yet refuse to think for more than a minute about actually providing a solution, as their insular, all-about-them mindset prevents them from doing the right thing for their customers.
The real question, though, is when will customers stand up? Maybe the problem gets brought to the surface as industry groups such as OWASP and OASIS plan to tackle this challenge...