OWASP Access Controls Presentation

A few weeks ago I gave a presentation at our local OWASP chapter on the current state of access controls. We see access control problems to some extent in nearly every application we assess. They're hard to get right, and they're hard to detect when you've done them wrong. The talk was aimed at exposing why so many developers have a hard time getting them right, and what it takes to avoid problems with them in the first place.

The biggest trick with implementing proper access controls is that they must be done consistently and systemically. There's no room for an ad hoc approach here; the larger an application gets, the harder it is to track where each one-off check has to go. A much better approach is to generalize and standardize the checks as a single global framework.
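To make the contrast concrete, here is an added example (not code from the talk or the slides) that puts an ad hoc per-handler check next to a single global enforcement point. The roles, route names, `User` class and `dispatch` function are all constructed for illustration; the point is that in the centralized version a handler cannot be registered without a policy entry, and an unknown or unlisted route is denied by default rather than silently allowed.

```python
"""Ad hoc per-handler authorization versus one centralized enforcement point.
Added example; every name here (roles, routes, User, dispatch) is hypothetical."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Set


@dataclass
class User:
    name: str
    roles: Set[str] = field(default_factory=set)


ANONYMOUS = User("anonymous")


class Forbidden(Exception):
    pass


# --- Ad hoc style: each handler is responsible for remembering its own check ---
def adhoc_view_report(user: User) -> str:
    if "analyst" not in user.roles:
        raise Forbidden("view_report")
    return "report contents"


def adhoc_delete_report(user: User) -> str:
    # The check was never written here, and nothing in the framework notices.
    return "report deleted"


# --- Centralized style: one policy table, one enforcement point, deny by default ---
POLICY: Dict[str, Set[str]] = {
    "view_report": {"analyst", "admin"},
    "delete_report": {"admin"},
}

_HANDLERS: Dict[str, Callable[[User], str]] = {}


def route(name: str):
    """Register a handler; refuse anything that has no policy entry at all."""
    def register(fn: Callable[[User], str]) -> Callable[[User], str]:
        if name not in POLICY:
            raise RuntimeError(f"route {name!r} has no authorization policy")
        _HANDLERS[name] = fn
        return fn
    return register


def dispatch(name: str, user: User) -> str:
    """The single place authorization is decided for every route."""
    allowed = POLICY.get(name, set())          # unknown route -> empty set -> denied
    if not (user.roles & allowed):
        raise Forbidden(name)
    return _HANDLERS[name](user)


@route("view_report")
def view_report(user: User) -> str:
    return "report contents"


@route("delete_report")
def delete_report(user: User) -> str:
    return "report deleted"


def try_dispatch(name: str, user: User) -> str:
    """Convenience wrapper that turns a denial into a string for easy checking."""
    try:
        return dispatch(name, user)
    except Forbidden:
        return "forbidden"


def registration_is_refused(name: str) -> bool:
    """True if registering a handler for `name` fails because no policy exists."""
    try:
        route(name)(lambda user: "unreachable")
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    analyst = User("alice", {"analyst"})
    print(adhoc_delete_report(ANONYMOUS))              # ad hoc gap: succeeds
    print(try_dispatch("delete_report", ANONYMOUS))    # centralized: forbidden
    print(try_dispatch("view_report", analyst))        # report contents
    print(try_dispatch("delete_report", analyst))      # forbidden
    print(registration_is_refused("export_report"))    # True
```

The ad hoc `adhoc_delete_report` is the kind of omission a scanner will not flag and a reviewer has to hunt for handler by handler; in the centralized version the same omission is impossible to deploy, because `route` refuses the registration and `dispatch` denies anything the policy table does not explicitly allow.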

This problem is compounded by the inability of application security scanners to accurately detect access control problems. They're simply not designed for it. Automated scans absolutely have their place in a secure development cycle, but they're not going to find your authorization problems. For this, you need manual testing and code review.

We've posted the slides used for the presentation on our site. If you're interested in seeing more, I encourage you to check them out.

ISSA Kansas City

After a very close election (in which I ran uncontested), I have been re-elected as President of the Kansas City Chapter of ISSA. If you're not familiar with the ISSA, our goal is to provide a forum for like-minded security professionals to interact, network, and share ideas.

Our chapter hosts a lunch meeting every month with a speaker from the information security industry. The topics are different each month and they range from detailed technical presentations to enterprise risk management strategies. Read more about the chapter and upcoming events at http://issa-kc.org.