The biggest trick with implementing proper access controls is that they must be done consistently and systemically. There's no room for an ad hoc approach here; the larger an application gets, the harder it is to track where each one-off check has to go. A much better approach is to generalize and standardize the checks as a single global framework.
This problem is compounded by the inability of application security scanners to accurately detect access control problems. They're simply not designed for it. Automated scans absolutely have their place in a secure development cycle, but they're not going to find your authorization problems. For this, you need manual testing and code review.
We've posted the slides used for the presentation on our site. If you're interested in seeing more, I encourage you to check them out.
Looks like a good presentation, thanks for posting the slides. Access control is so critical and yet, we continually find issues with it and you're right on, the automated tools aren't very good at finding the issues.
ReplyDelete