Alex Smolen: Securing the MVC Architecture, Part Two

This is the slide deck for the presentation I gave at SD Best Practices 2007, in Boston, MA

1. Securing the MVC Architecture Part Two. Alex Smolen, Software Security Consultant, Foundstone, Inc, Mission Viejo, CA, [email_address]
2. Analysis of Frameworks
3. Analysis of Frameworks - Struts
   - Struts Overview
4. Analysis of Frameworks - Struts
   - Validation - Validation Plugin
6. Struts Data Validation Architecture
7. Analysis of Frameworks - Struts
   - Authorization - Controller RBAC
8. Struts Authorization Architecture
9. Analysis of Frameworks - Struts
   - Error Handling - Global Exception Handlers and ActionMessages
10. Struts Error Handling Architecture
11. Analysis of Frameworks - Struts
    - Inherited from Servlet Architecture:
    - Authentication
    - Session Management
    - Coarse-Grained Authorization
      - Alternative
12. Servlet Forms Authentication
13. Servlet Session Management
15. Servlet Authorization
16. Analysis of Frameworks - Struts
    - What's missing?
    - Logging
    - Fine-Grained Authorization
    - Data Protection in Storage
    - Data Sanitization
17. Analysis of Frameworks - ASP.NET
    - ASP.NET Overview
18. Is ASP.NET MVC?
19. Analysis of Frameworks - ASP.NET
    - Validation - Validation Controls and ValidateRequest
20. ASP.NET Validation Architecture
21. Analysis of Frameworks - ASP.NET
    - Coarse-Grained Authorization - URL Authorization
22. ASP.NET Authorization Architecture
23. Analysis of Frameworks - ASP.NET
    - Error Handling - OnPageError
24. ASP.NET Error Architecture
25. Analysis of Frameworks - ASP.NET
    - Data Protection in Storage - DPAPI/Protected Configuration Providers
26. ASP.NET Data Protection Architecture
27. Analysis of Frameworks - ASP.NET
    - Session Management - ASP.NET Sessions
28. ASP.NET Session Management Architecture
29. Analysis of Frameworks - ASP.NET
    - What's missing?
    - Logging
    - Fine-Grained Authorization (maybe)
    - Data Sanitization (sort of)
    - Good Data Validation Strategy
    - Clean Separation of MVC (by default)
30. Analysis of Frameworks - Ruby on Rails
    - Overview of Ruby on Rails
31. Ruby on Rails Architecture
32. Analysis of Frameworks - Ruby on Rails
    - Validation - Built into ActiveRecord
33. Ruby on Rails Validation Architecture
34. Analysis of Frameworks - Ruby on Rails
    - Error Handling - errors attribute in Models
35. Ruby on Rails Error Handling Architecture
36. Analysis of Frameworks - Ruby on Rails
    - Generators
    - Authentication (acts_as_authenticated, OpenID)
    - Coarse Authorization (acts_as_authenticated)
    - Fine Authorization (ModelSecurity, AclSystem, AJuby, Goldberg)
37. Analysis of Frameworks - Ruby on Rails
    - What's missing?
    - Logging
    - Data Protection in Storage
    - Default Security Mechanism Availability
    - Maturity of Security Mechanisms
38. Principles
    - Simplicity versus...
39. Principles
    - Centralization versus...
40. Principles
    - Consistency versus...
41. Principles
    - "Securability" versus...
42. Exercise
    - Hacme Books Coupon Code
43. Exercise
    - Hacme Books Coupon Code: 15% AEODBOBOOG, 25% BEAAABBOOG, BEOABDBOOG
44. Conclusion
45. Conclusion
46. Conclusion