I have read the book "Designing Secure Web-based Applications", found it quite
informative but also somewhat disappointing.
I was (at the time) looking for a book that assists with "writing secure code".
Thus how code should be written, not the way code interfaces with security
components.
Example:
What is the best way to display User Details:
~~Suedo code Begin ~~
Option 1:
If var_userLevel = USER then
... display User info
else
... Display Admin Info
end if
Option 2:
If var_userLevel = ADMIN then
... display Admin info
else
... Display User Info Info
end if
Option 3:
If var_userLevel = ADMIN then
... display Admin info
elseif var_userLevel = USER
... Display User Info Info
else
... Capture Error
end if
~~Suedo code End~~
To me it is Option 3. Somewhat more work, but a lot more secure, then Option 1.
If for some reason someone else writes the code to get the variable for
var_userLevel , and that code is hackable, Option 3 will withstand the attack a
lot better then Option 1. Option 2 in this case would also be better then
Option 1, as Option 1 would display the Admin info for anybody other then user.
Option 2 in this case would revert back to the lower level of access. Thus just
structuring the If stament differently in Option 1 and 2, already makes the
code more secure.
Also by logging all the errors in option 3's last "Else" statement one can look
for any thing overlooked initially (and capture any unknown hacker attacks
-although this is reactively)
Regards
Anton
Confidentiality Warning
=======================
The contents of this e-mail and any accompanying documentation
are confidential and any use thereof, in what ever form, by anyone
other than the addressee is strictly prohibited.
