Application Security

  • No case studies on ABAC?

    Posted by Shawn McKinney, August 7, 2016

    Don’t get me wrong, everyone needs at least RBAC, but it has limitations and doesn’t work well with instance data in the authorization expression. This perceived need leads me to look for case studies describing large-scale deployments of ABAC.
    For example I’d like to read about:

    A global phone company that controls ac […]

  • We Can Stop Looking For That Panacea Now

    Posted by Shawn McKinney, August 5, 2016

    It seems every year there’s a new protocol for handling security.  I was first sucked down into this black hole in the ’90s.  Few standards back then.  Now, so many years and protocols have passed…
    https auth, x.509 auth, CSIv2, spnego, liberty, saml, ws-*, xacml, openid, oauth, uma

    All said to hold great prom […]

  • Of late, on a quest, to educate the info sec community, the definition of RBAC.  Not the first time.  A couple years back, this role-infused rant:
    Using Roles for Access Control is Not Role-Based Access Control
    And before that this:
    An Introduction to Role-Based Access Control
    But my efforts have fallen on deaf ears.  One of the most p […]

  • Security Access Control Engine – How & Why
    The OpenLDAP Accelerator is a Policy Decision Point that resides inside the slapd process. This presentation – “Introducing a Security Access Control Engine” –  explains how it works and why it’s important. We’ll explore ideas of protocol standardization […]

  • ApacheDS & Fortress QUICKSTART

    Posted by Shawn McKinney, April 1, 2016

    As engineers, we are often encouraged to use the right tool for the job.  Maybe that is because we tend to grow too attached to the familiar.  When we’ve got a hammer, everything looks like a nail.
    Apache Directory Server is one of those tools that is often overlooked.  This is unfortunate because it’s a high functioning LD […]

  • Announced just this week: Apache Fortress 1.0-RC42 released.  What, is this some kind of joke?  Why would a project go thru 42 iterations of release candidates just for a 1.0 designation?  No joke here unless you find our efforts to create a simple, useful and robust access management solution funny.  Before that 1.0 label gets used, […]

  • DROWN Vulnerability w/Remediation

    Posted by Jason Trupp, March 14, 2016

    (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0800)
    Network traffic encrypted using an RSA-based SSL certificate may be decrypted if enough SSLv2 handshake data can be collected. Exploitation of this vulnerability—referred to as DROWN in public reporting—may allow a remote attacker to obtain the private key of a server supp […]

  • Why another open source iam product?

    Posted by Shawn McKinney, January 4, 2015

    A question that has been lingering.  It’s fair game, but before I get around to actually answering, let’s remember how we got here.
    Late 90’s
    Before the first open source iam product existed we had standard policy enforcement protocols in use.  Examples include Java’s ee security & jaas. Unix had PAM, sudo a […]

  • Within the past few days the internet has been flooded with news and discussion of a recent OpenSSL vulnerability with far reaching impact (details). The good news here at Symas is that none of our current or prior product releases are susceptible to this particularly nasty bug which affects versions of OpenSSL we don’t use at this tim […]

  • ANSI RBAC
    ANSI RBAC Explained
    Misnomers abound as to what constitutes a working Role-Based Access Control (RBAC) system. With ANSI RBAC, Groups are not Roles and resource connections not Sessions. This paper explains what ANSI RBAC is and how it can be applied to existing problem domains. It dispels longstanding myths persistent within th […]
