Security Features

Scrap Static Tools, just “Fix your code”?

Recently, Gary and I collaborated on an InformIT article on static analysis. You will find our observations regarding static analysis shared by others. It’s encouraging to note that Flash Sheridan observes many of the same difficulties and treats them more formally in his ISSRE ’10 publication. It’s worth a read. A few commentators shared some [...]

Externalizing Access Control Quandary

This entry started as an email to a co-worker, Will. I’ve edited it to make it a bit more readable, but in an attempt to blog more often and less formally, I’m only applying the thinnest editing veneer. We were discussing whether (again) moving entitlement/access control decisions out of the application code really made sense. Will [...]

Aspect-Oriented Service Architecture: “Built In” or “Bolted On” Security?

I’ve been looking at how people have been implementing input validation and entitlement evaluation within service-oriented architectures (SOA). One of the nice properties of an SOA is service composition, so transformation and validation can be implemented as an independent utility service and then composed with other services. But service composition has the drawback that one [...]
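The composition sketched above, and the externalized entitlement decision discussed in the previous entry, as an added illustration that is not code from either post: input validation and the entitlement check are separate utility components wrapped around a business service, and the access-control decision itself is delegated to a small policy decision point. The service, policy table, schema and sample requests are all constructed for this example.

```python
"""Composable validation and entitlement "utility services" around a business service.

Added example, not from the original posts. Models an SOA-style composition where
input validation and the entitlement decision are separate components wrapped around
a business service, with the decision externalized to a policy decision point (PDP).
The names, the policy table and the sample requests are constructed here.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict


@dataclass
class Request:
    subject: str          # caller identity, assumed authenticated upstream
    action: str
    resource: str
    payload: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str


Service = Callable[[Request], Response]

# --- Externalized access control: a tiny PDP over a constructed policy table ---
POLICY = {
    ("alice", "read", "invoice"),
    ("alice", "write", "invoice"),
    ("bob", "read", "invoice"),
}


def pdp_decide(subject: str, action: str, resource: str) -> bool:
    """Policy decision point: True only for an explicit permit, deny otherwise."""
    return (subject, action, resource) in POLICY


# --- Utility services that can be composed with any business service ---
def with_entitlement(inner: Service, decide=pdp_decide) -> Service:
    """Policy enforcement point: ask the PDP before the inner service runs."""
    def wrapped(req: Request) -> Response:
        if not decide(req.subject, req.action, req.resource):
            return Response(403, "forbidden")
        return inner(req)
    return wrapped


def with_validation(inner: Service, schema: Dict[str, Callable[[str], bool]]) -> Service:
    """Input validation as a separate utility: reject unknown or malformed fields."""
    def wrapped(req: Request) -> Response:
        if set(req.payload) - set(schema):
            return Response(400, "unexpected field")
        for name, check in schema.items():
            if name not in req.payload or not check(req.payload[name]):
                return Response(400, f"invalid {name}")
        return inner(req)
    return wrapped


# --- The business service itself, with no security checks built in ---
def invoice_service(req: Request) -> Response:
    amount = req.payload.get("amount", "0")
    return Response(200, f"{req.action} invoice {req.payload.get('id')} for {amount}")


INVOICE_SCHEMA = {
    "id": lambda v: v.isdigit() and len(v) <= 10,
    "amount": lambda v: v.replace(".", "", 1).isdigit(),
}


def compose(*layers: Callable[[Service], Service], core: Service) -> Service:
    """Compose outermost-first: compose(a, b, core=c) behaves as a(b(c))."""
    svc = core
    for layer in reversed(layers):
        svc = layer(svc)
    return svc


# Entitlement runs before validation, so an unauthorized caller never reaches
# the validator and cannot probe its rules through error messages.
composed_invoice = compose(
    with_entitlement,
    lambda s: with_validation(s, INVOICE_SCHEMA),
    core=invoice_service,
)


def run_samples(service: Service) -> Dict[str, int]:
    """Run constructed sample requests through a service; returns status per case."""
    cases = {
        "alice_write_ok": Request("alice", "write", "invoice", {"id": "42", "amount": "10.50"}),
        "bob_write_denied": Request("bob", "write", "invoice", {"id": "42", "amount": "10.50"}),
        "alice_bad_amount": Request("alice", "write", "invoice", {"id": "42", "amount": "10;DROP"}),
        "alice_extra_field": Request("alice", "read", "invoice", {"id": "42", "amount": "1", "admin": "true"}),
    }
    return {name: service(req).status for name, req in cases.items()}


if __name__ == "__main__":
    print("composed:", run_samples(composed_invoice))
    print("raw service:", run_samples(invoice_service))
```

Calling `invoice_service` directly answers every one of the same requests with 200: the checks live in the wrappers, not in the service, so the composition is only as good as the guarantee that every path into the service goes through it.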