Creating application security layer based on resource access decision service


Metin M. Ö., Şener C., Göğebakan Y.

1st International Conference on Security of Information and Networks, SIN 2007, Gazimagusa, Türkiye, 7 - 10 May 2007, pp.248-257

  • Publication Type: Conference Paper / Full Text Paper
  • City of Publication: Gazimagusa
  • Country of Publication: Türkiye
  • Pages: pp.248-257
  • Orta Doğu Teknik Üniversitesi Affiliated: Yes

Abstract

Different solutions have been implemented for different security aspects (access control, application security) of enterprise web applications. However, combining "enterprise-level" and "application-level" security aspects in one layer could give great benefits such as reusability, manageability, and scalability. In this paper, we propose adding a new layer to n-tier web application architectures, which uses Resource Access Decision (RAD) service implementations to execute enterprise and application security policies. The proposed architecture enables applications not only to benefit from the enterprise-level security policies provided by RAD, but also to implement "application-level" security based on RAD services to eliminate web application attacks, including but not limited to those based on cross-site scripting, SQL injection, forceful browsing, cookie poisoning, invalid input and, most importantly, session stealing. © 2008 Atilla Elçi.