From the course: Programming Foundations: Secure Coding
Authorization and access control
- Providing authentication for an application is only half the battle. You also need to provide the rules around what that person can access. This is called authorization, and faulty authorization can lead to security defects that are often hard to track down. Let's start with the basics of what issues exist around authorization. Often, defects arise in this arena because we have access control lists in place, but they are not applied correctly, or they simply have not been applied at all. In either case, a user could get access to resources or data that he or she shouldn't have access to. Consider the use case where your site has a user portion and an administrator portion. If you don't have solid access control lists, your users could potentially access the admin section of your site. This obviously gives them more control than they should ever have. Now, take it a step further and consider that in your admin site, you can see all the demographic and personal details of your…
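The two failure modes the instructor names (an access rule that exists but is not enforced, and a route that never got a rule at all) are easy to see in code. The following is an added example, not code from the course: a small in-process dispatcher with a user/admin split. The route names, the `admin`/`user` roles, the `User` record and the directory of personal data are all constructed for illustration. The unprotected admin handler shows the defect; the `require_role` decorator attaches the check to the handler so it cannot be forgotten, and `dispatch` fails closed for any route that declares no rule.

```python
"""Deny-by-default authorization for a site with a user area and an admin area.

Added example, not from the course. Roles, routes and sample records below are
constructed for illustration only.
"""
from dataclasses import dataclass
from functools import wraps
from typing import Callable, Dict


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset = frozenset()


# Constructed sample data: the personal details an administrator may see.
USER_DIRECTORY = {
    "alice": {"email": "alice@example.com", "dob": "1990-01-01"},
    "bob":   {"email": "bob@example.com",   "dob": "1985-06-15"},
}


class Forbidden(Exception):
    """Raised when the caller lacks the role a route requires."""


# --- Defect 1 from the transcript: the rule exists but is not applied here ---
def admin_user_list_unprotected(user: User) -> dict:
    # No role check at all, so any authenticated user gets the whole directory.
    return USER_DIRECTORY


# --- Hardened form: the check is bound to the handler itself ---
def require_role(role: str) -> Callable:
    def decorator(handler: Callable) -> Callable:
        @wraps(handler)
        def guarded(user: User, *args, **kwargs):
            if role not in user.roles:
                raise Forbidden(f"{user.name} lacks role {role!r}")
            return handler(user, *args, **kwargs)
        # Recorded so the dispatcher can verify every route carries a rule.
        guarded.required_role = role
        return guarded
    return decorator


@require_role("admin")
def admin_user_list(user: User) -> dict:
    return USER_DIRECTORY


@require_role("user")
def my_profile(user: User) -> dict:
    # A normal user only ever sees their own record.
    return {user.name: USER_DIRECTORY.get(user.name, {})}


ROUTES: Dict[str, Callable] = {
    "/admin/users": admin_user_list,
    "/me": my_profile,
}


def dispatch(path: str, user: User):
    """Route a request, refusing any handler that declares no access rule.

    This closes defect 2 from the transcript (rule never applied): a handler
    registered without require_role fails closed instead of running unguarded.
    """
    handler = ROUTES.get(path)
    if handler is None:
        raise KeyError(path)
    if getattr(handler, "required_role", None) is None:
        raise Forbidden(f"route {path} has no access rule; refusing to serve it")
    return handler(user)


def can_access(path: str, user: User) -> bool:
    """True if dispatch would serve the route to this user, False if it refuses."""
    try:
        dispatch(path, user)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    alice = User("alice", frozenset({"user"}))
    root = User("root", frozenset({"admin", "user"}))
    print("unprotected handler leaks to alice:", admin_user_list_unprotected(alice) == USER_DIRECTORY)
    print("guarded /admin/users for alice:", can_access("/admin/users", alice))
    print("guarded /admin/users for root:", can_access("/admin/users", root))
```

The design point is where the check lives: a rule kept in a separate list that each handler is supposed to consult is exactly what gets skipped, while a decorator plus a dispatcher that refuses undeclared routes makes the missing check a runtime failure rather than a silent data exposure.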