Access Control Design Best Practices
Offered By: RSA Conference via YouTube
Course Description
Overview
Explore critical access control anti-patterns and best practices in this 40-minute webcast from RSA Conference. Learn about hard-coded security policies, horizontal access control issues, direct object reference problems, and "fail open" mechanisms. Discover positive access control principles for robust web and API-based applications. Delve into role-based checks, enforcement strategies, and centralized mechanisms. Examine real-world examples, including video game and digital shopping cart scenarios. Gain insights on implementing deny-by-default policies, server-side trusted data, and command patterns. Understand the importance of the Application Security Verification Standard in access control design.
Syllabus
Introduction
Agenda
Antipatterns
Problem
Best Practices
Video Game Example
Role-Based Check
Enforcement Check
Can the User View
Oak Framework
Dotnet
Database schema
Centralized mechanism
Presentation Layer
Command Pattern
Deny by Default
Server-Side Trusted Data
Digital Shopping Cart
Access Control Best Practices
Application Security Verification Standard
Final Notes
Wrap Up
Taught by
RSA Conference
Related Courses
Designing RESTful APIs (Udacity)
API Design and Fundamentals of Google Cloud's Apigee API Platform (Google Cloud via Coursera)
API Development on Google Cloud's Apigee API Platform (Google Cloud via Coursera)
API Security on Google Cloud's Apigee API Platform (Google Cloud via Coursera)
Developing APIs with Google Cloud's Apigee API Platform (Google Cloud via Coursera)