views:

168

answers:

3

Are there any good books, blogs, wikis, etc., on coding security systems? And standards that should be followed? I'm specifically interested in writing Access Control (DAC, MAC, RBAC) and auditing. I think I have a solid working understanding of DAC due to my experience with *nix systems. But I don't know what goes into implementing these systems (example: I believe there is a standard for RBAC?) and would like to learn.

Most of this should be language independent, but language dependent resources are welcome.

**Update:** Yes, I know there are lots of existing modules, and about NIH syndrome and "don't reinvent the wheel"... however, sometimes you have to reinvent the wheel for educational purposes. Someone has to know how to build security systems, and they have to start learning somewhere.

**Update:** I decided to make this a Community Wiki because I doubt there is any one good answer, and I think it could be an important resource.

+2  A: 
DmitryK
And before you start implementing, you need to understand the concepts. This won't teach you everything you need to know, but you need to know everything this will teach you: [Security Engineering by Ross Anderson](http://www.cl.cam.ac.uk/~rja14/book.html).
Gilles
@Gilles interesting... any idea on the value of 2ed or 1ed?
xenoterracide
@xenoterracide: If you can afford it, 2ed, on paper (it's the kind of book where you'll want to highlight and annotate passages). It's always good to have something up-to-date, and there is some new material. If you're a starving student, 1ed is better than nothing.
Gilles
@Gilles am I allowed to accept that book as the answer? I liked the first couple of chapters of the 1ed so much I bought 2ed and am working my way through it.
xenoterracide
+1  A: 

Some of the pioneering work on RBAC was done by NIST (esp. this paper). Still good for conceptual background.

Andrew Matthews
A: 

If you want to build real fine-grained access control (FGAC), just check my article on this subject for MySQL:

MySQL 5.0 Fine-Grained Access Control (FGAC)

Basically, you don't want your business code to be dependent on the FGAC implementation; you don't want to mix FGAC code into the WHERE clause of the SELECT statements of your business rules. This article shows solutions to avoid cluttering SQL statements.

Jérôme Radix
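To make the separation this answer argues for concrete: the row-level predicate is written once, in a view, and every business query reads the view with no permission logic of its own. This is an added example illustrating the answer, not code from it or from the linked MySQL article. It uses SQLite (in the Python standard library) as a stand-in for MySQL, and a connection-scoped SQL function `app_user()` as a stand-in for the per-session identity MySQL would get from `CURRENT_USER()` or a session variable; every table, column and row in it is constructed for the example.

```python
"""Row-level (fine-grained) access control kept out of the business queries.

Added example; not code from the answer or the linked article. SQLite stands in
for MySQL and app_user() stands in for MySQL's session identity. All data is
constructed for the example.
"""
import sqlite3

# The security predicate lives in exactly one place: the view. Business code
# reads orders_v and never repeats the ACL join in its own WHERE clauses.
SCHEMA = """
CREATE TABLE orders (id INTEGER PRIMARY KEY, region TEXT, amount INTEGER);
CREATE TABLE order_acl (region TEXT, username TEXT);
CREATE VIEW orders_v AS
    SELECT o.id, o.region, o.amount
    FROM orders AS o
    JOIN order_acl AS a ON a.region = o.region AND a.username = app_user();
"""

# Constructed sample data: who may see which region's orders.
ORDERS = [(1, "emea", 100), (2, "emea", 250), (3, "apac", 75)]
ACL = [("emea", "alice"), ("apac", "carol"), ("emea", "auditor"), ("apac", "auditor")]


def open_db(current_user):
    """Open an in-memory database whose app_user() reports `current_user`."""
    conn = sqlite3.connect(":memory:")
    # Registered before the view is created so the view body can reference it.
    conn.create_function("app_user", 0, lambda: current_user)
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", ORDERS)
    conn.executemany("INSERT INTO order_acl VALUES (?, ?)", ACL)
    return conn


def visible_order_ids(current_user):
    """Business query: a plain SELECT with no permission logic in the statement."""
    conn = open_db(current_user)
    try:
        return [row[0] for row in conn.execute("SELECT id FROM orders_v ORDER BY id")]
    finally:
        conn.close()


def total_amount(current_user):
    """A second business query reuses the same policy without restating it."""
    conn = open_db(current_user)
    try:
        return conn.execute("SELECT COALESCE(SUM(amount), 0) FROM orders_v").fetchone()[0]
    finally:
        conn.close()


if __name__ == "__main__":
    for user in ("alice", "carol", "auditor", "mallory"):
        print(user, visible_order_ids(user), total_amount(user))
```

The check a practitioner should add on a real deployment: the view is only an enforcement point if the application's database account can read `orders_v` but not `orders`. In MySQL that is what a view declared with `SQL SECURITY DEFINER` is for: the application account is granted SELECT on the view only, and the base table stays out of its reach. Without that privilege split the view removes clutter but not risk, because any query that names the base table bypasses the predicate.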