https://wiki.owasp.org/index.php?action=history&feed=atom&title=OWASP_AppSec_DC_2012%2FAccess_Control_Designs_and_PitfallsOWASP AppSec DC 2012/Access Control Designs and Pitfalls - Revision history2026-04-23T22:13:41ZRevision history for this page on the wikiMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=OWASP_AppSec_DC_2012/Access_Control_Designs_and_Pitfalls&diff=126006&oldid=prevMark.bristow: Created page with "<noinclude>{{:OWASP AppSec DC 2012 Header}}</noinclude> __NOTOC__ == The Presentation == Access Control is a necessary security control at almost every layer within a web app..."2012-03-12T01:00:28Z<p>Created page with "<noinclude>{{:OWASP AppSec DC 2012 Header}}</noinclude> __NOTOC__ == The Presentation == Access Control is a necessary security control at almost every layer within a web app..."</p>
<p><b>New page</b></p><div><noinclude>{{:OWASP AppSec DC 2012 Header}}</noinclude><br />
__NOTOC__<br />
== The Presentation ==<br />
Access Control is a necessary security control at almost every layer within a web application. This talk will discuss several of the key access control anti-patterns commonly found during website security audits. These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and "fail open" access control mechanisms. In reviewing these and other access control anti-patters (problems), we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.<br />
== The Speakers ==<br />
<table><br />
<tr><br />
<td><br />
===Jim Manico===<br />
[[Image:AppSecDC12-manico.png|left]]Jim Manico is the VP of Security Architecture for WhiteHat Security. Jim is part of the WhiteHat Static Analysis Software Testing (SAST) team, leading the data-driven, Web service portion of the SAST service. He also provides secure coding and developer awareness training for WhiteHat using his 7+ years of experience delivering developer-training courses for SANS, Aspect Security and others.<br />
<br />
Jim brings 15 years of database-driven Web software development and analysis experience to WhiteHat. He has helped deliver Web-centric software systems for Sun Microsystem, Fox Media (MySpace), several Fortune 500's, and major NGO financial institutions. He holds expertise in a variety of areas, includingWeb-based J2EE development, thick-client and applet-based Java applications, hybrid Java, C++ and Flash applications, Web-based PHP applications, rich-media Web applications using advanced Ajax techniques, Python REST Webservice development, and Database technology using Oracle, MySQL and Postgres.<br />
<br />
A host of the OWASP Podcast Series, Jim is the committee chair of the OWASP Connections Committee and is a significant contributor to various OWASP projects.<br />
<br />
Jim works on the beautiful island of Kauai, Hawaii where he lives with his wife Tracey.<br />
</td><br />
</tr><br />
</table><br />
<noinclude>{{:OWASP AppSec DC 2012 Footer}}</noinclude></div>Mark.bristow