[owasp-intrinsic-security] Introducing ABE (with almost definitive syntax specs)

Bil Corry bil at corry.biz
Sat Dec 20 08:57:25 EST 2008


Giorgio Maone wrote on 12/20/2008 5:02 AM: 
> http://hackademix.net/2008/12/20/introducing-abe/
> 
> Comments are welcome

When there's a violation, will ABE prompt the user to give them an opportunity to allow the request temporarily or permanently?  I'm imagining a scenario where a site originally didn't allow something, but a feature is added and now wants to allow it.  Everyone who has the older rules will now hit a security violation, so to keep it as automatic as possible, either the user would have to override the security error (which could be challenging for the average user: do they allow a violation of security, or not?), or the site would have to provide new rules and ABE would have to discover and use the new rules.  Maybe ABE checks for new rules first before popping up the security dialog box?  Just curious how you see that working.

Thinking about the virus checking software on my laptop, what frustrates me is that something won't work and then I have to dig around inside its settings to figure out how to allow it.  It's tempting at times to just turn it off rather than spending the time to figure it out.  My concern for the average ABE user is that if sites do not work properly, and if there's an abundance of security dialog boxes that they don't know the answer to, they may opt to just turn it off.  But maybe your target audience isn't computer novices?  If it is, then I think careful consideration is needed to make ABE as helpful and useful to them as possible.  They will not understand firewall-style rules :)


- Bil
