[owasp-intrinsic-security] Fwd: Introducing ABE (with almostdefinitive syntax specs)

Giorgio Maone giorgio.maone at gmail.com
Sun Dec 21 08:42:03 EST 2008


IMO, the priority hierarchy User > Site > Community should work fine enough,
if a UI for conflict resolution like the one I suggested in my previous
message is provided.

Site rules would prevail over community rules, which are given as a first-line
"common sense" safety net, good for the average Joe.
User rules would prevail over everything else, because we suppose that if a
user embarks on creating custom rules, he will probably be able to
tweak them later if a conflict (or, conversely, a new security issue)
happens.
--
Giorgio

On Sun, Dec 21, 2008 at 2:30 PM, Bil Corry <bil at corry.biz> wrote:

> (Did you mean to take this off-list?  I'm leaving it off-list in case
> that's your intention; feel free to reply to this publicly on the list.)
>
> Giorgio Maone wrote on 12/21/2008 4:49 AM:
> > This way user can see what's going on and choose to keep trusting his own
> > rule over site's (possibly tweaking it, if he's capable of) or to trust
> the
> > site because site developers know better.
>
> Going back to my original thought, there will be three sets of rules: the
> user's (manual/learned), the site's, and the community contributed.  I think
> you'll have similar issues with the community rules as well.
>
> Beyond that, I'm also imagining the scenario where one or more people
> export their rule sets, send them to me, and I import them.  So it could be
> that one site has numerous rule sets which may or may not conflict with each
> other.  For example, the site specifies one behavior, but due to a security
> hole, a security expert suggests using another set of rules until the
> security issue is fixed.  Those rules get imported and then ????  Ideally
> the user could choose to overwrite their own rule set.  But in other cases
> where the user is importing rules for hundreds of sites, they may not want
> to bulk overwrite everything.
>
> I don't have any answers, just bringing up some edge cases.
>
> - Bil
>
>
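The precedence scheme discussed above (User > Site > Community, with a UI to surface conflicts) and Bil's import scenario, as an added example that is not ABE's code and not part of the original thread. The rule representation is a hypothetical simplification (each source maps a site to a single "allow"/"deny" verdict), since the thread does not show ABE's actual syntax; the sample rule sets are constructed for illustration.

```javascript
// Added example (not ABE's own code): resolve rules from three sources by the
// precedence User > Site > Community, and report the lower-precedence rules that
// disagree with the winner so a conflict-resolution UI can show them.
// Hypothetical rule format: { "<site>": "allow" | "deny" } per source.

const PRECEDENCE = ["user", "site", "community"]; // highest precedence first

// Returns, per site, the winning verdict, which source it came from, and the
// list of conflicting (overridden) rules from lower-precedence sources.
function resolveRules(ruleSets) {
  const sites = new Set();
  for (const src of PRECEDENCE) {
    for (const site of Object.keys(ruleSets[src] || {})) sites.add(site);
  }
  const result = {};
  for (const site of sites) {
    let winner = null;
    const conflicts = [];
    for (const src of PRECEDENCE) {
      const rules = ruleSets[src] || {};
      if (!(site in rules)) continue;
      if (winner === null) {
        winner = { source: src, verdict: rules[site] };
      } else if (rules[site] !== winner.verdict) {
        // A lower-precedence source disagrees: keep it for the UI to display.
        conflicts.push({ source: src, verdict: rules[site] });
      }
    }
    result[site] = { source: winner.source, verdict: winner.verdict, conflicts };
  }
  return result;
}

// Import a rule set into the user's own rules without bulk-overwriting them:
// sites the user has no rule for are adopted as-is; sites where the two
// disagree are returned as "pending" for a per-site decision instead of being
// silently replaced.
function importRules(userRules, imported) {
  const merged = { ...userRules };
  const pending = [];
  for (const [site, verdict] of Object.entries(imported)) {
    if (!(site in merged)) {
      merged[site] = verdict;
    } else if (merged[site] !== verdict) {
      pending.push({ site, current: merged[site], incoming: verdict });
    }
  }
  return { merged, pending };
}

// Constructed sample rule sets (not real rules). The site operator allows
// bank.example, the community denies it, and the user has chosen deny.
const sampleSets = {
  community: { "bank.example": "deny", "shop.example": "allow", "forum.example": "allow" },
  site:      { "bank.example": "allow", "shop.example": "allow" },
  user:      { "bank.example": "deny" },
};

// Constructed rule set "sent by a security expert" while a hole is unfixed.
const expertRules = { "bank.example": "allow", "news.example": "deny" };

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(resolveRules(sampleSets), null, 2));
  console.log(JSON.stringify(importRules(sampleSets.user, expertRules), null, 2));
}
```

For bank.example the user's deny wins and the site's allow is listed as a conflict, which is exactly the case the UI has to present so the user can keep trusting his own rule or defer to the site. The import step leaves the user's existing bank.example rule untouched and reports it as pending, so importing rules for hundreds of sites never overwrites a deliberate user choice.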