[owasp-intrinsic-security] Fwd: Introducing ABE (with almost definitive syntax specs)

Giorgio Maone giorgio.maone at gmail.com
Sun Dec 21 10:49:58 EST 2008


Well, I'm not even sure this is a case I want to handle, since once we start
having user and site rules the blame shifts to the user and the site.
But a possible approach would be that if a matching restrictive rule is more
recent than a matching permissive rule, the former gets enforced (or at
least raises a resolvable conflict) no matter its source priority. This
means that individual rules must be timestamped in some way (well, it could be
done automatically by ABE, diffing the single rules against the current copy
and applying the ruleset's timestamp to new/modified rules only).
--
Giorgio
On Sun, Dec 21, 2008 at 4:29 PM, Bil Corry <bil at corry.biz> wrote:

> Giorgio Maone wrote on 12/21/2008 7:42 AM:
> > IMO, the priority hierarchy User > Site > Community should work fine
> > enough, if a UI for conflict resolution like the one I suggested in my
> > previous message is provided.
>
> Yes, in cases where the user rules are more restrictive than the site or
> community rules.  Now I'm flipping the example around.  Imagine the
> user/site allows an action that is determined to be unsafe (there's a
> security hole).  So the community rule is updated to prevent the hole.  Now
> the community rule is more restrictive, but the user/site rules allow it.
> How does that get managed by the UI?  I'm going off the assumption that
> most people will never manually code the rules, but rather will rely on the
> auto-learn, site and community rule sets instead.
>
>
> - Bil
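The resolution scheme Giorgio sketches above (source priority User > Site > Community, overridden when a matching restrictive rule carries a newer timestamp than every matching permissive rule, with timestamps assigned by diffing an incoming ruleset against the current copy) is small enough to write down. The following is an added illustration, not ABE's or NoScript's own code; the rule representation (a URL prefix plus an Accept/Deny action), the `Rule` and `resolve` names and the constructed example rules are all assumptions made here for the demonstration. It also walks through Bil's flipped case: the user allows a resource, the community ruleset is later updated to deny it, and the newer restrictive rule wins despite the lower source priority.

```python
from dataclasses import dataclass

# Source priority from the thread: User > Site > Community (lower value wins).
PRIORITY = {"user": 0, "site": 1, "community": 2}


@dataclass(frozen=True)
class Rule:
    source: str     # "user", "site" or "community"
    prefix: str     # assumption: the rule matches request URLs starting with this prefix
    action: str     # "Accept" (permissive) or "Deny" (restrictive)
    timestamp: int  # set by stamp_ruleset(); 0 means "not stamped yet"


def stamp_ruleset(current, incoming, ruleset_ts):
    """Apply timestamps the way the message suggests: diff each incoming rule
    against the current copy of the same ruleset; only new or modified rules
    receive the ruleset's timestamp, unchanged rules keep the one they had."""
    current_by_key = {(r.source, r.prefix): r for r in current}
    stamped = []
    for r in incoming:
        prev = current_by_key.get((r.source, r.prefix))
        if prev is not None and prev.action == r.action:
            stamped.append(prev)                      # unchanged: keep old timestamp
        else:
            stamped.append(Rule(r.source, r.prefix, r.action, ruleset_ts))
    return stamped


def resolve(rules, url):
    """Decide Accept/Deny for url. Returns (action, reason).

    1. Collect every rule matching the URL.
    2. If both permissive and restrictive rules match and the newest restrictive
       one is more recent than the newest permissive one, enforce Deny
       regardless of source priority (the "recency override").
    3. Otherwise fall back to the User > Site > Community hierarchy."""
    matching = [r for r in rules if url.startswith(r.prefix)]
    if not matching:
        return ("Accept", "no matching rule")
    allows = [r for r in matching if r.action == "Accept"]
    denies = [r for r in matching if r.action == "Deny"]
    if allows and denies:
        newest_deny = max(denies, key=lambda r: r.timestamp)
        newest_allow = max(allows, key=lambda r: r.timestamp)
        if newest_deny.timestamp > newest_allow.timestamp:
            return ("Deny", f"recency override by {newest_deny.source} rule")
    winner = min(matching, key=lambda r: PRIORITY[r.source])
    return (winner.action, f"source priority: {winner.source}")


def flipped_example():
    """Bil's scenario with constructed rules: the user allowed the resource at
    t=100, the community ruleset is later (t=200) updated to deny it."""
    api = "http://example.com/api/"       # constructed sample resource
    static = "http://example.com/static/"
    user_rules = [Rule("user", api, "Accept", 100)]
    community_old = [Rule("community", api, "Accept", 100),
                     Rule("community", static, "Accept", 100)]
    # Incoming community update: api flips to Deny, static is unchanged.
    community_new = stamp_ruleset(
        community_old,
        [Rule("community", api, "Deny", 0), Rule("community", static, "Accept", 0)],
        ruleset_ts=200,
    )
    before = resolve(user_rules + community_old, api + "login")
    after = resolve(user_rules + community_new, api + "login")
    return community_new, before, after


if __name__ == "__main__":
    stamped, before, after = flipped_example()
    for r in stamped:
        print(r)
    print("before community update:", before)
    print("after community update: ", after)
```

Running the script shows the unchanged `static` rule keeping its old timestamp while the flipped `api` rule is stamped 200, the request being accepted on user priority before the update, and denied by the recency override afterwards. If the user later re-saves an Accept rule for the same prefix (giving it a newer timestamp), normal priority resumes, which is exactly the "resolvable conflict" the message leaves to the UI.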