[Owasp-royalholloway] Fwd: Is there a spreadsheet/template for Mapping WebServices Authorization Rules?
dinis.cruz at owasp.org
Thu May 3 22:44:12 UTC 2012
Also asking this here since most of you are not on the OWASP Leaders list.
---------- Forwarded message ----------
From: Dinis Cruz <dinis.cruz at owasp.org>
Date: 3 May 2012 23:24
Subject: Is there a spreadsheet/template for Mapping WebServices
To: owasp-leaders at lists.owasp.org
What is the best way to map/document the Authorization Rules? (For example,
I'm looking for a spreadsheet/template that allows the business rules (i.e.
'who has access to what') to be mapped, visualized and analyzed.)
I looked at owasp.org and this is what I found (did I miss something?)
- Guide to Authorization<https://www.owasp.org/index.php/Guide_to_Authorization>
- Testing for
- Reviewing Code for Authorization
- Cheat Sheets <https://www.owasp.org/index.php/Cheat_Sheets> (no
In the past I have created a couple of these (some even with
O2 Automation), but NDAs prevented me from sharing. So today, since I'm
helping Arvind to create a set of Python scripts to test TeamMentor's
WebServices, I took the time to create a model which I think came out quite
You can read about it here: Creating a spreadsheet with WebService's
This is what it looks like:
[image: Inline images 1]
Since I'm going to integrate this with O2 next, it is better to change it
into a better format/standard now (vs later).
I also think that we should have a couple of these templates in an easy to
consume format on the OWASP Wiki (I have lost count of the number of times
that I have tried to explain the need for
'such authorization tables/mappings' without having good examples at hand).
Note that creating these mappings is just one part of the puzzle! Also as
important is the ability to keep it well maintained, up-to-date and