27 January 2009

What is a Positive Security Model?

Terminology can get in the way of understanding each other in project teams. Sometimes information security terminology can get particularly foggy. So if you hear "positive security model", what should you be thinking of?

Positive security models are sometimes referred to as a white list (or whitelist) approach. There are good definitions and descriptions on the following sites:

For a web site (web application), a positive security model would define a limited number of interactions and data that would be allowed.

As an analogy, if you were having a family get-together, you could be very explicit about who you are inviting—Granny Jones, Uncle Sam, etc. By listing everyone you will let in to your house on a particular day, you'd have a type of positive security model. If they were not invited (or turned up on another day!), they wouldn't be allowed in. But people who are new to having a party tend to do things a bit differently. They'll tend to say "everyone's invited" with some exceptions—Bob, Jinny and Si can't come. That's a negative security model.

In the family get-together it's easy to prevent (known) trouble-makers from attending: just don't invite them (and enforce the door policy), i.e. allow all legitimate guests and deny everyone else. For the party, since everyone's welcome, passers-by and friends of friends who cause trouble may turn up.

The positive security model is stricter, but relies on having full knowledge of what is, and what is not, permissible. For a web application, this would be what information (e.g. type, range/length, character set, format, syntax, cardinality) can be sent & received, by whom, in what manner, when, in what order, how often and what pre-conditions there are.

The more of these things that can be defined early in a web application project, the more they help guide the design, development and testing. Of course there will be difficulties defining what exactly is allowed or making it specific enough, but going through the thought process helps build security in from the start.
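
As an added illustration (not code from the original post), here is a positive model for the data part of one request: only a defined interaction is accepted, and every parameter must match its declared format, range and cardinality. The endpoint, parameter names and limits are hypothetical; who may call it, in what order and how often are outside this sketch.

```python
import re
from urllib.parse import parse_qs

# Hypothetical allow-list: each permitted interaction lists every permitted
# parameter with its character set/length, numeric range and cardinality.
SPEC = {
    ("GET", "/orders"): {
        "customer": {"pattern": r"[a-z0-9]{3,16}", "required": True},
        "page":     {"pattern": r"[0-9]{1,3}", "int_range": (1, 500)},
        "status":   {"pattern": r"open|shipped|cancelled", "max_count": 3},
    },
}

def validate(method, path, query):
    """Return (True, cleaned_params) if the request is allowed, else (False, reason)."""
    rules = SPEC.get((method, path))
    if rules is None:                      # anything not defined is denied
        return False, "interaction not defined"
    try:
        # parse_qs percent-decodes, so the checks below see the decoded values
        params = parse_qs(query, keep_blank_values=True, strict_parsing=bool(query))
    except ValueError:
        return False, "malformed query string"
    unknown = set(params) - set(rules)
    if unknown:                            # parameters nobody "invited"
        return False, "unexpected parameter: " + sorted(unknown)[0]
    cleaned = {}
    for name, rule in rules.items():
        values = params.get(name, [])
        if not values:
            if rule.get("required"):
                return False, "missing parameter: " + name
            continue
        if len(values) > rule.get("max_count", 1):   # cardinality
            return False, "too many values: " + name
        for v in values:
            if not re.fullmatch(rule["pattern"], v):  # character set, length, format
                return False, "bad format: " + name
            if "int_range" in rule:                   # numeric range
                lo, hi = rule["int_range"]
                if not lo <= int(v) <= hi:
                    return False, "out of range: " + name
        cleaned[name] = values
    return True, cleaned
```

Note that nothing in the validator describes what a bad request looks like; a request is rejected simply because it is not on the list.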

There are some more thoughts in A Techie's Musings about It's Only a Model.

Posted on: 27 January 2009 at 08:58 hrs


Page http://www.clerkendweller.com/2009/1/27/What-is-a-Positive-Security-Model
© 2009-2010 clerkendweller.com