Web Commerce Security Design and Development by Ronald L. Krutz, Hadi Nahari

Access Control

Access control mechanisms must address the threats to a Web commerce system, the system's vulnerability to these threats, and the risk that the threats might materialize. These concepts are defined as follows:

Threat: An event or activity that has the potential to cause harm to the information systems or networks

Vulnerability: A weakness or lack of a safeguard that can be exploited by a threat, causing harm to the information systems or networks

Risk: The potential for harm or loss to an information system or network; the probability that a threat will materialize

Controls

Controls are implemented to mitigate risk and reduce the potential for loss. Controls can be preventive, detective, or corrective. Preventive controls are put in place to inhibit harmful occurrences; detective controls are established to discover harmful occurrences; and corrective controls are used to restore systems that are victims of harmful attacks.

Two important control concepts are the separation of duties and the principle of least privilege. Separation of duties requires that an activity or process must be performed by two or more entities for successful completion. Thus, the only way that a security policy can be violated is if there is collusion among the entities. For example, in a financial environment, the person requesting that a check be issued for payment should not also be the person who has authority to sign the check. In least privilege, the entity that has a task to perform ...
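The check-issuance scenario above, worked through as an added example that is not from the book: a small policy engine in which least privilege is enforced by a role-to-permission table, separation of duties by refusing to let the requester of a check also sign it, and a decision log serves as the detective control. The role names, permissions, users and amounts are constructed for the example.

```python
from dataclasses import dataclass

# Constructed role-to-permission table (hypothetical, not from the book): under
# least privilege each role holds only the permissions its own task requires.
ROLE_PERMISSIONS = {
    "clerk": {"request_check"},
    "controller": {"sign_check"},
    "auditor": {"view_ledger"},
}

@dataclass
class CheckRequest:
    check_id: str
    amount: int
    requested_by: str
    signed_by: str = ""  # empty until a second, distinct person signs

class CheckIssuance:
    """Preventive control: each action is authorised before it changes state."""

    def __init__(self, user_roles):
        self.user_roles = user_roles  # user -> set of roles held
        self.requests = {}            # check_id -> CheckRequest
        self.audit_log = []           # detective control: trail of every decision

    def _permitted(self, user, permission):
        roles = self.user_roles.get(user, set())
        return any(permission in ROLE_PERMISSIONS.get(r, set()) for r in roles)

    def _decide(self, allowed, reason):
        """Record and return (allowed, reason); denials are logged too."""
        self.audit_log.append(("ALLOW " if allowed else "DENY ") + reason)
        return allowed, reason

    def request_check(self, user, check_id, amount):
        if not self._permitted(user, "request_check"):
            return self._decide(False, f"{user} lacks request_check")
        self.requests[check_id] = CheckRequest(check_id, amount, user)
        return self._decide(True, f"{user} requested {check_id}")

    def sign_check(self, user, check_id):
        req = self.requests.get(check_id)
        if req is None or req.signed_by:
            return self._decide(False, f"{check_id} is not pending signature")
        if not self._permitted(user, "sign_check"):
            return self._decide(False, f"{user} lacks sign_check")
        if req.requested_by == user:  # separation of duties: requester cannot sign
            return self._decide(False, f"{user} may not sign own request {check_id}")
        req.signed_by = user
        return self._decide(True, f"{user} signed {check_id}")
```

Note that a user holding both roles (dana below) still cannot sign her own request: separation of duties is a check on the transaction, independent of what the role table grants.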
