
Re: Working draft of Application Security Policy for LedgerSMB 1.3



On Thu, 4 Mar 2010, Chris Travers wrote:

Further suggested refinements, and thoughts about duty sep for orders...

Maybe:  "Due to the way web-based software works, there are certain
types of attacks which are indistinguishable to the server from
legitimate uses of the software."

"Due to the nature of web-based software, there are certain types of attack which the server cannot distinguish from legitimate use."

"There are two downsides to this method.  The first is that users who
are already logged into the network must also log into the
application, possibly using a different username and password (though
shared management of credentials is possible).  The second is that the
web server must have access to the password in an unencrypted form.
This means that if the server was compromised, it would be possible
for an attacker to capture the password information as users log in."

Rather jarring switch from present to past tense there. I would replace "was" and "would" with "is" and "could".
Otherwise I like it.

The basic thing is that separation of duties, as a means of preventing
financial fraud, is not applicable to non-financial documents.  There
might be other risk factors which might require it, but they are
outside the areas of fraudulent usage.

There is a social engineering aspect to orders as vehicles of fraud, is there not? I.e. "if an order exists", someone in order fulfillment or processing might say, "it had to pass by someone first. To wit, I will look less intently at its content than I would if Bob in shipping came over and asked me to put through an invoice for a dozen thousand-dollar hammers."

So an order may not be a financial document exactly, but it is a pre-financial document. Also, purchase orders, if taken literally (i.e. in government and non-profit contexts at the very least), are binding legal agreements, committing the purchaser to buy X at Y, if they are used as actual purchase orders. In that case, they would seem to me to be financial documents, although I am no accountant, and could easily be missing some key element.

"As non-financial documents, orders and quotations do not pose the
same risks of financial fraud and so are generally excluded from
separation of duties mechanisms at this time.  Most businesses which

I would remove "at this time". If you must have that disclaimer (everything in software is "at this time" until it isn't, imo), I would replace "generally" with "currently"; but really I don't see a need for the temporal disclaimer at all.

enforce separation of duties on financial documents do not need to do
so for these types of documents.  Typical reasons for enforcing
separation of duties here have to do with concerns other than those
which we have chosen to target for this release."

s/here have to do with/in this context, relate to/

Luke