Do web apps need access control? Stewart has a blog post with the statement that they don't and that access control is to be done at the app server. I don't support a web app. I have to deal with audits and all of the other fun stuff. But I suspect that at some point many web apps must also deal with audits if they store personal data which is subject to many rules in many countries.
Has anyone here undergone an audit for 'web app' personal data? In such an audit has access control at the app server been sufficient? Are managers at such a company comfortable that anyone (such as a disgruntled employee) with access to the db can read all customer data? Note that once a web app gets big and needs to make some money there will be just as much internal access to the database as there is user-facing access and the internal access won't go through the web app. The internal access will be large queries used for monetization. And those queries are the ones that might not be allowed access to the user's personal data. -- Mark Callaghan [email protected] _______________________________________________ Mailing list: https://launchpad.net/~drizzle-discuss Post to : [email protected] Unsubscribe : https://launchpad.net/~drizzle-discuss More help : https://help.launchpad.net/ListHelp

