Do web apps need access control? Stewart has a blog post with the
statement that they don't and that access control is to be done at the
app server. I don't support a web app. I have to deal with audits and
all of the other fun stuff. But I suspect that at some point many web
apps must also deal with audits if they store personal data which is
subject to many rules in many countries.

Has anyone here undergone an audit for 'web app' personal data?
In such an audit has access control at the app server been sufficient?
Are managers at such a company comfortable that anyone (such as a
disgruntled employee) with access to the db can read all customer
data?

Note that once a web app gets big and needs to make some money there
will be just as much internal access to the database as there is
user-facing access and the internal access won't go through the web
app. The internal access will be large queries used for monetization.
And those queries are the ones that might not be allowed access to the
user's personal data.

-- 
Mark Callaghan
[email protected]

_______________________________________________
Mailing list: https://launchpad.net/~drizzle-discuss
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~drizzle-discuss
More help   : https://help.launchpad.net/ListHelp

Reply via email to