Web sites today face many threats to the confidentiality and integrity of the data they use and the functionality their applications provide. The problem is compounded by the fact that Web developers often lack either adequate knowledge and skills for writing secure Web application code (Huang et al., 2005) or sufficient testing methodologies for the audit and control of Web development (Mansouir and Houri, 2006). Work on the design and implementation of security measures for Web applications is therefore greatly needed.

User authentication and data access have become two of the most common targets of Web attacks now that procedures such as single sign-on and authentication delegation are practically indispensable in e-business environments (Paulus, 2001). These two types of on-line vulnerability can be countered by securing the user account database that opens the gate to the application and by encrypting the SQL connection that leads to the data store.

This paper describes the design and development of a Secure Authentication and Access Control System, herein referred to as SCAAS, implemented as a reusable library that provides data-driven and encryption-based authentication and access control for use with ASP.NET applications. SCAAS employs Microsoft SQL Server to persist the security definitions that the SCAAS run-time system uses; this database is herein referred to as the SCAAS User Registry. The system also provides an ASP.NET-based administration application for maintaining the data in the SCAAS User Registry.
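The two controls the abstract names, an encrypted SQL Server connection to the user registry and a hardened account table behind a parameterised lookup, are shown together below. This is an added illustration written for this page, not SCAAS library code, and it assumes a hypothetical `Users` table (columns `UserName`, `Salt`, `PasswordHash`, `Iterations`), the `Microsoft.Data.SqlClient` provider and .NET 6 or later; the SCAAS User Registry schema itself is not described here.

```csharp
// Added example (not SCAAS code): a registry-backed login check for an
// ASP.NET application. Assumed table, not the SCAAS schema:
//   Users(UserName NVARCHAR(64) PRIMARY KEY, Salt VARBINARY(16),
//         PasswordHash VARBINARY(32), Iterations INT)
using System;
using System.Security.Cryptography;
using Microsoft.Data.SqlClient;

public static class RegistryAuth
{
    // Weak setting: plaintext channel, credentials readable on the wire.
    //   "Server=db;Database=UserRegistry;User ID=app;Password=...;Encrypt=False"
    // Hardened setting: TLS required and the server certificate actually validated.
    public static string BuildConnectionString(string server, string database, string user, string password)
    {
        var b = new SqlConnectionStringBuilder
        {
            DataSource = server,
            InitialCatalog = database,
            UserID = user,
            Password = password,
            Encrypt = true,                 // require TLS on the SQL connection
            TrustServerCertificate = false, // reject certificates that do not chain to a trusted root
        };
        return b.ConnectionString;
    }

    const int SaltBytes = 16;
    const int HashBytes = 32;
    const int DefaultIterations = 100_000;

    // Store a per-user salt and a PBKDF2-SHA256 hash; the password itself is never persisted.
    public static (byte[] salt, byte[] hash) HashPassword(string password, int iterations = DefaultIterations)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltBytes);
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(password, salt, iterations, HashAlgorithmName.SHA256, HashBytes);
        return (salt, hash);
    }

    // Look the user up with a parameterised query (the user name is bound as data, so it
    // cannot alter the SQL) and compare the derived hash in constant time.
    public static bool VerifyLogin(string connectionString, string userName, string password)
    {
        using var conn = new SqlConnection(connectionString);
        conn.Open();

        using var cmd = new SqlCommand(
            "SELECT Salt, PasswordHash, Iterations FROM Users WHERE UserName = @u", conn);
        cmd.Parameters.Add("@u", System.Data.SqlDbType.NVarChar, 64).Value = userName;

        using var rdr = cmd.ExecuteReader();
        if (!rdr.Read())
        {
            // Unknown user: still pay one PBKDF2 cost so response time does not reveal valid names.
            Rfc2898DeriveBytes.Pbkdf2(password, new byte[SaltBytes], DefaultIterations,
                                      HashAlgorithmName.SHA256, HashBytes);
            return false;
        }

        byte[] salt = (byte[])rdr["Salt"];
        byte[] stored = (byte[])rdr["PasswordHash"];
        int iterations = (int)rdr["Iterations"];

        byte[] computed = Rfc2898DeriveBytes.Pbkdf2(password, salt, iterations,
                                                    HashAlgorithmName.SHA256, HashBytes);
        return CryptographicOperations.FixedTimeEquals(computed, stored);
    }
}
```

`Encrypt=True` alone is not enough: with `TrustServerCertificate=True` the client accepts any certificate, so an on-path attacker can still terminate the TLS session. Keeping the salt and iteration count in the registry row lets the iteration count be raised per user on next login without a bulk migration.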

SCAAS: A Secure Authentication and Access Control System for Web Application Development