Groundwork
No matter what sort of web application you want to protect, there is some preparatory work that needs to be done before you can get down to the details of writing rules. We will shortly learn about a four-step process to implement the positive security model, but even before beginning this process, some helpful information to have on hand is the following:
Language the web application is written in
Source code to the web application
Test accounts, including privileged accounts for any restricted/administrative parts of the application
Thorough knowledge of the user actions available in the application (make sure you are familiar with the application and know the actions a user would typically perform when working with it)
In our case, we have all of the source code readily available since the forum software is written in Perl. YaBB ships with a default administrative account that has full privileges—this will be valuable for testing all the features of the forum.
Let's now take a...
