I have heard that most websites use ad-hoc security. How is security policy specified and enforced in code? E.g., only bob's friends may see his email address. If the policy Intertwined throughout the code, how do they manage it as it is error prone. I have started developing a Information Flow Control package for web applications, just curious on what big companies use?
Note: this question is best suited for the Security Stack Exchange site.
Generally speaking, software development companies - not just websites - develop their own authorization logic ad-hoc using code (Java, C#... you name it).
There are a few companies / teams that have decoupled their business logic from their authorization logic. Doing so is called externalizing authorization. The field related to that is called externalized authorization.
There are several benefits to externalizing authorization:
There are several ways to achieve externalized authorization. Here are some examples:
All these approaches are specific to one given language. Some e.g. CanCan are policy-based. Others use a role-based approach.
Ideally, all companies and websites would use a technology-neutral approach based on policies. There is in fact a standard around such a 'thing'. It is called ABAC (attribute-based access control) and it uses policies written in XACML to express the access control logic.
The cool thing is that you could principally reuse these policies across Facebook, Yahoo, etc...