Access control is necessary for security at almost every layer of a web application. This webcast will cover several of the critical access control anti-patterns commonly found during website security audits, including hard-coded security policies, lack of horizontal access control, direct object reference issues, and "fail open" access control mechanisms. In reviewing these and other anti-patterns, we will come up with a series of positive access control principles that make up a robust access control mechanism for any web- or API-based application.
Access Control Design Best Practices
July 22, 2020 | 12:00 PM PT | 3:00 PM ET
Contributors
James Manico
VP of Security Architecture, WhiteHat Security
DevSecOps & Application Security
access control application security audit