The system must restrict access to system functions that execute critical business processes, allowing only authorized users.
Systems must enforce access controls on trusted enforcement points. They must also have a clear definition of user privileges and roles. Functions that execute critical business processes should only be available for authenticated users with roles that have the required privileges.
CAPEC-13: Subverting Environment Variable Values. The attacker directly or indirectly modifies environment variables used by or controlling the target software.
CAPEC-122: Privilege Abuse. An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources.
CIS Controls. 4.7 Limit Access to Scripting Tools. Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or development users with the need to access those capabilities.
CWE-269: Improper Privilege Management The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
CWE-284: Improper Access Control The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-285: Improper Authorization The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-287: Improper Authentication When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.
CWE-306: Missing Authentication for Critical Function The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Directive 2002/58/EC (amended by E-privacy Directive 2009/136/EC). Art. 4: Security of processing.(1a) The measures referred to in paragraph 1 shall at least ensure that personal data can be accessed only by authorized personnel for legally authorized purposes.
NIST 800-53 IA-2 Identification and authentication: The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
OWASP Top 10 A5:2017-Broken Access Control. Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users' accounts, view sensitive files, modify other users' data, change access rights, etc.
OWASP-ASVS v4.0.1 V1.4 Access Control Architectural Requirements.(1.4.3) Verify enforcement of the principle of least privilege in functions, data files, URLs, controllers, services, and other resources. This implies protection against spoofing and elevation of privilege.
OWASP-ASVS v4.0.1 V1.4 Access Control Architectural Requirements.(1.4.4) Verify the application uses a single and well-vetted access control mechanism for accessing protected data and resources. All requests must pass through this single mechanism to avoid copy and paste or insecure alternative paths.
OWASP-ASVS v4.0.1 V1.4 Access Control Architectural Requirements.(1.4.5) Verify that attribute or feature-based access control is used whereby the code checks the user’s authorization for a feature/data item rather than just their role. Permissions should still be allocated using roles.
PCI DSS v3.2.1 - Requirement 6.5.8 Address common coding vulnerabilities in software-development processes including improper access control (such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions).
PCI DSS v3.2.1 - Requirement 8.7 Restrict access to any database so that only database administrators have the ability to directly access or query databases.