The system should set minimal or no permissions for new users/roles and users/roles should not receive access to new features until it is explicitly granted.
Systems should have a set of roles with different levels of privilege to access resources. The privileges of each role must be clearly defined and the role of each user should also be clearly stated. Furthermore, permissions and access should be granted using the principle of deny by default.
CAPEC-122: Privilege Abuse. An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources.
CAPEC-233: Privilege Escalation. An adversary exploits a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to perform.
CWE-276: Incorrect Default Permissions. The product, upon installation, sets incorrect permissions for an object that exposes it to an unintended actor.
CWE-732: Incorrect Permission Assignment for Critical Resource. The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
NERC CIP-005-5. B. Requirements and measures. R1.3 Require inbound and outbound access permissions, including the reason for granting access, and deny all other access by default.
OWASP Top 10 A5:2017-Broken Access Control. Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users' accounts, view sensitive files, modify other users' data, change access rights, etc.
OWASP-ASVS v4.0.1 V4.1 General Access Control Design.(4.1.4) Verify that the principle of deny by default exists whereby new users/roles start with minimal or no permissions and users/roles do not receive access to new features until access is explicitly assigned.
OWASP-ASVS v4.0.1 V10.2 Malicious Code Search.(10.2.2) Verify that the application does not ask for unnecessary or excessive permissions to privacy related features or sensors, such as contacts, cameras, microphones, or location.
OWASP-ASVS v4.0.1 V14.2 Dependency.(14.2.6) Verify that the attack surface is reduced by sandboxing or encapsulating third party libraries to expose only the required behavior into the application.
OWASP-ASVS v4.0.1 V14.5 Validate HTTP Request Header Requirements.(14.5.1) Verify that the application server only accepts the HTTP methods in use by the application or API, including pre-flight OPTIONS.
PCI DSS v3.2.1 - Requirement 6.5.8 Address common coding vulnerabilities in software-development processes including improper access control (such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions).
PCI DSS v3.2.1 - Requirement 7.1.2 Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities.
PCI DSS v3.2.1 - Requirement 7.2.2 This access control system(s) must include a default "deny-all" setting.