Young hacker smiling

We hack your software

zero false positives

Expert intelligence + effective automation

REQ.269 Use principle of least privilege

This document contains the details of the security requirements related to the definition and management of systems in the organization. This requirement establishes the importance of setting privileges for new objects following the principle of least privilege.

Requirement

Privileges for new objects must be set according to the principle of least privilege (umask).

References

  1. OWASP-ASVS v3.1-4.1 Verify that the principle of least privilege exists. Users should only be able to access functions, data files, URLs, controllers, services, and other resources, for which they possess specific authorization. This implies protection against spoofing and elevation of privilege.

  2. NIST 800-53 AC-6 The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.


Service status - Terms of Use