R265. Restrict access to critical processes

Requirement

The system must restrict access to system functions that execute critical business processes, it will only allow authorized users.

Description

Systems must enforce access controls on trusted enforcement points. They must also have a clear definition of user privileges and roles. Functions that execute critical business processes should only be available for authenticated users with roles with enough privileges.

Findings

References

  1. CWE-269: Improper Privilege Management The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

  2. CWE-284: Improper Access Control The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

  3. CWE-285: Improper Authorization The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

  4. CWE-287: Improper Authentication When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.

  5. CWE-306: Missing Authentication for Critical Function The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

  6. Directive 2002/58/EC (amended by E-privacy Directive 2009/136/EC). Art. 4: Security of processing.(1a) The measures referred to in paragraph 1 shall at least ensure that personal data can be accessed only by authorized personnel for legally authorized purposes.

  7. NIST 800-53 IA-2 Identification and authentication: The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).

  8. OWASP-ASVS v4.0.1 V1.4 Access Control Architectural Requirements.(1.4.3) Verify enforcement of the principle of least privilege in functions, data files, URLs, controllers, services, and other resources. This implies protection against spoofing and elevation of privilege.

  9. OWASP-ASVS v4.0.1 V1.4 Access Control Architectural Requirements.(1.4.4) Verify the application uses a single and well-vetted access control mechanism for accessing protected data and resources. All requests must pass through this single mechanism to avoid copy and paste or insecure alternative paths.

  10. OWASP-ASVS v4.0.1 V1.4 Access Control Architectural Requirements.(1.4.5) Verify that attribute or feature-based access control is used whereby the code checks the user’s authorization for a feature/data item rather than just their role. Permissions should still be allocated using roles.

Fluid Attacks logo

Ready to start with Fluid Attacks?

Fluid Attacks logo
Ready to start?
Young hacker smiling Contact Us
Contact Fluid Attacks
Products
Integrates
Drills
Forces
Use Cases
Continuous Hacking
One-shot Hacking
Comparative
About Us
Certifications
Differentiators
Values
Reviews
Resources
Events
People
Partners
Blog
Careers
FAQ
Community
Contact
Newsletter
Security

Copyright © 2020 Fluid Attacks, We hack your software. All rights reserved.

Service status - Terms of Use - Privacy Policy - Cookie Policy