R265. Restrict access to critical processes

Requirement

The system must restrict access to system functions that execute critical business processes, allowing only authorized users.

Description

Systems must enforce access controls at trusted enforcement points. They must also have a clear definition of user privileges and roles. Functions that execute critical business processes should only be available to authenticated users whose roles carry sufficient privileges.
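As an added illustration (not code from Fluid Attacks or from any real system), the following Python sketch shows the pattern the description and the ASVS references ask for: permissions are granted through roles, every critical function is reached only through one enforcement point, the check is on the feature permission rather than the role name, and unknown roles or anonymous callers are denied by default. The role map, user type and `approve_payment` function are constructed for the example.

```python
from dataclasses import dataclass
from functools import wraps
from typing import Callable, Optional

# Constructed role-to-permission map for this example. Permissions are granted
# through roles, but code checks the permission (feature), not the role name.
ROLE_PERMISSIONS = {
    "viewer": {"report:read"},
    "accountant": {"report:read", "payment:create"},
    "finance_admin": {"report:read", "payment:create", "payment:approve"},
}

@dataclass
class User:
    name: str
    roles: frozenset = frozenset()

    def permissions(self) -> set:
        # Unknown roles grant nothing: deny by default.
        return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in self.roles))

class AccessDenied(Exception):
    pass

denied_log: list = []  # audit trail of refused calls (constructed, in-memory)

def require_permission(permission: str) -> Callable:
    """Single enforcement point: every critical function is wrapped by this."""
    def decorator(func: Callable) -> Callable:
        @wraps(func)
        def wrapper(user: Optional[User], *args, **kwargs):
            # Authentication check: an anonymous caller has no identity to authorize.
            if user is None:
                denied_log.append((func.__name__, None, permission))
                raise AccessDenied(f"{func.__name__}: authentication required")
            # Authorization check against the feature permission, not the role label.
            if permission not in user.permissions():
                denied_log.append((func.__name__, user.name, permission))
                raise AccessDenied(f"{func.__name__}: {user.name} lacks {permission}")
            return func(user, *args, **kwargs)
        return wrapper
    return decorator

@require_permission("payment:approve")
def approve_payment(user: User, payment_id: str, amount: int) -> dict:
    """Critical business process: only reachable through the enforcement point."""
    return {"payment_id": payment_id, "amount": amount, "approved_by": user.name}
```

The denied-call log is what a detection team would feed into monitoring: repeated refusals for the same function or caller are a signal worth alerting on.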

References

  1. CWE-269: Improper Privilege Management. The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

  2. CWE-284: Improper Access Control. The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

  3. CWE-285: Improper Authorization. The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

  4. CWE-287: Improper Authentication. When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.

  5. CWE-306: Missing Authentication for Critical Function. The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

  6. Directive 2002/58/EC (amended by E-privacy Directive 2009/136/EC). Art. 4: Security of processing. (1a) The measures referred to in paragraph 1 shall at least ensure that personal data can be accessed only by authorized personnel for legally authorized purposes.

  7. NIST 800-53 IA-2 Identification and Authentication: The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).

  8. OWASP-ASVS v4.0.1 V1.4 Access Control Architectural Requirements. (1.4.3) Verify enforcement of the principle of least privilege in functions, data files, URLs, controllers, services, and other resources. This implies protection against spoofing and elevation of privilege.

  9. OWASP-ASVS v4.0.1 V1.4 Access Control Architectural Requirements. (1.4.4) Verify the application uses a single and well-vetted access control mechanism for accessing protected data and resources. All requests must pass through this single mechanism to avoid copy and paste or insecure alternative paths.

  10. OWASP-ASVS v4.0.1 V1.4 Access Control Architectural Requirements. (1.4.5) Verify that attribute or feature-based access control is used whereby the code checks the user's authorization for a feature/data item rather than just their role. Permissions should still be allocated using roles.

Copyright © 2020 Fluid Attacks, We hack your software. All rights reserved.