
Update Authorization CS draft #478

Merged
merged 1 commit into from Sep 17, 2020

Conversation

@KellyMarchewa (Contributor) commented Aug 31, 2020

This PR covers issue #474

Updated one of the headers slightly per feedback in the linked issue.
Thanks and looking forward to any discussions/feedback for improvement.

 - added content to the Deny by Default and Least Privileges sections
 - updated the header on tool/framework/technology usage
@KellyMarchewa KellyMarchewa requested review from jmanico and mackowski as code owners Aug 31, 2020
@KellyMarchewa KellyMarchewa changed the title feature: update authorization CS draft Update Authorization CS draft Sep 1, 2020
@mackowski (Collaborator) commented Sep 7, 2020

@KellyMarchewa so far it looks awesome to me.
Please review the current Authorization CS and think about what is not covered by your draft, and either add it or make a comment on why you want to exclude a particular topic from this CS.
I am looking forward to the next commits!

@KellyMarchewa (Contributor, Author) commented Sep 10, 2020

Thanks for the feedback @mackowski. To my understanding, this CS was supposed to be a replacement for, and a merging of, both the current IDOR and Access Control CSs. Regarding the concepts covered in those sheets:

  • Per an earlier discussion, it seemed to have been agreed that in-depth discussions of MAC and DAC were not necessarily relevant for the scope of the CS. RBAC will necessarily be discussed under the "Prefer Feature and Attribute Based Access Control over RBAC" section.
  • Currently, I do not have plans to formally and explicitly explore the concept of permissions, but would be glad to do so if wanted.
  • As far as IDOR goes, I think the discussion under the header "Ensure Lookup IDs are Not Accessible Even When Guessed or Cannot Be Tampered With" will perhaps most closely relate to the current IDOR CS, though other sections (such as "Validate the Permissions on Every Request") will probably also be relevant.

Hope I covered everything. Looking forward to getting more work done on this soon.

@jmanico (Member) commented Sep 10, 2020

@jmanico left a review comment

Well done, I am sorry this took me 16 days to approve.

@jmanico jmanico merged commit 99bca08 into OWASP:master Sep 17, 2020
3 checks passed: link-check, lint, Publishing Check
Projects: None yet
Linked issues (successfully merging this pull request may close these issues): None yet
3 participants