SCP [85, 86, 89, 90, 91, 93, 100] Cornucopia - Access Control #123

@sydseter


These are SCP coding practices used during Cornucopia threat modeling sessions that we could add here.

ref: https://owasp.org/www-project-secure-coding-practices-quick-reference-guide/assets/docs/OWASP_SCP_Quick_Reference_Guide_v21.pdf

SCP [84] Restrict access to protected functions to only authorized users

This is also mentioned in ASVS 8.2.1.
SCP [84] is referred to in AZ7 and C9.

Suggesting to add: Restrict function-level access to consumers with explicit permissions


SCP [86] Restrict direct object references to only authorized users

This is also mentioned in ASVS 8.2.2
SCP [86] is referred to in AZ7 and C9.

Suggesting to add: Restrict direct object references to only authorized users with explicit permissions to specific data items to mitigate insecure direct object reference (IDOR) and broken object level authorization (BOLA)


SCP [89] Restrict access to user and data attributes and policy information used by access controls

This is also mentioned in ASVS 8.2.3
SCP [89] is referred to in AZ5, AZJ, AZK and C9.

Suggesting to add: Restrict access to user and data attributes to consumers with explicit permissions to specific fields to mitigate broken object property level authorization (BOPLA)


SCP [90] Restrict access to security-relevant configuration information to only authorized users

I would say this is similar to ASVS 8.4.2
SCP [90] is referred to in AZJ, CRJ, C9 and CJ.

Suggesting to add: Restrict access to security-relevant configuration information to only authorized users who have been allowed access through multiple layers of security, including continuous consumer identity verification, device security posture assessment, and contextual risk analysis


SCP [91] Server side implementation and presentation layer representations of access control rules must match

I would say this is similar to ASVS 8.3.1 and ASVS 2.3.2
SCP [91] is referred to in AZX and AZK.

Suggesting to add: Server side implementation and presentation layer representations of access control rules should not differ in such a way that they allow for business functionality and rules to be compromised.


SCP [93] Enforce application logic flows to comply with business rules

I would say this is similar to ASVS 2.3.1 and ASVS 2.3.2.
SCP [93] is referred to in AZ8.

Suggesting to add as is: Enforce application logic flows to comply with business rules


SCP [100] Create an Access Control Policy to document an application's business rules, data types and access authorization criteria and/or processes so that access can be properly provisioned and controlled. This includes identifying access requirements for both the data and system resources

A bit outdated, but still good. The practice is referred to in Authorization Cheat Sheet and ASVS V8.1 Authorization Documentation.
SCP [100] is referred to in AZ3.

Suggesting to add:

7.1.6: Create unit and integration tests to document and verify an application's business rules, data types and access authorization criteria and/or processes so that access can be properly provisioned and controlled for restricting function-level, data-specific, and field-level access based on consumer permissions and resource attributes.

7.1.7: Access Control criteria and/or processes not testable through automated tests should be documented so that they can be manually tested.
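As an added illustration (not code from this issue, the Cornucopia deck or the SCP guide) of the three layers the suggested wordings ask for, function-level, object-level (IDOR/BOLA) and field-level (BOPLA) restriction with explicit consumer permissions, the sketch below enforces them in one request path; `Consumer`, the `invoice:*` permission strings and the sample invoices are all assumptions constructed for the example.

```python
from dataclasses import dataclass
# Names, permission strings and sample records are constructed for this example;
# none come from the Cornucopia deck, the SCP guide or ASVS.
class Forbidden(Exception): pass
@dataclass(frozen=True)
class Consumer:
    id: str
    permissions: frozenset  # explicit grants such as "invoice:read"
# Invoices are plain dicts; "internal_margin" is a field the owner must not see.
STORE = {"inv-1": {"id": "inv-1", "owner_id": "alice", "amount": 120, "internal_margin": 30},
         "inv-2": {"id": "inv-2", "owner_id": "bob", "amount": 80, "internal_margin": 10}}
FIELD_GRANTS = {"amount": "invoice:read:amount", "internal_margin": "invoice:read:margin"}

def require(consumer, permission):
    """Function-level access: the action itself needs an explicit grant."""
    if permission not in consumer.permissions:
        raise Forbidden(f"{consumer.id} lacks {permission}")

def load_invoice(consumer, invoice_id):
    """Object-level access (BOLA/IDOR): owned objects only, unless a cross-owner grant
    exists. Missing and foreign ids raise the same error (no existence oracle)."""
    require(consumer, "invoice:read")
    inv = STORE.get(invoice_id)
    if inv is None or (inv["owner_id"] != consumer.id
                       and "invoice:read:any" not in consumer.permissions):
        raise Forbidden("not authorized for this object")
    return inv

def present_invoice(consumer, inv):
    """Property-level access (BOPLA): a sensitive field is released only against
    its own grant; fields outside FIELD_GRANTS are never copied into the view."""
    view = {"id": inv["id"], "owner_id": inv["owner_id"]}
    for name, grant in FIELD_GRANTS.items():
        if grant in consumer.permissions:
            view[name] = inv[name]
    return view
def view_invoice(consumer, invoice_id):
    """Full path an endpoint takes: function, then object, then field checks."""
    return present_invoice(consumer, load_invoice(consumer, invoice_id))
def is_denied(consumer, invoice_id):  # True when the full path refuses the request
    try:
        view_invoice(consumer, invoice_id)
        return False
    except Forbidden:
        return True
ALICE = Consumer("alice", frozenset({"invoice:read", "invoice:read:amount"}))
AUDITOR = Consumer("aud", frozenset({"invoice:read", "invoice:read:any",
                                     "invoice:read:amount", "invoice:read:margin"}))
GUEST = Consumer("guest", frozenset())
```

Unit tests written against `view_invoice` and `is_denied` for each consumer/object pair are the kind of executable documentation the proposed 7.1.6 wording asks for.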
