OWASP Top Ten #1 Worst Problem: Poor Access Control

Webinar Access Control

How To Avoid “All Your Base Are Belong To Everyone!”

As you are probably well aware, access control is the biggest problem in Application Security. OWASP research in 2021 pointed this out, as did Verizon’s well-respected 2022 DIBR report.

Why is this important? The same report points out that web application attacks are the second most frequent attack pattern after DoS. So, if your organization has not been hit in this area, chances are you will be. Get ready!

The good, the bad and the ugly

Be warned; there are no quick fixes! No magical tools resolve this for you. Developers’ first response is mostly to ignore access control as an issue and to make matters worse. Application frameworks rarely provide details about their functionality since it’s not particularly generalizable.

But don’t despair! Approaches to resolve this are mature and well-developed. Watch this webinar with Application Security experts Jim Manico (OWASP Top Ten contributor), Erwin Geirnaert (Co-founder & Chief Hacking Officer at Shift Left Security) and Julius Musseau (CTO at Mergebase) to learn about guidelines, patterns, as well as pitfalls to avoid it.

What will you learn in this course?

– First, What defines the terms “access control” and “authorization,” and why are these still hard to get right?

– The building blocks developers need to know about it: 

  • Learn how to apply the principle of least privilege when building access control in your applications.
  • Learn how to use the suitable data types for access control decisions
  • Learn how to build data-centric access control system to avoid Indirect Object Reference (IOR) issues.

We are going to look at some of the building blocks around good access control. Talk about principal lease privilege we want to look at, like what data we should be using at the point of making an ac decision.

– Best protection strategies to prevent it and then one of the more difficult things, indirect object reference. It is data-specific access control, and we’re going to come up with some protection strategies and design principles. 

So, if you want to learn more about what makes applications so vulnerable and what you can do about it, this is the webinar you won’t want to miss!

The recording was made on June 20th.

Webinar’s Highlights

What is Access Control and Authorization?

AC is about selectively restricting access in a piece of software right various features and various resource access. Authorization is when you give permission to a particular user or entity to access certain features or data again. In other words, access control is the act of restricting access, and authorization is the act of giving someone access to a specific part of your software.

How do most people do access control?

They use Role Based Access Control (RBAC), which is the most common access control implemented in most web frameworks. Usually, you check in a hard-coded way what role the user is correct. This is a policy enforcement point somewhere in the software where you can check if the user has permission to execute this feature.

However, hard coding has some problems:

  • It makes “proving” the policy of an application difficult for audit or Q/A purposes.
  • Any time the access control policy changes to be updated, new code needs to be pushed.
  • It does not support horizontal ac.
  • It is often not “automatic” and needs to be “hand-coded” for each application feature. 
  • It does not support multi-tenancy.

Why is it still difficult? What is the challenge?

  • It is difficult for developers to build. Frameworks rarely provide detailed ac functionality.
  • It is difficult to test from automated tools. Scanning tools are rarely aware of your custom access control policies.

Best Practices

  • SQL Integrated.
  • Access Control Sequence: If you have a big sequence and it is hard to look down everything, protect the steps that will hurt your business
  • Data Context considered in Permissions
  • Centralize ACL Control (CanCanComunity)

Is your application safe?

MergeBase

About the Author

MergeBase