[ISM] Security verification:

The OWASP Application Security Verification Standard is used in the development of web applications.

[OWASP] Enforce strict access control (SSS-02-11-04)

Enforce strict access control mechanisms to prevent unauthorized access and privilege escalation. For example, implement role-based or attribute-based access control (RBAC/ABAC) and enforce the principle of least privilege; restrict access to sensitive data and operations based on defined authorization rules; and continuously monitor access attempts, log violations, and audit privilege changes to maintain security integrity.

[OWASP] Implement comprehensive access control (SSS-02-11-04-01)

V4.1 General Access Control Design

Design access control mechanisms from the ground up, ensuring that they are based on role-based access control (RBAC), attribute-based access control (ABAC), or other suitable models tailored to the application's needs. Implement least privilege by ensuring users and systems are granted the minimum necessary access to perform their tasks. Ensure access control policies are consistently applied across all components and layers of the application, such as the user interface, API, and backend. Regularly review access control policies to ensure they align with business needs, legal requirements, and evolving security risks.

V4.2 Operation Level Access Control

Apply operation-level access control to ensure that users or services can only perform actions they are authorized for, such as creating, updating, or deleting records. Use access control checks for each critical operation in the system, ensuring they align with the defined access policies. Ensure that all sensitive or privileged operations (e.g., administrative actions, financial transactions) are subject to stricter access controls and logging. Enforce auditing and logging of all access-related actions to maintain traceability and detect potential misuse or abuse of privileges.

V4.3 Other Access Control Considerations

Secure administrative access by implementing additional layers of protection such as multi-factor authentication (MFA), IP whitelisting, and time-based restrictions for privileged accounts. Implement access control for non-human entities, such as service accounts or automated processes, ensuring they only have access to resources required for their operation. Enforce access control in distributed environments by managing access at both the network level (e.g., firewalls, VPNs) and application level (e.g., API access, service meshes). Ensure segmentation and isolation of sensitive environments (e.g., production, development, test) and restrict cross-environment access to minimize risk.

By designing access control from the ground up, enforcing operation-level restrictions, and addressing special access considerations for sensitive or privileged actions, organizations can effectively secure their systems against unauthorized access and potential misuse.

Operations

ID: SSS-02-11-04-01-01
Operation: Implement role-based or attribute-based access control
Description: Enforce Role-Based Access Control (RBAC) or Attribute-Based Access Control (ABAC) to ensure users have access only to authorized resources based on their roles and attributes.
Phase: Development
Agent: Security Teams, Software Architects

ID: SSS-02-11-04-01-02
Operation: Enforce least privilege and separation of duties
Description: Ensure users, applications, and services have only the minimum access necessary to perform their functions, preventing excessive permissions and reducing security risks.
Phase: Development
Agent: Security Teams, IT Operations

ID: SSS-02-11-04-01-03
Operation: Prevent privilege escalation
Description: Implement strict access controls to prevent unauthorized privilege escalation. Use privilege separation, access audits, and continuous monitoring to detect and mitigate privilege abuse.
Phase: Deployment
Agent: Security Engineers, DevOps Teams

ID: SSS-02-11-04-01-04
Operation: Ensure object-level access control
Description: Verify that users can access only their own data by implementing object-level authorization checks in APIs and databases, preventing unauthorized data access.
Phase: Post-deployment
Agent: Security Teams, Compliance Officers

ID: SSS-02-11-04-01-05
Operation: Prevent authorization bypass attacks
Description: Secure applications against forced browsing, direct object reference attacks, and API abuse by enforcing proper authorization checks at every layer of access control.
Phase: Post-deployment
Agent: Security Engineers, DevOps Teams
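The following is an added illustration (not code from the ISM or ASVS) of the operation-level and object-level checks described in V4.2 and in operations SSS-02-11-04-01-04 and -05: a role table for the operation-level check, an ownership check for the object-level check, an audit log entry for every denial, and an insecure handler beside the hardened one to show the direct-object-reference gap the hardened handler closes. The roles, users and records are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample data; real roles and records come from the identity provider and the database.
ROLE_PERMISSIONS = {            # RBAC: which operations each role may perform
    "user": {"read", "update"},
    "admin": {"read", "update", "delete"},
}

@dataclass(frozen=True)
class User:
    id: str
    role: str

@dataclass(frozen=True)
class Record:
    id: int
    owner_id: str

RECORDS = {1: Record(1, "alice"), 2: Record(2, "bob")}
audit_log = []                  # stand-in for the real audit sink

def authorize(user: User, operation: str, record: Record) -> bool:
    """Operation-level (role) check followed by object-level (ownership) check."""
    allowed = operation in ROLE_PERMISSIONS.get(user.role, set())
    if allowed and user.role != "admin":      # admins may act on any record
        allowed = record.owner_id == user.id  # ABAC-style attribute check
    if not allowed:
        audit_log.append(f"DENY user={user.id} role={user.role} op={operation} record={record.id}")
    return allowed

def fetch_record_insecure(user: User, record_id: int):
    """The direct-object-reference gap: the id from the request is trusted as-is."""
    return RECORDS.get(record_id)

def fetch_record(user: User, record_id: int):
    """Hardened: None for both missing and denied ids, so responses do not reveal valid ids."""
    record = RECORDS.get(record_id)
    if record is None or not authorize(user, "read", record):
        return None
    return record

def delete_record(user: User, record_id: int) -> bool:
    """Privileged operation: requires the 'delete' permission on the caller's role."""
    record = RECORDS.get(record_id)
    if record is None or not authorize(user, "delete", record):
        return False
    del RECORDS[record_id]
    audit_log.append(f"ALLOW user={user.id} op=delete record={record_id}")
    return True
```

In a real service the same `authorize` call must sit in every API handler and data-access path, not only the ones shown, since a single unchecked path is enough to bypass the others.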

References

Industry framework:
Information Security Manual (ISM-0971)
OWASP Application Security Verification Standard