[ISM] Proactive Controls (OWASP Top):

The OWASP Top 10 Proactive Controls are used in the development of web applications.

[OWASP] Enforce strict access controls (SSS-02-12-01)

Apply strict access control mechanisms to regulate user, program, or process access to sensitive resources based on predefined policies. For example, enforce role-based or attribute-based access control at multiple levels, including business logic and database layers, to prevent unauthorized access and privilege escalation. Align access control enforcement across all entry points, such as web applications, APIs, and backend services, to ensure consistency and eliminate bypass risks. Maintain a clear distinction between authentication (verifying identity) and authorization (verifying permissions). Continuously monitor, log, and audit access attempts to detect and mitigate potential security threats.

[OWASP] Design secure access controls (SSS-02-12-01-01)

1. Design Access Control Thoroughly Up Front: Plan and implement access control policies early in the design phase, addressing all potential access points, roles, and data sensitivities.
2. Force Every Access Request to Go Through an Access Control Check: Ensure that all requests for sensitive data or operations pass through a centralized access control check to enforce policies consistently across the application.
3. Consolidate the Access Control Check: Use a centralized access control service to reduce complexity and improve maintainability, ensuring that all checks are consistent and auditable.
4. Deny by Default: Implement default-deny access control, where access to resources is denied unless explicitly granted by predefined policies.
5. Principle of Least Privilege / Just in Time (JIT), Just Enough Access (JEA): Enforce the principle of least privilege by granting users only the minimum level of access necessary to perform their tasks. Implement JIT and JEA to dynamically allocate and revoke permissions based on specific needs.
6. Do not Hard-code Roles: Avoid hard-coding roles directly into the application. Use a dynamic role management system to assign roles and permissions to users based on their actual job functions.
7. ABAC Policy Enforcement Point Example: Implement Attribute-Based Access Control (ABAC) by creating policies that use attributes (e.g., user roles, data sensitivity, resource context) to enforce access decisions dynamically. An example could be restricting access to sensitive data based on user attributes such as department or clearance level.

By designing comprehensive access control models, centralizing checks, and applying the principle of least privilege, organizations can ensure secure, granular access to resources across all environments.
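The following sketch illustrates items 2, 3, 4, 6 and 7 together: one centralized, deny-by-default ABAC policy enforcement point with policies held as data and every decision logged. It is an added example, not code from OWASP, the ISM or this catalogue; the names `Policy`, `POLICIES`, `is_allowed` and `require`, the attribute keys (`department`, `clearance`, `sensitivity`) and the `payroll_record` resource type are assumptions made for illustration.

```python
import logging
from dataclasses import dataclass

log = logging.getLogger("access")

@dataclass(frozen=True)
class Policy:
    """One allow rule; every condition must hold (constructed for illustration)."""
    action: str
    resource_type: str
    departments: frozenset   # subject departments the rule applies to
    min_clearance: int       # minimum subject clearance for this action

# Policies are data, not role names in code; in practice they come from a policy store.
POLICIES = [
    Policy("read", "payroll_record", frozenset({"hr", "finance"}), 2),
    Policy("update", "payroll_record", frozenset({"hr"}), 3),
]

def is_allowed(subject, action, resource, policies=POLICIES) -> bool:
    """Single policy enforcement point: deny unless a policy explicitly matches."""
    decision = False
    try:
        clearance = int(subject["clearance"])
        sensitivity = int(resource["sensitivity"])
        for p in policies:
            if (p.action == action
                    and p.resource_type == resource["type"]
                    and subject["department"] in p.departments
                    and clearance >= p.min_clearance
                    and clearance >= sensitivity):
                decision = True
                break
    except (KeyError, TypeError, ValueError):
        decision = False  # missing or malformed attributes fail closed
    log.info("access subject=%s action=%s resource=%s allowed=%s",
             subject.get("id") if isinstance(subject, dict) else None, action,
             resource.get("id") if isinstance(resource, dict) else None, decision)
    return decision

def require(subject, action, resource):
    """Call at every entry point (web, API, backend job) before touching the resource."""
    if not is_allowed(subject, action, resource):
        raise PermissionError(f"{action} denied")
    return resource
```
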

Operations

| ID | Operation | Description | Phase | Agent |
|---|---|---|---|---|
| SSS-02-12-01-01-01 | Development access control thoroughly up front | Plan and implement access control policies early in the Development phase, considering all potential access points, roles, and data sensitivities. Address different access levels such as business logic and database row level. | Preparation | Security Teams, Software Architects |
| SSS-02-12-01-01-02 | Force every access request to go through an access control check | Ensure that every access request for sensitive data or operations goes through a centralized access control check to enforce policies consistently across the application. | Development | Security Engineers, Software Developers |
| SSS-02-12-01-01-03 | Consolidate the access control check | Use a centralized access control service to reduce complexity, improve maintainability, and ensure consistency in access checks across the application. | Development | Security Engineers, DevOps Teams |
| SSS-02-12-01-01-04 | Deny by default | Implement default-deny access control, where access to resources is denied unless explicitly granted by predefined policies. This ensures strict control over who can access what. | Development | Security Engineers, IT Operations |
| SSS-02-12-01-01-05 | Enforce principle of least privilege / just in time (JIT), just enough access (JEA) | Grant users only the minimum necessary access to perform their tasks by enforcing the principle of least privilege. Use JIT and JEA to dynamically allocate and revoke permissions based on needs. | Deployment | Security Teams, Compliance Officers |
| SSS-02-12-01-01-06 | Avoid hard-coding roles | Avoid embedding roles directly into the application code. Instead, use a dynamic role management system that assigns roles and permissions based on actual job functions and needs. | Development | Security Engineers, Software Architects |
| SSS-02-12-01-01-07 | Implement ABAC policy enforcement | Implement Attribute-Based Access Control (ABAC) by creating policies that use user attributes (e.g., department, clearance level) and resource context to make access decisions dynamically. | Development | Security Teams, Software Engineers |

References

Industry framework Academic work Real-world case
Information Security Manual (ISM-1849)
OWASP Proactive Controls