SlideShare a Scribd company logo

Cm3 secure code_training_1day_access_control

Download as PPTX, PDF
D
dcervigni

This document discusses access control best practices and anti-patterns. It defines access control as the process of determining if a user has permission to access a resource. It recommends building centralized authorization logic to code permissions rather than roles, using server-side data to make access control decisions, and enforcing application logic flows. The document warns against hard-coding roles in code and using untrusted data for access control.

Technology
1 of 23
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
SECURE CODE TRAINING ACCESS CONTROL DAVID CERVIGNI IT SECURITY CONSULTANT AND PCI CODE REVIEWER
What is Access Control? Authorization is the process where a system determines if a specific user has access to a resource. https://tools.ietf.org/html/rfc2904 PIP = Policy Information Point PDP = Policy Decision Point PEP = Policy Enforcement Point PAP = Policy Administration Point PRP = Policy Retrieval Point (XACML) *XACML stands for "eXtensible Access Control Markup Language"
Access Control Attacks Vertical Access Control Attacks A standard user accessing administration functionality Horizontal Access Control Attacks Same role, but accessing another user's private data Business Logic Access Control Attacks Abuse of one or more linked activities that collectively realize a business objective
Access Controls failure impact • Loss of accountability – Attackers maliciously execute actions as other users – Attackers maliciously execute higher level actions • Disclosure of confidential data – Compromising admin-level accounts often results in access to user’s confidential data • Data tampering – Privilege levels do not distinguish users who can only view data and users permitted to modify data
Access Control Best Practices • Build a centralized AuthZ mechanism • Code to the permission, not the role • Design AuthZ as a filter • Deny by default, fail securely • Server-side trusted data should drive AuthZ • Be able to change entitlements in real time • Design standardized data contextual AuthZ • Build grouping for users and permissions
Access Control Anti-Patterns • Hard-coded role checks in application code • Lack of centralized access control logic • Untrusted data driving access control decisions • Access control that is “open by default” • Lack of addressing horizontal access control in a standardized way (if at all) • Access control logic that needs to be manually added to every endpoint in code • Access Control that is “sticky” per session • Access Control that requires per-user policy
Best Practice: Centralized AuthZ • Define a centralized access controller – ACLService.isAuthorized(PERMISSION_CONSTANT) – ACLService.assertAuthorized(PERMISSION_CONSTANT) • Access control decisions go through these simple API’s • Centralized logic to drive policy behavior and persistence • May contain data-driven access control policy information
Best Practice: Code to the Activity int articleId = request.getInt(“articleId”); if (AC.hasAccess(“article:edit:” + articleId)) { //execute activity } • Code it once, never needs to change again • Implies policy is centralized in some way • Implies policy is persisted in some way • Requires more design/work up front to get right
Data Contextual Access Control Data Contextual / Horizontal Access Control API examples: ACLService.isAuthorized(“car:view:321”) ACLService.assertAuthorized(“car:edit:321”) Long form: IsAuthorized(user, Perm.EDIT_CAR, Car.class, 321) • Check if the user has the right role in the context of a specific object • Protecting data at the lowest level! 9
Using a Centralized Access Controller In Presentation Layer if (isAuthorized(Permission.VIEW_LOG_PANEL)) { <h2>Here are the logs</h2> <%=Encoder.forHTMLContent(getRawLogData());%/> }
Using a Centralized Access Controller In Controller try { assertAuthorized(Permission.DELETE_USER); deleteUser(); } catch (Exception e) { //IDS EVENT }
Implementation Use a single site-wide component to check access authorization. This includes libraries that call external authorization services and also separate privileged logic from other application code.
Re-validaiton If long authenticated sessions are allowed, periodically re-validate a user’s authorization to ensure that their privileges have not changed and if they have, log the user out and force them to re-authenticate The application must support disabling of accounts and terminating sessions when authorization ceases (e.g., Changes to role, employment status, business process, etc.)
Access Control good practices examples Don’t rely on client data Use only trusted system objects, e.g. server side session objects, for making access authorization decisions Use White Listing *Deny all access if the application cannot access its security configuration information
Access Control bad practices examples Use Untrusted data • Avoid trusting request data for access control decisions • Never make access control decisions in JavaScript • Never make authorization decisions based solely on: • hidden fields • cookie values • form parameters • URL parameters • anything else from the request • Never depend on the order of values sent from the client
Consider the order or actions Imagine the following parameters 1. http://example.com/buy?action=chooseDataPackage 2. http://example.com/buy?action=customizePackage 3. http://example.com/buy?action=makePayment 4. http://example.com/buy?action=downloadData Can an attacker control the sequence? Can an attacker abuse this with concurrency?
Enforce logic application flow Enforce application logic flows to comply with business rules (AppSensor) Monitoring: Limit the number of transactions a single user or device can perform in a given period of time. The transactions/time should be above the actual business requirement, but low enough to deter automated attacks.
Access Control bad practices examples HARD CODED ROLES void editProfile(User u, EditUser eu) { if (u.isManager()) { editUser(eu); } } How to maintain that code?
Access Control bad practices examples HARD CODED ROLES if ((user.isManager() || user.isAdministrator() || user.isEditor()) && user.id() != 1132)) { //execute action }
Access Control bad practices examples HARD CODED ROLES • Makes “proving” the policy of an application difficult for audit or Q/A purposes • Any time access control policy needs to change, new code need to be pushed • RBAC is often not granular enough • Fragile, easy to make mistakes
Avoid Direct Object reference http://foo.bar/somepage?invoice=12345 How to avoid? • Semantic validation (stateless) • Level of (randomized) indirection (stateful implementation)
SQL Integrated Access Control • Example Feature http://mail.example.com/viewMessage?messageid=2356342 • This SQL would be vulnerable to tampering select * from messages where messageid = 2356342 • Ensure the owner is referenced in the query! select * from messages where messageid = 2356342 AND messages.message_owner = <userid_from_session>
SECURE CODE TRAINING INTENSIVE COURSE DAVID CERVIGNI IT SECURITY CONSULTANT AND PCI CODE REVIEWER

More Related Content

What's hot (9)

PPTX
Advanced Authorization for SAP Global Deployments Part I of III
NextLabs, Inc.
 
PPTX
Rootconf_phishing_v2
Arjun BM
 
PPTX
IT Operations Management with OpManager
ManageEngine, Zoho Corporation
 
PDF
FLIGHT WEST 2018 Presentation - Open Source License Management in Black Duck Hub
Black Duck by Synopsys
 
PPTX
7 Vulnerabilities In Your Web Application That Can Open The Door To Security ...
Inspirisys Solutions Limited
 
PPTX
Webinar: Building amazing web apps rapidly with emerging tech
Harbinger Systems - HRTech Builder of Choice
 
PPTX
Box Demo - Custom CRM
Mike Checker
 
PPTX
Box Demo - Custom CRM
Mike Checker
 
PDF
Introduction to Software Potential
InishTech
 
Advanced Authorization for SAP Global Deployments Part I of III
NextLabs, Inc.
 
Rootconf_phishing_v2
Arjun BM
 
IT Operations Management with OpManager
ManageEngine, Zoho Corporation
 
FLIGHT WEST 2018 Presentation - Open Source License Management in Black Duck Hub
Black Duck by Synopsys
 
7 Vulnerabilities In Your Web Application That Can Open The Door To Security ...
Inspirisys Solutions Limited
 
Webinar: Building amazing web apps rapidly with emerging tech
Harbinger Systems - HRTech Builder of Choice
 
Box Demo - Custom CRM
Mike Checker
 
Box Demo - Custom CRM
Mike Checker
 
Introduction to Software Potential
InishTech
 

Similar to Cm3 secure code_training_1day_access_control (20)

PPTX
Access Control Pitfalls v2
Jim Manico
 
PPTX
Authorization Pattern.pptx power point s
Coderkids
 
PDF
Alliance Compant Presentation
Alliance Tech Solution Pvt Ltd
 
PPTX
Defending broken access control in .NET
Supriya G
 
PDF
S5-Authorization
zakieh alizadeh
 
PPTX
information security(authentication application, Authentication and Access Co...
Zara Nawaz
 
PPT
4_5949547032388570388.ppt
MohammedMohammed578197
 
PPTX
Modeling Multi-Layer Access Control Policies of a Hyperledger-Fabric-Based Ag...
Dilum Bandara
 
PPT
How much does it cost to be Secure?
mbmobile
 
PDF
Injection techniques conversys
Krishnendu Paul
 
PPTX
Q4_Fortify your IBM Power Systems with Strong Access Control_E_FINAL.pptx
Precisely
 
PPTX
009 Authentication and Access Control.pptx
AssadLeo1
 
PPTX
The Importance of Enterprise Privileged Access Management (PAM)
Bert Blevins
 
PDF
Principles of Information Security 5th Edition Whitman Solutions Manual
feyenrungeab
 
PDF
Principles of Information Security 5th Edition Whitman Solutions Manual
badatokinsso
 
PDF
Full download Principles of Information Security 5th Edition Whitman Solution...
awudorrisone
 
PPT
lecture7-accesscontroool_ct1405.pptx.ppt
maneltighiouart7
 
PDF
Principles of Information Security 5th Edition Whitman Solutions Manual
xhroghjqwc072
 
PDF
Principles of Information Security 5th Edition Whitman Solutions Manual
hajrnwqbvw117
 
PDF
Principles of Information Security 5th Edition Whitman Solutions Manual
yjuywsznt9224
 
Access Control Pitfalls v2
Jim Manico
 
Authorization Pattern.pptx power point s
Coderkids
 
Alliance Compant Presentation
Alliance Tech Solution Pvt Ltd
 
Defending broken access control in .NET
Supriya G
 
S5-Authorization
zakieh alizadeh
 
information security(authentication application, Authentication and Access Co...
Zara Nawaz
 
4_5949547032388570388.ppt
MohammedMohammed578197
 
Modeling Multi-Layer Access Control Policies of a Hyperledger-Fabric-Based Ag...
Dilum Bandara
 
How much does it cost to be Secure?
mbmobile
 
Injection techniques conversys
Krishnendu Paul
 
Q4_Fortify your IBM Power Systems with Strong Access Control_E_FINAL.pptx
Precisely
 
009 Authentication and Access Control.pptx
AssadLeo1
 
The Importance of Enterprise Privileged Access Management (PAM)
Bert Blevins
 
Principles of Information Security 5th Edition Whitman Solutions Manual
feyenrungeab
 
Principles of Information Security 5th Edition Whitman Solutions Manual
badatokinsso
 
Full download Principles of Information Security 5th Edition Whitman Solution...
awudorrisone
 
lecture7-accesscontroool_ct1405.pptx.ppt
maneltighiouart7
 
Principles of Information Security 5th Edition Whitman Solutions Manual
xhroghjqwc072
 
Principles of Information Security 5th Edition Whitman Solutions Manual
hajrnwqbvw117
 
Principles of Information Security 5th Edition Whitman Solutions Manual
yjuywsznt9224
 
Ad

More from dcervigni (9)

PPTX
Cm9 secure code_training_1day_input sanitization
dcervigni
 
PPTX
Cm2 secure code_training_1day_data_protection
dcervigni
 
PPTX
Cm1 secure code_training_1day_intro
dcervigni
 
PPTX
Cm8 secure code_training_1day_security libraries
dcervigni
 
PPTX
Cm4 secure code_training_1day_error handling and logging
dcervigni
 
PPTX
Cm5 secure code_training_1day_system configuration
dcervigni
 
PPTX
Cm6 secure code_training_1day_file management
dcervigni
 
PPTX
Cm7 secure code_training_1day_xss
dcervigni
 
PPTX
JavaScript security and tools evolution at 2017 OWASP Taiwan Week
dcervigni
 
Cm9 secure code_training_1day_input sanitization
dcervigni
 
Cm2 secure code_training_1day_data_protection
dcervigni
 
Cm1 secure code_training_1day_intro
dcervigni
 
Cm8 secure code_training_1day_security libraries
dcervigni
 
Cm4 secure code_training_1day_error handling and logging
dcervigni
 
Cm5 secure code_training_1day_system configuration
dcervigni
 
Cm6 secure code_training_1day_file management
dcervigni
 
Cm7 secure code_training_1day_xss
dcervigni
 
JavaScript security and tools evolution at 2017 OWASP Taiwan Week
dcervigni
 
Ad

Recently uploaded (20)

PDF
Human-centred design in online workplace learning and relationship to engagem...
Tracy Tang
 
PPT
Interview paper part 3, It is based on Interview Prep
SoumyadeepGhosh39
 
PDF
July Patch Tuesday
Ivanti
 
PDF
Ampere Offers Energy-Efficient Future For AI And Cloud
ShapeBlue
 
PDF
Why Orbit Edge Tech is a Top Next JS Development Company in 2025
mahendraalaska08
 
PDF
Blockchain Transactions Explained For Everyone
CIFDAQ
 
PDF
How Startups Are Growing Faster with App Developers in Australia.pdf
India App Developer
 
PDF
CIFDAQ Weekly Market Wrap for 11th July 2025
CIFDAQ
 
PPTX
✨Unleashing Collaboration: Salesforce Channels & Community Power in Patna!✨
SanjeetMishra29
 
PDF
Smart Air Quality Monitoring with Serrax AQM190 LITE
SERRAX TECHNOLOGIES LLP
 
PDF
TrustArc Webinar - Data Privacy Trends 2025: Mid-Year Insights & Program Stra...
TrustArc
 
PPTX
WooCommerce Workshop: Bring Your Laptop
Laura Hartwig
 
PDF
Apache CloudStack 201: Let's Design & Build an IaaS Cloud
ShapeBlue
 
PPTX
MSP360 Backup Scheduling and Retention Best Practices.pptx
MSP360
 
PPTX
Darren Mills The Migration Modernization Balancing Act: Navigating Risks and...
AWS Chicago
 
PDF
Fl Studio 24.2.2 Build 4597 Crack for Windows Free Download 2025
faizk77g
 
PDF
Chris Elwell Woburn, MA - Passionate About IT Innovation
Chris Elwell Woburn, MA
 
PDF
Log-Based Anomaly Detection: Enhancing System Reliability with Machine Learning
Mohammed BEKKOUCHE
 
PPTX
Extensions Framework (XaaS) - Enabling Orchestrate Anything
ShapeBlue
 
PDF
Building Resilience with Digital Twins : Lessons from Korea
SANGHEE SHIN
 
Human-centred design in online workplace learning and relationship to engagem...
Tracy Tang
 
Interview paper part 3, It is based on Interview Prep
SoumyadeepGhosh39
 
July Patch Tuesday
Ivanti
 
Ampere Offers Energy-Efficient Future For AI And Cloud
ShapeBlue
 
Why Orbit Edge Tech is a Top Next JS Development Company in 2025
mahendraalaska08
 
Blockchain Transactions Explained For Everyone
CIFDAQ
 
How Startups Are Growing Faster with App Developers in Australia.pdf
India App Developer
 
CIFDAQ Weekly Market Wrap for 11th July 2025
CIFDAQ
 
✨Unleashing Collaboration: Salesforce Channels & Community Power in Patna!✨
SanjeetMishra29
 
Smart Air Quality Monitoring with Serrax AQM190 LITE
SERRAX TECHNOLOGIES LLP
 
TrustArc Webinar - Data Privacy Trends 2025: Mid-Year Insights & Program Stra...
TrustArc
 
WooCommerce Workshop: Bring Your Laptop
Laura Hartwig
 
Apache CloudStack 201: Let's Design & Build an IaaS Cloud
ShapeBlue
 
MSP360 Backup Scheduling and Retention Best Practices.pptx
MSP360
 
Darren Mills The Migration Modernization Balancing Act: Navigating Risks and...
AWS Chicago
 
Fl Studio 24.2.2 Build 4597 Crack for Windows Free Download 2025
faizk77g
 
Chris Elwell Woburn, MA - Passionate About IT Innovation
Chris Elwell Woburn, MA
 
Log-Based Anomaly Detection: Enhancing System Reliability with Machine Learning
Mohammed BEKKOUCHE
 
Extensions Framework (XaaS) - Enabling Orchestrate Anything
ShapeBlue
 
Building Resilience with Digital Twins : Lessons from Korea
SANGHEE SHIN
 

Cm3 secure code_training_1day_access_control

  • 1. SECURE CODE TRAINING ACCESS CONTROL DAVID CERVIGNI IT SECURITY CONSULTANT AND PCI CODE REVIEWER
  • 2. What is Access Control? Authorization is the process where a system determines if a specific user has access to a resource. https://tools.ietf.org/html/rfc2904 PIP = Policy Information Point PDP = Policy Decision Point PEP = Policy Enforcement Point PAP = Policy Administration Point PRP = Policy Retrieval Point (XACML) *XACML stands for "eXtensible Access Control Markup Language"
  • 3. Access Control Attacks Vertical Access Control Attacks A standard user accessing administration functionality Horizontal Access Control Attacks Same role, but accessing another user's private data Business Logic Access Control Attacks Abuse of one or more linked activities that collectively realize a business objective
  • 4. Access Controls failure impact • Loss of accountability – Attackers maliciously execute actions as other users – Attackers maliciously execute higher level actions • Disclosure of confidential data – Compromising admin-level accounts often results in access to user’s confidential data • Data tampering – Privilege levels do not distinguish users who can only view data and users permitted to modify data
  • 5. Access Control Best Practices • Build a centralized AuthZ mechanism • Code to the permission, not the role • Design AuthZ as a filter • Deny by default, fail securely • Server-side trusted data should drive AuthZ • Be able to change entitlements in real time • Design standardized data contextual AuthZ • Build grouping for users and permissions
  • 6. Access Control Anti-Patterns • Hard-coded role checks in application code • Lack of centralized access control logic • Untrusted data driving access control decisions • Access control that is “open by default” • Lack of addressing horizontal access control in a standardized way (if at all) • Access control logic that needs to be manually added to every endpoint in code • Access Control that is “sticky” per session • Access Control that requires per-user policy
  • 7. Best Practice: Centralized AuthZ • Define a centralized access controller – ACLService.isAuthorized(PERMISSION_CONSTANT) – ACLService.assertAuthorized(PERMISSION_CONSTANT) • Access control decisions go through these simple API’s • Centralized logic to drive policy behavior and persistence • May contain data-driven access control policy information
  • 8. Best Practice: Code to the Activity int articleId = request.getInt(“articleId”); if (AC.hasAccess(“article:edit:” + articleId)) { //execute activity } • Code it once, never needs to change again • Implies policy is centralized in some way • Implies policy is persisted in some way • Requires more design/work up front to get right
  • 9. Data Contextual Access Control Data Contextual / Horizontal Access Control API examples: ACLService.isAuthorized(“car:view:321”) ACLService.assertAuthorized(“car:edit:321”) Long form: IsAuthorized(user, Perm.EDIT_CAR, Car.class, 321) • Check if the user has the right role in the context of a specific object • Protecting data at the lowest level! 9
  • 10. Using a Centralized Access Controller In Presentation Layer if (isAuthorized(Permission.VIEW_LOG_PANEL)) { <h2>Here are the logs</h2> <%=Encoder.forHTMLContent(getRawLogData());%/> }
  • 11. Using a Centralized Access Controller In Controller try { assertAuthorized(Permission.DELETE_USER); deleteUser(); } catch (Exception e) { //IDS EVENT }
  • 12. Implementation Use a single site-wide component to check access authorization. This includes libraries that call external authorization services and also separate privileged logic from other application code.
  • 13. Re-validaiton If long authenticated sessions are allowed, periodically re-validate a user’s authorization to ensure that their privileges have not changed and if they have, log the user out and force them to re-authenticate The application must support disabling of accounts and terminating sessions when authorization ceases (e.g., Changes to role, employment status, business process, etc.)
  • 14. Access Control good practices examples Don’t rely on client data Use only trusted system objects, e.g. server side session objects, for making access authorization decisions Use White Listing *Deny all access if the application cannot access its security configuration information
  • 15. Access Control bad practices examples Use Untrusted data • Avoid trusting request data for access control decisions • Never make access control decisions in JavaScript • Never make authorization decisions based solely on: • hidden fields • cookie values • form parameters • URL parameters • anything else from the request • Never depend on the order of values sent from the client
  • 16. Consider the order or actions Imagine the following parameters 1. http://example.com/buy?action=chooseDataPackage 2. http://example.com/buy?action=customizePackage 3. http://example.com/buy?action=makePayment 4. http://example.com/buy?action=downloadData Can an attacker control the sequence? Can an attacker abuse this with concurrency?
  • 17. Enforce logic application flow Enforce application logic flows to comply with business rules (AppSensor) Monitoring: Limit the number of transactions a single user or device can perform in a given period of time. The transactions/time should be above the actual business requirement, but low enough to deter automated attacks.
  • 18. Access Control bad practices examples HARD CODED ROLES void editProfile(User u, EditUser eu) { if (u.isManager()) { editUser(eu); } } How to maintain that code?
  • 19. Access Control bad practices examples HARD CODED ROLES if ((user.isManager() || user.isAdministrator() || user.isEditor()) && user.id() != 1132)) { //execute action }
  • 20. Access Control bad practices examples HARD CODED ROLES • Makes “proving” the policy of an application difficult for audit or Q/A purposes • Any time access control policy needs to change, new code need to be pushed • RBAC is often not granular enough • Fragile, easy to make mistakes
  • 21. Avoid Direct Object reference http://foo.bar/somepage?invoice=12345 How to avoid? • Semantic validation (stateless) • Level of (randomized) indirection (stateful implementation)
  • 22. SQL Integrated Access Control • Example Feature http://mail.example.com/viewMessage?messageid=2356342 • This SQL would be vulnerable to tampering select * from messages where messageid = 2356342 • Ensure the owner is referenced in the query! select * from messages where messageid = 2356342 AND messages.message_owner = <userid_from_session>
  • 23. SECURE CODE TRAINING INTENSIVE COURSE DAVID CERVIGNI IT SECURITY CONSULTANT AND PCI CODE REVIEWER