ASVS 4.1.4 - how should we relate to "deny by default"?

4.1.4 looks a little sloppy and could use some clarification.

Oct 21 '21 23:10 jmanico

Verify that the principle of deny by default exists whereby new users/roles start with minimal or no permissions and users/roles do not receive access to new features until access is explicitly assigned.

Oct 21 '21 23:10 cmlh

Hey @cmlh thanks for posting the text. Do you agree this needs a little cleanup? Any suggestions?

Oct 22 '21 16:10 jmanico

@jmanico wrote

Hey @cmlh thanks for posting the text. Do you agree this needs a little cleanup? Any suggestions?

I'd recommend 4.1.4 be applicable to Level 3 (as defined under the 4.x TOV specification).

We should split and into two separate requirements i.e. "...minimal or no permissions and users/roles...".

Also a certifier could interpret "users/roles do not receive access to new features until access is explicitly assigned." as requiring to add the existing group to a newly created "new features" group even when the existing users are exactly the same and therefore cause debt within IAM?

Oct 23 '21 00:10 cmlh

Never used this requirement in pen-tests, what it gives extra which is not covered by 4.1.3 for example?

4.1.3 Verify that the principle of least privilege exists - users should only be able to access functions, data files, URLs, controllers, services, and other resources, for which they possess specific authorization. This implies protection against spoofing and elevation of privilege.

4.1.4 basically says, that user should not have permissions when just created? And should not have access till it's not given? For me it's just common sense to use 4.1.3.

Probably reason for different requirements comes from covering CWE's:

4.1.3 - CWE-285: Improper Authorization
4.1.4 - CWE-276: Incorrect Default Permissions (part of permission issues https://cwe.mitre.org/data/definitions/275.html)

So, the question is - do we need to have separate requirement for "incorrect default permissions"

Oct 23 '21 06:10 elarlang

I typically start news users with default permissions. I am ok with deleting this requirement. Are you ok with a delete here too @cmlh ? Is 4.1.3 emough?

Oct 23 '21 16:10 jmanico

Are you ok with a delete here too @cmlh ? Is 4.1.3 enough?

I am willing to commit to deletion 4.1.4 @jmanico provided we have addressed CWE-285 and CWE-276 in their entirety as raised by @elarlang, perhaps aligning the requirement text to reflect that of CWE-276 is the solution?

Oct 23 '21 21:10 cmlh

@cmlh , I made quick stats for you, based on ASVS v4.0.2, we have:

requirements: 286
requirements with cwe set: 276
unique cwe values: 129

The point - not all CWE's are covered.

... the point and question here is, what problem or vector this requirement could solve which is not covered by other requirements? In this case, 4.1.3.

Oct 23 '21 23:10 elarlang

Did a lot of searching and found deny by default is mostly a network security concept and in the interest of so many new requirements entering ASVS I'm politely deleting this requirement

Oct 24 '21 01:10 jmanico

I am reopening this as I think that it bears further discussion.

I actually think that 4.1.4 "deny by default" is a lot more actionable/testable than the "principle of least privilege" which to me is a lot more conceptual.

"deny by default" - says that a newly created user should not receive permissions until explicitly assigned them. Can verify this by looking at the user creation process.
"principle of least privilege" - says that at any point in time, a user should only have the permissions that they need. Verifying this is very subjective.

I would actually be inclined to drop 4.1.3 and restore 4.1.4 but I am open to suggestions.