
v4 control objectives need fine tuning

Open jmanico opened this issue 3 years ago • 1 comments

I think the following objectives are too role-centric. Roles are just one paradigm.

Change:

  • Users are associated with a well-defined set of roles and privileges.
  • Role and permission metadata is protected from replay or tampering.

To:

  • Users are associated with a well-defined set of entitlements.
  • Access control policy metadata is protected from replay or tampering.

jmanico avatar Feb 02 '22 11:02 jmanico

Users are associated with a well-defined set of entitlements.

I think "privileges" is more clear than "entitlements". I think the original is also fine.

Access control policy metadata is protected from replay or tampering.

I think this is an improvement. Perhaps remove "policy"?

What do you think about 1.4.5?

1.4.5 Verify that attribute or feature-based access control is used whereby the code checks the user's authorization for a feature/data item rather than just their role. Permissions should still be allocated using roles.

Sjord avatar Aug 13 '22 12:08 Sjord
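An added illustration of what the quoted 1.4.5 text describes, not part of the issue thread or of ASVS itself: permissions are allocated through roles, but the enforcement point checks the specific feature and data item instead of the role name. The role names, permission strings and the department attribute rule are all hypothetical.

```python
from dataclasses import dataclass

# Constructed role-to-permission allocation (hypothetical names).
ROLE_PERMISSIONS = {
    "editor": {"document:read", "document:update"},
    "viewer": {"document:read"},
}

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset
    department: str

@dataclass(frozen=True)
class Document:
    doc_id: int
    department: str

def permissions_for(user):
    """Expand the user's roles into the permissions allocated to them."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms

def role_only_check(user, action, doc):
    """Role-centric check: ignores both the requested action and the data item."""
    return "editor" in user.roles

def is_authorized(user, action, doc):
    """Feature/data-item check: permission for the feature plus an attribute rule."""
    if f"document:{action}" not in permissions_for(user):
        return False  # deny by default: unknown actions or roles grant nothing
    # Assumed attribute rule: users may only act on their own department's documents.
    return user.department == doc.department

# Constructed sample data.
alice = User("alice", frozenset({"editor"}), "finance")
finance_doc = Document(1, "finance")
hr_doc = Document(2, "hr")
```

The role-only check lets `alice` act on `hr_doc` and perform a `delete` that no role was ever allocated, while `is_authorized` denies both.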

I agree with Jim's changes; I think entitlements nicely covers both roles and permissions/privileges.

@Sjord, do you want to open a separate issue about 1.4.5 if it has not already been discussed in another issue?

tghosth avatar Sep 14 '22 18:09 tghosth

Opened #1375

tghosth avatar Sep 14 '22 18:09 tghosth

@Sjord, do you want to open a separate issue about 1.4.5 if it has not already been discussed in another issue?

I think this is up to @jmanico.

Sjord avatar Sep 15 '22 07:09 Sjord