ASVS
4.3.1 and 4.3.3
Addressing #1352 Q7:
> Q7 - 4.3.1, 4.3.3 - are those actually authentication requirements?
>
> While 4.3.1 is relevant to access control - as access to the admin interface can enable changes to user permissions - I would argue that this is an authentication issue, not an access control one. Furthermore, the language surrounding "administrative interfaces" should be clarified, as I've seen users interpret it as the admin interface for a single corporate instance (in a multi-tenant SaaS app).
>
> I'm also inclined to argue that 4.3.3 doesn't belong in V4, and likely belongs in authentication.
# | Description | L1 | L2 | L3 | CWE |
---|---|---|---|---|---|
4.3.1 | [MODIFIED] Verify administrative interfaces can only be logically accessed from trusted endpoints or locations. For example, restricting access to bastion or jump hosts, trusted admin workstations or endpoints (e.g., device authentication), administrative LANs, etc. | ✓ | ✓ | ✓ | 419 |
4.3.3 | [MODIFIED] Verify that, if the application allows changing highly sensitive configurations around passwords or connection parameters for integrations with databases and third-party systems, they are protected by extra controls such as re-authentication or multi-user approval. | | ✓ | ✓ | 732 |
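As an added example (not code from the ASVS project or from this issue), the two checks below show what the rows above ask for in working Python: `admin_access_allowed` gates an administrative path on a trusted network location or a device-authenticated (mTLS) endpoint, as in 4.3.1, and `sensitive_change_allowed` gates a change to a highly sensitive setting on fresh re-authentication or approval by a second administrator, as in 4.3.3. The network ranges, certificate fingerprints, setting names, user names and timings are all hypothetical and constructed for the example.

```python
"""Added example for ASVS 4.3.1 / 4.3.3 style checks. Not ASVS project code.
Every concrete value here (networks, fingerprints, keys) is hypothetical."""
import ipaddress
import time
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Hypothetical trusted admin locations: an administrative LAN and one jump host (4.3.1).
TRUSTED_ADMIN_NETS = [
    ipaddress.ip_network("10.50.0.0/24"),
    ipaddress.ip_network("192.0.2.10/32"),
]
# Hypothetical fingerprints of mTLS client certificates on enrolled admin workstations (4.3.1).
ENROLLED_DEVICES = {"sha256:3f1a...c9"}
# Hypothetical settings treated as highly sensitive (4.3.3).
SENSITIVE_KEYS = {"db.connection_string", "integrations.crm.api_key", "auth.password_policy"}
REAUTH_MAX_AGE = 300  # seconds a re-authentication stays fresh; hypothetical policy value


@dataclass
class AdminRequest:
    # Peer address, or X-Forwarded-For as rewritten by a trusted proxy; never a raw client header.
    client_ip: str
    path: str
    user: str = ""
    # Fingerprint of the client certificate presented in the TLS handshake; None if no client cert.
    device_cert_fingerprint: Optional[str] = None
    # Epoch seconds of the session's last re-authentication, if any.
    last_reauth_at: Optional[float] = None
    # Users who have approved this specific change (multi-user approval).
    approvals: Set[str] = field(default_factory=set)


def is_admin_path(path: str) -> bool:
    """Exact match or a real sub-path; '/adminstuff' is not an admin path."""
    return path == "/admin" or path.startswith("/admin/")


def admin_access_allowed(req: AdminRequest, trusted_nets=TRUSTED_ADMIN_NETS,
                         enrolled=ENROLLED_DEVICES) -> Tuple[bool, str]:
    """4.3.1: admin interface reachable only from a trusted location or an enrolled device."""
    if not is_admin_path(req.path):
        return True, "not an admin path"
    try:
        ip = ipaddress.ip_address(req.client_ip)
    except ValueError:
        return False, "unparseable client address"
    if any(ip in net for net in trusted_nets):
        return True, "trusted admin network"
    if req.device_cert_fingerprint in enrolled:
        return True, "enrolled device certificate"
    return False, "untrusted location and no device authentication"


def sensitive_change_allowed(req: AdminRequest, key: str, now: Optional[float] = None,
                             max_age: float = REAUTH_MAX_AGE,
                             approvers_required: int = 1) -> Tuple[bool, str]:
    """4.3.3: a sensitive change needs fresh re-authentication or another admin's approval."""
    if key not in SENSITIVE_KEYS:
        return True, "not a sensitive setting"
    now = time.time() if now is None else now
    # A re-auth timestamp in the future is treated as not fresh (clock skew or tampering).
    if req.last_reauth_at is not None and 0 <= now - req.last_reauth_at <= max_age:
        return True, "fresh re-authentication"
    others = {a for a in req.approvals if a != req.user}  # self-approval does not count
    if len(others) >= approvers_required:
        return True, "approved by %d other administrator(s)" % len(others)
    return False, "needs re-authentication or a second approver"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    print(admin_access_allowed(AdminRequest("10.50.0.7", "/admin/users")))
    print(admin_access_allowed(AdminRequest("203.0.113.5", "/admin/users")))
    stale = AdminRequest("10.50.0.7", "/admin/settings", user="alice",
                         last_reauth_at=time.time() - 3600, approvals={"alice", "bob"})
    print(sensitive_change_allowed(stale, "db.connection_string"))
```

The reason strings are meant to be logged with the decision so that a denied admin request or an approved configuration change is auditable. The address check only means something if `client_ip` is the socket peer address or a forwarding header that a trusted proxy overwrote; an application that reads `X-Forwarded-For` straight from the client makes the location restriction trivially bypassable, so in practice the 4.3.1 restriction is also enforced at the network or reverse-proxy layer, with this check as defence in depth.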