A few weeks ago I gave a presentation at our local OWASP chapter on the current state of access controls. We see access control problems to some extent in nearly every application we assess. They're hard to get right, and they're hard to detect when you've done them wrong. The talk was aimed at exposing why so many developers have a hard time getting them right, and what it takes to avoid problems with them in the first place.
The biggest trick with implementing proper access controls is that they must be done consistently and systemically. There's no room for an ad hoc approach here; the larger an application gets, the harder it is to track where each one-off check has to go. A much better approach is to generalize and standardize the checks as a single global framework.
This problem is compounded by the inability of application security scanners to accurately detect access control problems. They're simply not designed for it. Automated scans absolutely have their place in a secure development cycle, but they're not going to find your authorization problems. For this, you need manual testing and code review.
We've posted the slides used for the presentation on our site. If you're interested in seeing more, I encourage you to check them out.
Subscribe to:
Post Comments
(
Atom
)
Looks like a good presentation, thanks for posting the slides. Access control is so critical and yet, we continually find issues with it and you're right on, the automated tools aren't very good at finding the issues.
ReplyDelete