Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

4.3.5 - Coverage by access control policies and deny by default otherwise #2063

Open
EnigmaRosa opened this issue Sep 4, 2024 · 4 comments
Open

4.3.5 - Coverage by access control policies and deny by default otherwise #2063

EnigmaRosa opened this issue Sep 4, 2024 · 4 comments
Assignees
@EnigmaRosa
Labels
1) Discussion ongoing Issue is opened and assigned but no clear proposal yet V4 Temporary label for grouping authorization related issues _5.0 - prep This needs to be addressed to prepare 5.0

Comments

@EnigmaRosa
Copy link
Contributor

Note: This is referenced as 4.3.7 in #2033 but has updated numbering

This requirement addresses two parts: there should not be any objects that don't have their access undefined, but if there is, deny by default. Because this cannot exactly be penetration tested, it is L2 and L3.

# Description L1 L2 L3 CWE
4.3.5 [ADDED] Verify that every object is addressed by at least one access control policy, and when an object does not have an access control policy all access to that object is rejected. 280
This was referenced Sep 4, 2024
Closed
Closed
@elarlang
Copy link
Collaborator

elarlang commented Sep 5, 2024

Comment from Elar (#2033 (comment)):

4.3.7 - not sure about this one. From implementation perspective it maybe makes sense, from pen-testing perspective is just finding a technical reason for 4.1.3 or 4.2.1 requirement.

Comment from Josh (#2033 (comment)):

  • I think this is a little too specific, I also think that practically speaking some data objects will be publicly accessible.
  • I would rather see this requirement be a little less specific and lean more into the deny by default concept, which we discussed in 4.1.4 - how should we relate to "deny by default"? 4.1.4 - how should we relate to "deny by default"? #1085.

@elarlang elarlang added 1) Discussion ongoing Issue is opened and assigned but no clear proposal yet V4 Temporary label for grouping authorization related issues labels Sep 5, 2024
@tghosth tghosth added the _5.0 - prep This needs to be addressed to prepare 5.0 label Sep 5, 2024
@jmanico
Copy link
Member

jmanico commented Sep 5, 2024

I think this is an excellent "secure by default" requirement. Access control is very very hard to test comprehensively and I'd like to have some leeway here to steer developers in the right direction since it's essentially business logic.

@EnigmaRosa
Copy link
Contributor Author

An object being publicly accessible doesn't mean that it lacks an access control policy - in fact, the access control policy should be "allow access independent of attribute" if we want to force deny by default.

@EnigmaRosa
Copy link
Contributor Author

@tghosth @elarlang following up on this

@EnigmaRosa EnigmaRosa mentioned this issue Sep 29, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@EnigmaRosa EnigmaRosa

Labels
1) Discussion ongoing Issue is opened and assigned but no clear proposal yet V4 Temporary label for grouping authorization related issues _5.0 - prep This needs to be addressed to prepare 5.0
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@jmanico @tghosth @elarlang @EnigmaRosa