[Owasp-topten] 2013 A7 - Access Control

Abbas Naderi abbas.naderi at owasp.org
Fri Feb 15 16:47:47 UTC 2013

Hello there folks,

A few comments on RC 2013, which is my own opinion as well as the opinion of countless people who have contacted me as an OWASP official of my region:

One of the worst things about the Top Ten - which countless people contact me about every day - is complex titles. Why not replace Missing Function Level Access Control with Insufficient Access Control? Everybody knows what access control and insufficient mean, but without reading the description nobody will know what function level is supposed to mean in this context.

I don't see a clear distinction between A4 (which has a very mysterious title and has held it for 10 years now) and A7. They are basically the same thing, and I assume the correct position is indeed A4. What the current A4 has (and has had) only boggles the minds of developers who haven't experienced it before. I think the correct way would be to just name it Insufficient Access Control. Everyday apps require access control on every single task.

I also suggest changing the following from A2 Authentication:
Are credentials always protected when stored using hashing or encryption? See A6.

	1. Are credentials stored using cryptographically secure hashing and encryption?

What I see is that most people tend to store passwords as MD5 hashes, at least 10 times more than people who store them in cleartext. They are both essential flaws, but a person employing MD5 would think it is secure by reading this.

The defense for Insecure Direct Object Reference is something you can never expect developers to do, unless they realize why. The more logical approach is to ask them to enforce access control on everything, and then to indirectly reference sensitive data. The trade-off is just not logical.

Again, A7 states three scenarios which are basically the same. It has something like 80% common ground with A4, and separating them is just caused by long years of Top Ten existence, not reality. I need other people's opinion on this.

I think it is worth mentioning that defense against CSRF is not that simple and requires some effort.

I suggest renaming A9 to "Using Vulnerable 3rd Party" or "Using Vulnerable Tools", because we mean 3rd party tools, not components developed by the local company.

That's all, I'd really appreciate some feedback on this.
Notice: This message is digitally signed; its source and integrity are verifiable.
If your mail client does not support S/MIME verification, it will display a file (smime.p7s), which includes the X.509 certificate and the signature body. Read more at Certified E-Mail with Comodo and Thunderbird in AbiusX.com
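The approach argued above for Insecure Direct Object Reference (enforce access control on every object access first, then layer indirect references on top of it), as an added Python example that is not from this post or from OWASP; the document store, the users and the ReferenceMap class are constructed for illustration.

```python
import secrets

# Constructed sample data: records keyed by their real (direct) database ids.
DOCUMENTS = {
    101: {"owner": "alice", "body": "alice's tax return"},
    102: {"owner": "bob", "body": "bob's medical record"},
    103: {"owner": "alice", "body": "alice's contract"},
}

class AccessDenied(Exception):
    pass

def can_read(user, doc):
    """The single authorization rule: only the owner or an admin may read a document."""
    return user["name"] == doc["owner"] or user.get("admin", False)

def get_document(user, doc_id):
    """Every direct lookup is access-controlled, however the caller obtained the id.
    'Not found' and 'not allowed' raise the same error so ids cannot be enumerated."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or not can_read(user, doc):
        raise AccessDenied(f"document {doc_id} is not accessible to {user['name']}")
    return doc

class ReferenceMap:
    """Per-session map between opaque tokens and real ids (the indirect reference).
    It hides the id space from the client; it is not a substitute for can_read()."""
    def __init__(self):
        self._to_real = {}
        self._to_token = {}

    def token_for(self, real_id):
        if real_id not in self._to_token:
            token = secrets.token_urlsafe(8)   # unpredictable, per session
            self._to_token[real_id] = token
            self._to_real[token] = real_id
        return self._to_token[real_id]

    def resolve(self, token):
        if token not in self._to_real:
            raise AccessDenied("unknown reference")
        return self._to_real[token]

def list_documents(user, refmap):
    """Returns tokens for the documents the user may read; real ids never leave the server."""
    return [refmap.token_for(i) for i, d in DOCUMENTS.items() if can_read(user, d)]

def fetch_by_token(user, refmap, token):
    """The indirect layer resolves the token, then the direct layer still enforces the check."""
    return get_document(user, refmap.resolve(token))
```

Because get_document() is the only path to a record, a token that leaks to another session is still refused by the ownership check rather than by the mapping alone.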
