[Owasp-topten] 2013 A7 - Access Control

Ryan Dewhurst ryandewhurst at gmail.com
Fri Feb 15 20:15:23 UTC 2013

Some good points raised.

Maybe A9 could be titled to include the word "outdated", as most
software with "known vulnerabilities" should have already been patched
and therefore be outdated, as mentioned in the "How do I prevent this?"

Something like:

"The use of outdated third-party software"

On Fri, Feb 15, 2013 at 5:47 PM, Abbas Naderi <abbas.naderi at owasp.org> wrote:
> Hello there folks,
> A few comments on RC 2013, which is my own opinion as well as opinion of
> countless people who have contacted me as OWASP official of my region:
> One of the worst things about top ten - which countless people contact me
> about every day - are complex titles. Why not replace Missing Function Level
> Access Control with Insufficient Access Control? Everybody knows what access
> control and insufficient means, but without reading the description nobody
> will know what function level in the context is supposed to mean.
> I don't see a clear distinction between A4 (which has a very mysterious
> title and has held it for 10 years now) and A7. They are basically the same
> thing, and I assume the correct position is indeed A4. What current A4 has
> (and have had) only boggles the minds of developers who haven't experienced
> it before. I think the correct way would be to just name it insufficient
> access control. Everyday apps require access control on every single task.
> I also suggest changing the following from A2 Authentication:
> Are credentials always protected when stored using hashing or encryption?
> See A6.
>  to
> 1. Are credentials stored using cryptographically secure hashing and
> encryption?
> What I see is most people tend to store passwords as MD5 hashes, at least 10
> times more than people who store them in cleartext. They both are essential
> flaws but a person employing MD5 would think it is secure by reading this.
> The defense for Insecure Direct Object Reference is something you can never
> expect developers to do, unless they realize why. The more logical approach
> is to ask them to enforce access control on everything, and then to
> indirectly reference sensitive data. The trade-off is just not logical.
> Again, A7 states three scenarios which are basically the same. It has like
> 80% common ground with A4, and separating them is just caused by long years
> of Top Ten existence, not reality. I need other people's opinions on this.
> I think it is worth mentioning that defense against CSRF is not that simple
> and requires some effort.
> I suggest renaming A9 to "Using Vulnerable 3rd Party" or "Using Vulnerable
> Tools", because we mean 3rd party tools not developed components of the
> local company.
> That's all, I'd really appreciate some feedback on this.
> Thanks
> -Abbas
> ______________________________________________________________
> Notice: This message is digitally signed, its source and integrity are
> verifiable.
> If your mail client does not support S/MIME verification, it will display a
> file (smime.p7s), which includes the X.509 certificate and the signature
> body.  Read more at Certified E-Mail with Comodo and Thunderbird in
> AbiusX.com

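The defence Abbas describes above for Insecure Direct Object Reference (enforce access control on every function, and only then add indirect references for sensitive data) is worth seeing in code. The block below is an added illustration written for this archive page; it is not code from the thread, from OWASP, or from either author. The user names, document IDs, titles and roles are constructed sample data, and the helper names (`require_access`, `indirect_ref`, `resolve_ref`) are hypothetical.

```python
"""Added example: function-level access control on every handler, plus
per-session indirect object references for sensitive resources.
Sample data below is constructed for the example, not taken from any system."""
import secrets
from functools import wraps

# Constructed sample data (hypothetical users and documents).
DOCUMENTS = {
    101: {"owner": "alice", "title": "alice-payroll.pdf"},
    102: {"owner": "bob", "title": "bob-contract.pdf"},
}
ROLES = {"alice": "user", "bob": "user", "carol": "admin"}


class AccessDenied(Exception):
    pass


def is_authorized(user, action, doc_id):
    """Single policy decision point: owners may act on their own documents,
    admins may additionally read anything. Unknown documents are denied."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        return False
    if doc["owner"] == user:
        return True
    return action == "read" and ROLES.get(user) == "admin"


def require_access(action):
    """Decorator applied to every handler so the check cannot be forgotten
    (the 'missing function level access control' case)."""
    def deco(fn):
        @wraps(fn)
        def wrapper(session, doc_id, *args, **kwargs):
            if not is_authorized(session["user"], action, doc_id):
                raise AccessDenied(f"{session['user']} may not {action} {doc_id}")
            return fn(session, doc_id, *args, **kwargs)
        return wrapper
    return deco


# Vulnerable: direct object reference with no authorization check (classic IDOR).
def read_document_direct(session, doc_id):
    return DOCUMENTS[doc_id]["title"]


# Hardened: access check on the handler, and sensitive IDs exposed only
# through an unguessable per-session token.
def new_session(user):
    return {"user": user, "refmap": {}, "reverse": {}}


def indirect_ref(session, doc_id):
    """Mint (or reuse) a per-session token standing in for a real document ID."""
    if doc_id in session["reverse"]:
        return session["reverse"][doc_id]
    token = secrets.token_urlsafe(16)
    session["refmap"][token] = doc_id
    session["reverse"][doc_id] = token
    return token


def resolve_ref(session, token):
    """A token resolves only inside the session that minted it."""
    if token not in session["refmap"]:
        raise AccessDenied("unknown reference")
    return session["refmap"][token]


@require_access("read")
def read_document_checked(session, doc_id):
    return DOCUMENTS[doc_id]["title"]


def read_document_indirect(session, token):
    return read_document_checked(session, resolve_ref(session, token))


def demo():
    """Run the vulnerable and hardened paths side by side and report outcomes."""
    alice, bob = new_session("alice"), new_session("bob")
    results = {}
    # Vulnerable: Bob changes the ID in the request and reads Alice's payroll.
    results["idor"] = read_document_direct(bob, 101)
    # Hardened: Alice's token works for Alice, is meaningless in Bob's session.
    tok = indirect_ref(alice, 101)
    results["alice_reads_own"] = read_document_indirect(alice, tok)
    try:
        read_document_indirect(bob, tok)
        results["bob_via_token"] = "allowed"
    except AccessDenied:
        results["bob_via_token"] = "denied"
    # Even if Bob guesses the real ID, the access check still runs.
    try:
        read_document_checked(bob, 101)
        results["bob_via_real_id"] = "allowed"
    except AccessDenied:
        results["bob_via_real_id"] = "denied"
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the ordering is the one made in the thread: the indirect map is a convenience that hides real identifiers, but `require_access` on the handler is what actually stops Bob, and it keeps working even when the real ID leaks.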