Use the principle of deny by default
Summary
The system should set minimal or no permissions for new users/roles and users/roles should not receive access to new features until it is explicitly granted.
Description
Systems should have a set of roles with different levels of privilege to access resources. The privileges of each role must be clearly defined and the role of each user should also be clearly stated. Furthermore, permissions and access should be granted using the principle of deny by default.
Supported In
This requirement is verified in following services
| Plan | Supported |
|---|---|
| Essential | 🔴 |
| Advanced | 🟢 |
References
- CAPECâ„¢-122. Privilege abuse
- CAPECâ„¢-233. Privilege escalation
- CWEâ„¢-276. Incorrect default permissions
- CWEâ„¢-285. Improper authorization
- CWEâ„¢-732. Incorrect permission assignment for critical resource
- NERC CIP-005-5_R1_3. Electronic security perimeter
- OWASP TOP 10-A1. Broken access control
- SOC2®-CC6_3. Logical and physical access controls
- CERT-J-FIO01-J. Create files with appropriate access permissions
- PA-DSS-5_2_8. Improper access controls
- CMMC-SC_L2-3_13_6. Network communication by exception
- HITRUST CSF-09_c. Segregation of duties
- LGPD-46. Security and Secrecy of Data
- ISA/IEC 62443-RDF-5_2. Zone boundary protection
- WASC-W_02. Insufficient authorization
- NIST SSDF-PW_9_1. Configure software to have secure settings by default
- OWASP SCP-7. Error handling and logging
- PCI DSS-7_3_3. Access control system is set to deny by default
- SIG Core-N_1_9. Network security
- OWASP ASVS-4_1_1. General access control design
- SANS 25-11. Missing authorization
- CASA-4_1_1. General Access Control Design
- CASA-4_3_3. Other Access Control Considerations
- CASA-13_1_4. Generic Web Service Security
- CWE TOP 25-862. Missing authorization
- NIST CSF-PR_IR-01. Networks and environments are protected from unauthorized logical access and usage
Vulnerabilities
Free trial
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.