Use the principle of deny by default
Summary
The system should set minimal or no permissions for new users/roles and users/roles should not receive access to new features until it is explicitly granted.
Description
Systems should have a set of roles with different levels of privilege to access resources. The privileges of each role must be clearly defined and the role of each user should also be clearly stated. Furthermore, permissions and access should be granted using the principle of deny by default.
Supported In
This requirement is verified in following services
| Plan | Supported |
|---|---|
| Machine | 🔴 |
| Squad | 🟢 |
References
- CAPEC™-122. Privilege abuse
- CAPEC™-233. Privilege escalation
- CWE™-276. Incorrect default permissions
- CWE™-285. Improper authorization
- CWE™-732. Incorrect permission assignment for critical resource
- NERC CIP-005-5_R1_3. Electronic security perimeter
- OWASP TOP 10-A1. Broken access control
- SOC2®-CC6_3. Logical and physical access controls
- CERT-J-FIO01-J. Create files with appropriate access permissions
- PA-DSS-5_2_8. Improper access controls
- CMMC-SC_L2-3_13_6. Network communication by exception
- HITRUST CSF-09_c. Segregation of duties
- LGPD-46. Security and Secrecy of Data
- ISA/IEC 62443-RDF-5_2. Zone boundary protection
- WASC-W_02. Insufficient authorization
- NIST SSDF-PW_9_1. Configure software to have secure settings by default
- OWASP SCP-7. Error handling and logging
- PCI DSS-7_3_3. Access control system is set to deny by default
- SIG Core-N_1_9. Network security
- OWASP ASVS-4_1_1. General access control design
- OWASP MASVS-V7_7. Code quality and build setting requirements
- SANS 25-16. Missing Authorization
- CASA-4_1_1. General Access Control Design
- CASA-4_3_3. Other Access Control Considerations
- CASA-13_1_4. Generic Web Service Security
Vulnerabilities
Search for vulnerabilities in your apps for free with our automated security testing! Start your 21-day free trial and discover the benefits of our Continuous Hacking Machine Plan. If you prefer a full service that includes the expertise of our ethical hackers, don't hesitate to contact us for our Continuous Hacking Squad Plan.