Broken Access Control: The CISO Perspective

The OWASP Top 10 is a formidable list of security threats that strikes fear into the hearts of CISOs and security professionals alike. Among these vulnerabilities, one, in particular, is a cause for serious concern: broken access control. This vulnerability sits at the number one spot of the OWASP Top 10 for good reason. The potential consequences of a breach are dire and far-reaching, ranging from data exfiltration to the execution of a successful ransomware attack.

A Strategic perspective

When it comes to dealing with broken access control, CISOs take a strategic rather than a tactical approach. They rely on their security team to establish and enforce access control standards. To do this, the security team dissects the components of access control, assesses their interplay, and identifies potential failure points. This method enables the team to establish a solid baseline and concentrate their efforts effectively, in cooperation with other teams in the organization.

The components of access control that a CISO should be primarily focused on are authentication, permissions, and session management. The lack of control over any one of these can result in broken access control.

The Backbone - Permissions

Permissions are the backbone of access control. Permissions play a crucial role in securely handling application requests in cloud-native apps. They provide a mechanism to control access to sensitive data and functionality, ensuring that only authorized users or systems can perform certain actions. With cloud-native applications, there are often multiple services and resources that need to communicate with each other, making it important to have a clear understanding of permissions and authorization. Properly implementing and managing permissions can help prevent unauthorized access, data breaches, and other security incidents that can harm both the organization and its customers.

Least privilege

The principle of least privilege is one of the cornerstones of information security. All forms of access should be configured with the least possible access to accomplish the goals provided by that access. If you’re building an eCommerce site, visitors to the site shouldn’t be admins. If you’re provisioning a cloud environment, every developer should not have unfettered access to the entire environment.

Implement an authorization model

One way to accomplish permissions control is through an authorization model, such as role-based access control, attribute-based access control, or relationship-based access control. Deciding which model to choose depends on the prominence of attributes or roles for specific needs. Whichever is chosen should enforce both vertical and horizontal controls and ensure that movement outside of vertical and horizontal access permissions is respected. It also should never result in hardcoding entitlement logic in applications.

Session management

Session management is about enforcing and constraining desired behavior. If someone can navigate to a restricted webpage from a public page, traverse environment levels when they shouldn’t be able to, or delete or encrypt large swaths of data in an environment, then appropriate session management is lacking.

A CISO's responsibility

The responsibility of the CISO is to the organization and its customers’ information. They are tasked with developing conditions to nurture an environment conducive to maintaining the confidentiality, integrity, and availability of information. Broken access controls thwart that development. They provide an unknown and likely unmonitored avenue of threat ingress. Once in an environment, a threat actor can move laterally or vertically and wreak havoc. In a very real way, broken access controls fuel what is soon expected to be a multi-trillion-dollar-per-year ransomware threat industry.

Addressing broken access control vulnerabilities can be done in ways that fall short of enterprise-wide security-office defining projects. Blocking and tackling broken access control vulnerabilities is an option. However, if an organization has the appetite for taking on access control and identity governance projects, it can also benefit greatly from those. The security team can work with developers to ensure that permissions and authorization are properly implemented in applications. Developers play a crucial role in this process, and it's important to ensure that they have the necessary training and resources to implement a secure authorization layer. 

Build healthy CISO - Dev. Cooperation

Creating a system that allows for healthy cooperation between developers and security can potentially be very challenging. At the end of the day, it's crucial to have an authorization management layer anyone in your organization can use in a secure way.

Normally, creating and managing your application’s authorization policies could only be done through complex R&D work and steep learning curves. This creates a situation where developers become bottlenecks in your app’s permission management, other stakeholders are locked out of the conversation, and your customers are left without the flexibility they require. All of these manifest as an unending stream of feature requests.

The solution is implementing and managing your RBAC and ABAC policies with a simple no-code UI which makes permission management accessible to other stakeholders. 

That’s what Permit is here for

Permit provides a permission management solution that makes policy-as-code as easy as checking a checkbox - generating the needed code for you, and wrapping it nicely into Git, and API / UI interfaces. This allows including all of the stakeholders in the permission management process, preventing developers from becoming bottlenecks.

Want to learn more about Authorization? Join our Slack community, where there are hundreds of devs building and implementing authorization.