As you hopefully recall, broken access control was at the top of the OWASP Top 10. An authorization framework is not a magic bullet, e.g., you may still leave resources with Insecure Direct Object Reference and broken access control also includes to code injection and low-level code vulnerabilities.
But there are benefits to using a framework like Cedar, which is part of a more pro-active approach to security. If we consider the OWASP recommendations for pro-active controls, "C1: Implement Access Control", which of the recommendation does using a language like Cedar contribute to?

Question

As you hopefully recall, broken access control was at the top of the OWASP Top 10. An authorization framework is not a magic bullet, e.g., you may still leave resources with Insecure Direct Object Reference and broken access control also includes to code injection and low-level code vulnerabilities.

But there are benefits to using a framework like Cedar, which is part of a more pro-active approach to security. If we consider the OWASP recommendations for pro-active controls, "C1: Implement Access Control", which of the recommendation does using a language like Cedar contribute to?

Accepted Answer

Design Access Control Thoroughly Up Front

Accepted Answer

Consolidate the access control check

Accepted Answer

Deny by Default

Answer

Force Every Access Request to Go Through an Access Control Check

Answer

Principle of Least Privilege

Answer

Do not Hard-code Roles (prefer ABAC)

Crowdly

As you hopefully recall, broken access control was at the top of the OWASP Top 1...

Want instant access to all verified answers on moodle.ut.ee?