Word Notes 1.4.22
Ep 82 | 1.4.22

OWASP broken access control (noun)

Transcript

Rick Howard: The word is: OWASP broken access control. 


Rick Howard: Spelled: O for open, W for web, A for application, S for security, P for project, broken for failure, access for permission, and control for the power of restraint.  


Rick Howard: Definition: Software users are allowed access to data or functionality contrary to the defined zero trust policy by bypassing or manipulating the installed security controls.  


Rick Howard: Example sentence: Acting as a user without being logged in, or acting as an admin when logged in, is the result of broken access control.


Rick Howard: Origin and context: Dave Wichers and Jeff Williams, working for Aspect Security, a software consulting company, published an education piece in 2003 on the top software security coding issues of the day. That eventually turned into the OWASP Top 10, a reference document describing the most critical security concerns for web applications.


Rick Howard: Today, OWASP is an international team of security professionals led by the Foundation Executive Director and Top 10 project leader, Andrew van der Stock, and dedicated to enabling organizations to develop, purchase and maintain applications and APIs that can be trusted. Today, there are tens of thousands of members and hundreds of chapters worldwide.  


Rick Howard: In 2021, OWASP published an updated list where broken access control jumped up from the fifth position to the number one spot. 94% of all the tested applications had some form of broken access control and had more occurrences than any other OWASP category.  


Rick Howard: Broken access control occurs when users can act outside of their intended permissions. If zero trust is our stated strategy, and access controls are one of the tactics we use to pursue that strategy, then a broken access control is a failure in design and implementation. Broken access controls manifest in several categories: vertical privilege escalation, horizontal privilege escalation, and context-dependent privilege escalation.  


Rick Howard: The Purple Box website team recommends some common best practices designed to reduce the probability that your code will have broken access control. First, obfuscation, as well as hope, is not a plan. Just because you don't understand it doesn't mean that the bad guys can't figure it out. Second, as per the zero trust strategy, deny access to all by default and then only grudgingly allow access based on rigorous identification and authorization approvals. Third, centralize the control framework. Don't build one-off systems for each component that you won't be able to remember a year from now. Drive everything through this centralized control framework. And finally, through a DevSecOps kind of model, through an infrastructure as code model, thoroughly audit and test access controls to ensure they are working as designed.


Rick Howard: Nerd reference: In Season One, Episode Five of the best hacker TV show ever, Mr. Robot, Elliot, played by Rami Malek, has to break a thug out of New York City's Department of Corrections.


Rick Howard: In order to save his friend, he tries a couple of different techniques to compromise the jail's network. The first is having his sister Darlene, played by Carly Chaikin, drop infected USB drives around the jail's parking lot. He then tries scanning for unsecured wifi connections. And yes, I said wifi because I think it's funny. But he finally has success by compromising a laptop used by a policeman in patrol car number 365. He spoofs the car's laptop into believing that Elliot's remote keyboard is the actual keyboard for the computer. He then uses the remote keyboard to connect to the jail's network via wifi and moves laterally inside the jail by searching for unsecured SCADA devices.


Rick Howard: Once found, he uploads malicious software via FTP designed to unlock all the cell doors in the jail when he pushes a button. And that is textbook broken access control. Why would a cop's laptop have access to SCADA devices that control the opening and closing of jail cells? 


Rick Howard: Word Notes is written by Nyla Gennaoui, executive produced by Peter Kilpe, and edited by John Petrik and me, Rick Howard. The mix, sound design, and original music have all been crafted by the ridiculously talented Elliott Peltzman. Thanks for listening.
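The following is an added example, not part of the episode and not code from OWASP or the Word Notes team. It puts the episode's definition and the "deny by default, centralize, then audit" recommendations into a small Python program: two handlers written the way broken access control usually happens (no ownership check at all, so any caller can read any account by guessing its id, which is horizontal escalation; and an admin decision taken from a client-supplied parameter, which is vertical escalation), next to hardened handlers that route every decision through one `authorize()` function with a deny-by-default policy table, plus an `audit_policy()` test matrix of the kind you would run in CI. The account store, the `Session` type, the action names and all sample users are constructed for the example.

```python
"""Broken access control, vulnerable vs hardened, with a centralized deny-by-default policy.

Added example for the Word Notes episode; all names and data here are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional, Tuple

# Constructed sample data store: account id -> record.
ACCOUNTS: Dict[str, dict] = {
    "acct-1": {"owner": "alice", "balance": 120},
    "acct-2": {"owner": "bob", "balance": 45},
}


@dataclass(frozen=True)
class Session:
    """Server-side session. user_id None means the caller is not logged in.
    role is set by the server at login and is never read from the request."""
    user_id: Optional[str]
    role: str = "anonymous"


class AccessDenied(Exception):
    pass


# ---- Vulnerable handlers: each one decides access on its own, or not at all ----

def view_account_vulnerable(session: Session, account_id: str) -> dict:
    # No ownership check: anyone, even an anonymous caller, can read any
    # account by supplying its id (horizontal privilege escalation).
    return ACCOUNTS[account_id]


def list_accounts_vulnerable(session: Session, params: dict) -> list:
    # Trusts a client-controlled flag to decide who is an admin
    # (vertical privilege escalation); the session role is never consulted.
    if params.get("admin") == "1":
        return list(ACCOUNTS.values())
    raise AccessDenied("admin only")


# ---- Hardened: one central policy, deny by default ----

Rule = Callable[[Session, Any], bool]


def _logged_in(s: Session) -> bool:
    return s.user_id is not None


# Every permitted action is listed here; anything not listed is denied.
# A missing resource (None) is treated like a denied one so the check
# cannot be used as an oracle for which ids exist.
POLICY: Dict[str, Rule] = {
    "account:view": lambda s, acct: acct is not None and _logged_in(s)
    and (acct["owner"] == s.user_id or s.role == "admin"),
    "account:list_all": lambda s, _res: _logged_in(s) and s.role == "admin",
}


def is_allowed(session: Session, action: str, resource: Any = None) -> bool:
    rule = POLICY.get(action)
    return rule is not None and bool(rule(session, resource))


def authorize(session: Session, action: str, resource: Any = None) -> None:
    """Single choke point: raise unless the policy explicitly allows the action."""
    if not is_allowed(session, action, resource):
        raise AccessDenied(f"{session.user_id or 'anonymous'} may not {action}")


def view_account(session: Session, account_id: str) -> dict:
    acct = ACCOUNTS.get(account_id)
    authorize(session, "account:view", acct)
    return acct


def list_accounts(session: Session, params: dict) -> list:
    # params is deliberately ignored for authorization; only the session counts.
    authorize(session, "account:list_all")
    return list(ACCOUNTS.values())


def audit_policy() -> List[Tuple[Optional[str], str, bool, bool]]:
    """Expected-outcome matrix for the policy; returns mismatches (empty means pass)."""
    anon, alice, admin = Session(None), Session("alice", "user"), Session("root", "admin")
    cases = [
        (anon, "account:view", ACCOUNTS["acct-1"], False),
        (alice, "account:view", ACCOUNTS["acct-1"], True),
        (alice, "account:view", ACCOUNTS["acct-2"], False),   # not her account
        (alice, "account:view", None, False),                 # unknown id
        (admin, "account:view", ACCOUNTS["acct-2"], True),
        (alice, "account:list_all", None, False),
        (admin, "account:list_all", None, True),
        (admin, "account:delete", None, False),               # undefined action: denied
    ]
    return [(s.user_id, action, expected, is_allowed(s, action, res))
            for s, action, res, expected in cases
            if is_allowed(s, action, res) != expected]


if __name__ == "__main__":
    print("vulnerable, anonymous reads bob's account:", view_account_vulnerable(Session(None), "acct-2"))
    print("vulnerable, client flag grants admin:", list_accounts_vulnerable(Session(None), {"admin": "1"}))
    print("hardened policy audit mismatches:", audit_policy())
```

The point of `audit_policy()` is the episode's last recommendation: because every handler goes through `authorize()`, the policy can be tested as a unit, and adding a new action without listing it in `POLICY` fails closed rather than open.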