Srijith Nair and I have written a new paper - "Using the OWASP Top Ten to Upgrade your Authorization Services." The paper uses code examples to show how improving authorization can help mitigate some common vulnerabilities illustrated in WebGoat. It works through these techniques for the WebGoat lessons on JSON Injection, Forced Browsing, Parameter Tampering, and Access Control.
One of the factors that makes security so challenging is the dual mandate: security architects have to deliver better access control and identity services, with policies that reflect how the business works, and at the same time deliver the defensive services needed to cope with malicious actors.
One of the main areas we explore in the paper is how extending access control down to the attribute level, so that the decision is made on attributes of the subject and of the resource rather than on the URL or a role alone, covers several of the defensive services needed against these vulnerabilities. We'll have a webinar coming soon on this as well. The paper includes code that you can run against WebGoat or your own apps to test it all out in practice.
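As an added illustration of the attribute-level idea (this is example code written for this post, not code from the paper or from WebGoat), the block below contrasts a handler that trusts an `accountId` parameter with one that asks an authorization function for a decision based on server-side attributes: the caller's identity and department from the authenticated session, and the owner and department of the record being accessed. The account and report records, the user names, and the policy rules are all constructed for the example. Because the decision never reads identity or role claims out of the request, tampering with the parameter, browsing directly to a report URL, or injecting extra JSON fields such as `"role": "admin"` all fall through to the same deny-by-default path.

```python
# Added example: attribute-level authorization that defeats forced browsing
# and parameter tampering by deciding on trusted, server-side attributes.
# Not from the paper; all records, users and rules are constructed here.
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    """Attributes of the caller, populated from the authenticated session only."""
    user_id: str
    roles: frozenset
    department: str


@dataclass(frozen=True)
class Resource:
    """Attributes of the record being accessed, read from the server-side store."""
    kind: str
    resource_id: str
    owner_id: str
    department: str


# Constructed sample store standing in for the application's database.
ACCOUNTS = {
    "101": Resource("account", "101", owner_id="alice", department="retail"),
    "102": Resource("account", "102", owner_id="bob", department="retail"),
}
REPORTS = {
    "q1": Resource("report", "q1", owner_id="system", department="finance"),
}

# Constructed sample users. A real app would build these from the session.
ALICE = Subject("alice", frozenset({"customer"}), "retail")
BOB = Subject("bob", frozenset({"customer"}), "retail")
CAROL = Subject("carol", frozenset({"analyst"}), "finance")
ADMIN = Subject("root", frozenset({"admin"}), "it")


def authorize(subject: Subject, action: str, resource: Resource) -> bool:
    """Attribute-level policy: allow only when an explicit rule matches."""
    if "admin" in subject.roles:
        return True
    if resource.kind == "account":
        # Only the owner may view or transfer from an account, whatever
        # identifier the request carried.
        return action in ("view", "transfer") and resource.owner_id == subject.user_id
    if resource.kind == "report":
        # Reports are visible only to members of the owning department.
        return action == "view" and subject.department == resource.department
    return False  # deny by default for anything not covered above


def view_account_vulnerable(params: dict):
    """Parameter-tampering bug: any authenticated user can read any account
    just by changing accountId, because no ownership check is made."""
    acct = ACCOUNTS.get(params.get("accountId"))
    return (200, acct) if acct else (404, None)


def view_account(session: Subject, params: dict):
    """Hardened handler: look the record up, then ask the policy. Extra fields
    in the request body (e.g. a client-supplied "role") are simply ignored."""
    acct = ACCOUNTS.get(params.get("accountId"))
    if acct is None or not authorize(session, "view", acct):
        # 403 here; returning 404 instead would also hide that the record exists.
        return (403, None)
    return (200, acct)


def view_report(session: Subject, report_id: str):
    """Forced browsing to /reports/<id> is stopped by the same policy call."""
    report = REPORTS.get(report_id)
    if report is None or not authorize(session, "view", report):
        return (403, None)
    return (200, report)


if __name__ == "__main__":
    # Alice tampers the parameter to read Bob's account and injects a role claim.
    tampered = {"accountId": "102", "role": "admin"}
    print("vulnerable:", view_account_vulnerable(tampered)[0])   # 200, leaks account 102
    print("hardened:  ", view_account(ALICE, tampered)[0])       # 403
    print("forced browse as alice:", view_report(ALICE, "q1")[0])  # 403
    print("finance analyst:       ", view_report(CAROL, "q1")[0])  # 200
```

The important design choice is where the attributes come from: `Subject` is built from the session and `Resource` from the store, so the request can influence which record is looked up but never the facts the decision is made on. Adding a new rule (for example, transfers above a limit requiring a second approver) means adding a branch to `authorize`, not sprinkling another check into every handler.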