Welcome to the 8th episode of our Security Culture Campaign! On today’s show Matt Konda talks testing for Authorization.

Authorization is the idea that a user can only do what they should be able to based on their role. It is synonymous with access control.

Consider the case of a consulting firm with:

  • Consultants that record time and submit timesheets (Let’s say Joe and Brian are consultants)
  • Managers who approve timesheets (Let’s say Matt is a manager)

There are several types of authorization that need to be implemented in a typical time tracking system.

We need vertical access control implemented to prevent a consultant from approving their own timesheet.

We need horizontal access control or instance based access control to prevent Joe from seeing, modifying or submitting Brian’s timesheet.

Unfortunately, in all my years as a developer, I often observed that we needed to apply security to search functions and admin functions but not necessarily update, delete and view functions on an instance - because we thought it would someehow be very difficult to create a fake request. I believe this issue is common in real world applications. We certainly see it in many pen tests.

Read more on the blog.

Click here for the associated YouTube video.

The Jemurai Security Culture Campaign Series is a stream of topical content released every Thursday intended to help developers think about security in a particular area. The content will be available in associated videos, podcasts and blog posts.

Click here to request a topic.

Matt Konda

Matt is a software engineer. He's our CEO and former Chair & OWASP Board Member.