Open EnigmaRosa opened 1 week ago
Comment from Elar (https://github.com/OWASP/ASVS/issues/2033#issuecomment-2323964821):
4.3.7 - not sure about this one. From an implementation perspective it maybe makes sense; from a pen-testing perspective it is just finding a technical reason for the 4.1.3 or 4.2.1 requirement.
Comment from Josh (https://github.com/OWASP/ASVS/issues/2033#issuecomment-2324157184):
I think this is an excellent "secure by default" requirement. Access control is very very hard to test comprehensively and I'd like to have some leeway here to steer developers in the right direction since it's essentially business logic.
An object being publicly accessible doesn't mean that it lacks an access control policy - in fact, the access control policy should be "allow access independent of attribute" if we want to force deny by default.
Note: This is referenced as 4.3.7 in #2033 but has updated numbering
This requirement addresses two parts: there should not be any objects whose access is undefined, but if there are, deny by default. Because this cannot exactly be penetration tested, it is L2 and L3.
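To make the two parts of the requirement concrete, here is an added illustration (not code from ASVS or from anyone in this thread) of an object-level authorization check that denies whenever no policy has been registered for an object, while public objects carry an explicit "allow independent of attribute" policy rather than no policy at all. The object store, policy registry, principals and the `decide` / `undefined_policy_types` helpers are all constructed for this example.

```python
"""Deny-by-default object access control (added example, not ASVS code).

The policy registry, sample objects and principals below are constructed
for illustration only.
"""
from dataclasses import dataclass
from typing import Callable, Dict, NamedTuple


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: frozenset = frozenset()


class AccessDecision(NamedTuple):
    allowed: bool
    reason: str


# A policy is a predicate over (principal, object attributes).
Policy = Callable[[Principal, dict], bool]


def allow_independent_of_attribute(_principal: Principal, _attrs: dict) -> bool:
    """Explicit 'public' policy: the object is readable by anyone, on purpose."""
    return True


def owner_only(principal: Principal, attrs: dict) -> bool:
    return attrs.get("owner") == principal.user_id


def owner_or_admin(principal: Principal, attrs: dict) -> bool:
    return "admin" in principal.roles or owner_only(principal, attrs)


# Policy registry: object type -> policy (constructed sample data).
# Note that a public object still has a policy; absence from this
# table is what "undefined access" means.
POLICIES: Dict[str, Policy] = {
    "public_page": allow_independent_of_attribute,
    "invoice": owner_or_admin,
    "draft": owner_only,
}

# Constructed sample object store: object id -> (type, attributes).
# 'legacy_report' deliberately has no entry in POLICIES.
OBJECTS = {
    "page-1": ("public_page", {}),
    "inv-7": ("invoice", {"owner": "alice"}),
    "draft-3": ("draft", {"owner": "bob"}),
    "legacy-9": ("legacy_report", {"owner": "alice"}),
}


def decide(principal: Principal, object_id: str) -> AccessDecision:
    """Authorize access to one object; every unknown case is a deny."""
    obj = OBJECTS.get(object_id)
    if obj is None:
        return AccessDecision(False, "unknown object")
    obj_type, attrs = obj
    policy = POLICIES.get(obj_type)
    if policy is None:
        # Second half of the requirement: no policy defined -> deny by default.
        return AccessDecision(False, f"no policy defined for type {obj_type!r}")
    if policy(principal, attrs):
        return AccessDecision(True, f"policy {policy.__name__} allowed")
    return AccessDecision(False, f"policy {policy.__name__} denied")


def undefined_policy_types() -> list:
    """First half of the requirement: audit helper listing object types
    that exist in the store but have no policy registered, so they can be
    fixed at design time rather than relying on the runtime default."""
    return sorted({t for t, _ in OBJECTS.values() if t not in POLICIES})


if __name__ == "__main__":
    alice = Principal("alice")
    for oid in OBJECTS:
        print(oid, decide(alice, oid))
    print("types without a policy:", undefined_policy_types())
```

The audit helper is what makes the first half of the requirement checkable at implementation time (the gap a pen-tester would struggle to enumerate from the outside), while the `policy is None` branch in `decide` is the runtime backstop for the second half.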