As of 2021, OWASP ranks Broken Access Control as the #1 web application security risk, a significant jump from its #5 slot in the 2017 edition of the Top 10. Broken Access Control now outranks storied categories such as injection (which in the 2021 list includes SQL injection and cross-site scripting (XSS)) and cryptographic failures. With Broken Access Control presenting a broader threat, organizations have good reason to double down on their efforts to secure application access.
For those unfamiliar, OWASP (the Open Web Application Security Project) is a nonprofit foundation that maintains a number of lists ranking software security risks in specific areas. In security circles, the OWASP Top 10 has become an essential playbook of vulnerability categories to mitigate.
So what is fueling the dramatic shift toward more broken access control? The reasons behind it are manifold.
I recently met with Canming Jiang, CEO and Co-Founder of Datawiza, to discover what underpins this rise. According to Jiang, an increasing number of applications and complex security standards have birthed a scenario in which Broken Access Control can thrive. To make matters worse, a lack of security expertise compounds the issue, leading to more compromised systems.
Defining Broken Access Control
First, what exactly is Broken Access Control?
Broken Access Control is when a software system doesn't correctly enforce the policy that governs what each authenticated user is allowed to do. An application with broken access control may, for example, violate the principle of least privilege, allowing the requesting party to read or modify resources it was never intended to touch.
Unauthorized access is often possible simply by changing an identifier in the URL or tampering with other elements of the HTTP request sent to the server, such as a hidden form field, a cookie, or a field in a JSON body. These holes could allow a user to view someone else's account (horizontal privilege escalation) or, worse, gain administrative access (vertical privilege escalation). The underlying mistake is trusting client-supplied data to decide what the caller may do; the check has to be made server-side on every request, against the identity bound to the session and the owner of the record being requested. Broken Access Control is thus a significant risk to mitigate, as it can lead to privilege escalation and data overexposure.
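To make the two failure modes above concrete, here is an added example (not code from the original article or from Datawiza) that places a vulnerable handler beside its hardened form for each case: an account lookup that trusts the ID in the URL, and a role update that trusts the role in the request body. The account table, user table, and `Request` type are constructed stand-ins for a web framework's request object and database; no real system is modelled.

```python
"""Added example: insecure direct object reference (horizontal escalation)
and a self-service role change (vertical escalation), each shown broken and
then fixed. Everything below is constructed for illustration."""

from dataclasses import dataclass, field
import copy

# Constructed sample data (not from any real system).
ACCOUNTS = {
    101: {"owner": "alice", "balance": 1200},
    102: {"owner": "bob", "balance": 87},
}
USERS = {
    "alice": {"role": "user"},
    "bob": {"role": "user"},
    "carol": {"role": "admin"},
}


def fresh_users():
    """Return a private copy of the user table so a handler can mutate it
    without affecting other callers (keeps the demo and tests independent)."""
    return copy.deepcopy(USERS)


class Forbidden(Exception):
    """Stand-in for an HTTP 403 response."""


@dataclass
class Request:
    """Stand-in for an HTTP request *after* authentication has succeeded.
    session_user is established server-side from the session cookie; the
    path and body are whatever the client chose to send."""
    session_user: str
    path_account_id: int = 0                  # the 102 in GET /accounts/102
    body: dict = field(default_factory=dict)  # parsed request body


def view_account_vulnerable(req):
    """Broken: trusts the identifier in the URL. Any logged-in user can read
    any account just by changing /accounts/102 to /accounts/101."""
    return ACCOUNTS[req.path_account_id]


def view_account_hardened(req):
    """Fixed: the decision is made from server-side state only (the session
    user and the record's owner), never from fields the client controls."""
    account = ACCOUNTS.get(req.path_account_id)
    # Deny by default. A missing record and a foreign record look identical
    # to the caller, so the endpoint cannot be used to enumerate valid IDs.
    if account is None:
        raise Forbidden()
    role = USERS[req.session_user]["role"]
    if account["owner"] != req.session_user and role != "admin":
        raise Forbidden()
    return account


def update_role_vulnerable(req, users):
    """Broken: lets the request body pick the caller's role, so a plain user
    who posts {"role": "admin"} promotes themselves."""
    users[req.session_user]["role"] = req.body.get("role", "user")
    return users[req.session_user]["role"]


def update_role_hardened(req, users):
    """Fixed: only a caller whose *server-side* role is admin may change
    roles; the body names the target and new role, and both are validated."""
    if users[req.session_user]["role"] != "admin":
        raise Forbidden()
    target = req.body.get("user")
    new_role = req.body.get("role")
    if target not in users or new_role not in ("user", "admin"):
        raise Forbidden()
    users[target]["role"] = new_role
    return users[target]["role"]


def is_forbidden(handler, *args):
    """True if the handler refuses the request (would be a 403 in HTTP)."""
    try:
        handler(*args)
        return False
    except Forbidden:
        return True


if __name__ == "__main__":
    # Bob edits the URL to read Alice's account.
    bob_reads_alice = Request(session_user="bob", path_account_id=101)
    print(view_account_vulnerable(bob_reads_alice))              # leaks Alice's record
    print(is_forbidden(view_account_hardened, bob_reads_alice))  # True
    # Bob edits the body to make himself an admin.
    bob_promotes = Request(session_user="bob", body={"user": "bob", "role": "admin"})
    print(update_role_vulnerable(bob_promotes, fresh_users()))                 # admin
    print(is_forbidden(update_role_hardened, bob_promotes, fresh_users()))     # True
```

The pattern to carry away is that the hardened handlers never consult anything the client sent when deciding *whether* the action is permitted; client data only selects *which* record or target is involved, and even that is validated against server-side state before use.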
5 Reasons Broken Access Control Is Pervasive
1. More Apps Than Ever Before
The rise in Broken Access Control runs parallel with the increase in applications across the board. “People are building more and more applications, both internal applications and consumer-facing applications,” said Jiang.
Digital expectations rose sharply during the pandemic, and the application development rush has not subsided since. More applications mean a larger attack surface, and every new endpoint is another place where an authorization check can be forgotten.
2. More Complex Security Protocols
In previous years, gating access to an application was relatively straightforward with HTTP Basic Authentication (which, strictly, only handles authentication; who may do what still has to be enforced by the application). Today, however, the bar is higher.
Authentication and authorization are becoming more challenging to manage because there is an increasing array of modern security protocols to learn and implement, Jiang explains. These protocols include OAuth 2.0, OpenID Connect, and SAML. Each standard comes with its own best practices and nuances, and the rising complexity leaves more room for errors, possibly contributing to more broken access.
3. Not Enough Cybersecurity Experts
Most tech hubs lack the supply of talent to meet the demand of new digital initiatives, and the available workforce with security know-how is slimmer still, Jiang says. As a result, most access control implementations are stitched together by the application developers themselves, who may not have much security expertise. Without a strong DevSecOps culture, leaving inexperienced developers to set security policies is a recipe for failure.
4. Various IAM Solutions
Furthermore, an organization might be running several vendor-specific Identity and Access Management (IAM) tools, such as Okta, Azure AD, Ping, or OneLogin. Enterprises could be using many disparate access management controls because of acquisitions, or different departments might be making different technology choices, says Rocky Gunderson, Strategy Advisor at Datawiza. The complexity rises further in hybrid estates that still run on-premises legacy IAM. Overseeing many disparate identity solutions invites gaps in coverage and inconsistent policy enforcement, which is exactly where access control breaks.
5. Integration Presents a Barrier
Even though identity providers do supply robust access management tools, they're going over the heads of some users, says Jiang. Their Software Development Kits (SDKs) and Application Programming Interfaces (APIs) require extra effort to learn and maintain.
"I'm not sure the major suppliers of SSO are telling people it's hard," says Gunderson. API integration expertise doesn't eliminate the need for domain knowledge of the security protocols themselves. "Once you use the SDK, you still need to manage the protocol," says Jiang.
Other Factors
There are plenty of other factors that might be giving rise to an increase in Broken Access Control. Take, for example, the sheer number of APIs being pushed to market. A report from F5 estimates that there are 200 million public and private APIs in use today. Web APIs, where object-level and function-level authorization flaws are common, are now the most common attack vector, according to Gartner.
Passwords are also inherently frail: they are often leaked or easily guessed, and users reuse the same password across multiple digital services, widening the potential attack surface. Strictly speaking, weak passwords and a lack of multi-factor authentication are authentication failures rather than access control failures, but a stolen credential bypasses whatever access control the application does enforce, so the two problems compound each other, an issue that has moved to the forefront amid rising supply chain concerns.
Another factor is how permissions are assigned. Implementing granular access management can be a headache for organizations, especially in a company of tens of thousands of employees. Ideally, each user would be granted only the permissions their role and actual usage require. In practice, security architects typically rely on coarser, high-level groups, says Gunderson. Such generalized grouping can break the principle of least privilege, since every member of a group inherits whatever its most demanding member needed.
Final Thoughts
Secure access control will be critical to protecting cloud-native infrastructure and hybrid multi-cloud environments. According to Jiang, the way to tie it all together is a no-code solution that reduces the need for excessive engineering resources. Whatever the approach, it should be chosen with a long-term view of the maintenance effort it will demand as protocols and identity providers change.
“Security is a dynamic and ongoing changing challenge,” said Gunderson. “It’s about addressing the broader need of a lack of software development expertise from a security perspective. It’s really more of a platform approach than a technology approach to accommodate hybridity.”