From 2439354a76373c7da72e40bda2b616458acab263 Mon Sep 17 00:00:00 2001 From: Josh Grossman Date: Sun, 27 Oct 2024 08:01:50 +0200 Subject: [PATCH] Make 1.4.5 a recommendation to resolve #1183 --- 5.0/en/0x10-V1-Architecture.md | 2 +- 5.0/en/0x99-Appendix-X_Recommendations.md | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/5.0/en/0x10-V1-Architecture.md b/5.0/en/0x10-V1-Architecture.md index 2562ca1c0c..51947bb82b 100644 --- a/5.0/en/0x10-V1-Architecture.md +++ b/5.0/en/0x10-V1-Architecture.md @@ -60,7 +60,7 @@ There is no single pattern that suits all applications. Therefore, it is infeasi | **1.4.2** | [DELETED] | | | | | | **1.4.3** | [DELETED, DUPLICATE OF 4.1.3] | | | | | | **1.4.4** | [DELETED, INSUFFICIENT IMPACT] | | | | | -| **1.4.5** | [GRAMMAR] Verify that attribute or feature-based access control is used whereby the code checks the user's authorization for a feature or data item rather than just their role. Permissions should still be allocated using roles. | | ✓ | ✓ | 275 | +| **1.4.5** | [DELETED, INSUFFICIENT IMPACT] | | | | | | **1.4.6** | [ADDED] Verify that the application documentation defines controls which use changes to a user's regular environmental and contextual attributes (such as time of day, location, IP address, or device) to make security decisions, including those pertaining to authentication and authorization. These changes should be detected both when the user tries to start a new session and also in the course of an existing session. | | | ✓ | | | **1.4.7** | [ADDED] Verify that access control documentation defines the rules for access control decision-making, specifying user and subject attributes, resource attributes, and relevant environmental factors involved in the process. | ✓ | ✓ | ✓ | | diff --git a/5.0/en/0x99-Appendix-X_Recommendations.md b/5.0/en/0x99-Appendix-X_Recommendations.md index 8d6ce23037..aeac18f2cd 100644 --- a/5.0/en/0x99-Appendix-X_Recommendations.md +++ b/5.0/en/0x99-Appendix-X_Recommendations.md @@ -21,6 +21,7 @@ The following items were previously in ASVS but are not really requirements. Rat * Security controls should be centralized, simple (economy of design), verifiably secure, and reusable. This should avoid duplicate, missing, or ineffective controls. * Ideally, A single and well-vetted access control mechanism should be used to access protected data and resources. All requests should pass through this single mechanism to avoid copy and paste or insecure alternative paths. +* Attribute or feature-based access control is a recommended pattern whereby the code checks the user's authorization for a feature or data item rather than just their role. Permissions should still be allocated using roles. ## Software Security processes