AppSec Blog

Top 25 Series - Rank 21 - Incorrect Permission Assignment for Critical Response

Incorrect Permission Assignment for Critical Response (CWE-732) is a complicated name for a problem that is easy to understand. If you don't go out of your way to take a few steps to secure your resources, they are probably not secured by default. Often enough in development, the responsibility for securing resources and infrastructure components becomes the job of the developer. If the developer isn't told explicitly to secure the resources and set the permissions correctly, they probably won't do it. In many programming languages, when a file is created within the code, the permissions on the file are rather loose. The developer has to write extra code to protect those files. This leads to resources with improper or insecure permission settings.

To ensure the security settings are actually set, a security policy must be in place that specifies the requirements, along with standards and procedures for changing them the right way. In the development lifecycle, such requirements should be observed and be part of the project requirements. The use of standard APIs and processes to perform functions is encouraged; this takes the responsibility away from the developers, who are busy enough trying to develop code. With careful planning and regular audits, this is a vulnerability that can be addressed.
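The loose default, the extra code needed to avoid it, and a simple audit pass can be seen side by side in the following sketch. It is an added example, not code from the original post; it assumes a POSIX system, and the file names, file contents and the 022 umask are constructed for illustration.

```python
import os
import stat
import tempfile

LOOSE_BITS = stat.S_IRWXG | stat.S_IRWXO  # any group/other access (0o077)

def write_default(path, data):
    # Typical code: no mode is given, so the file gets 0o666 & ~umask.
    with open(path, "w") as fh:
        fh.write(data)

def write_private(path, data):
    # The extra code: request owner-only permissions at creation time.
    # O_EXCL refuses a pre-existing file, whose looser mode would be kept.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)

def mode_of(path):
    # Permission bits only, without the file-type bits.
    return stat.S_IMODE(os.stat(path).st_mode)

def audit(root):
    # Regular audit: list files under root that group or others can access.
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            mode = mode_of(full)
            if mode & LOOSE_BITS:
                findings.append((os.path.relpath(full, root), oct(mode)))
    return sorted(findings)

def demo():
    old_umask = os.umask(0o022)  # constructed: a common default umask
    try:
        with tempfile.TemporaryDirectory() as root:
            loose = os.path.join(root, "loose.conf")      # hypothetical names
            private = os.path.join(root, "private.conf")
            write_default(loose, "db_password=example\n")   # constructed data
            write_private(private, "db_password=example\n")
            return mode_of(loose), mode_of(private), audit(root)
    finally:
        os.umask(old_umask)  # restore the caller's umask

if __name__ == "__main__":
    print(demo())
```

The audit reports only the file written without an explicit mode, which is the kind of finding a scheduled permission review would surface.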
