Application Security · AS-Q05

Question: Are authorization and access controls consistently enforced at both application and API layers?

  1. Objective — Why This Matters
    Broken access control heads the OWASP Top 10 (2021, A01) and is exploited routinely because it needs no special tooling: an attacker changes an identifier or role claim in a request and sees whether the server objects. Consistent enforcement at every layer ensures users reach only the data and operations they are entitled to, and limits how far a single compromised account or token can go.

  2. Maturity Levels (0–5)

0 — Unaware
No authorization model; access is restricted only by what the UI shows or hides, and the API behind it accepts any request.
1 — Ad Hoc
Checks scattered across handlers and copied by hand; no centralized enforcement, so endpoints are easily missed.
2 — Defined
Role-based access control documented; API requests carry validated tokens and the roles they assert are checked per endpoint.
3 — Managed
RBAC/ABAC enforced through middleware or gateway policies that every request passes through.
4 — Integrated
Central policy service with dynamic context evaluation (tenant, ownership, device, time).
5 — Optimized
Continuous authorization (zero-trust) that re-evaluates decisions during a session using behavioral and risk signals.
  3. How to Level Up

    From → To   Actions
    0 → 1       Add explicit role checks to the critical endpoints (anything that reads or changes sensitive data).
    1 → 2       Define an RBAC model and enforce it at the controller/service layer, including object-level (ownership) checks, not role checks alone.
    2 → 3       Adopt centralized enforcement (API gateway or middleware) so that no endpoint can be reached without passing it.
    3 → 4       Implement a policy engine (OPA / ORY Keto) with attribute-based rules evaluated per request.
    4 → 5       Incorporate adaptive, risk-based authorization decisions.
  4. People / Process / Technology Enablers
    People – Developers, Architects.
    Process – Access model reviews, periodic privilege recertification.
    Technology – Keycloak Authorization Services, OPA, ORY Keto.

  5. Evidence Required
    Access-control matrix, policy files, audit logs showing denied attempts.

  6. Metrics / KPIs
    • number of authorization violations detected per release
    • percentage of endpoints covered by central policy
    • average time to remediate access bugs

  7. Low-Cost / Open-Source Options (MSME)

    Purpose         Tool              Notes
    Policy engine   OPA / ORY Keto    OPA evaluates attribute- and context-aware rules (Rego); Keto models relationship-based permissions (Zanzibar style).
    Gateway         Kong OSS / Tyk    JWT validation at the edge, with hooks to call the policy engine for the decision.
    Auditing        Wazuh / ELK       Collect access decisions and denied attempts for monitoring and alerting.
  8. Common Pitfalls
    Authorization checked in the UI only; hard-coded role logic scattered through handlers; role checked but object ownership not (IDOR / BOLA); no control at the API layer, so direct calls bypass whatever the UI hides.
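The following is an added illustration, not code from the NIRMATA page or from any of the tools it names. It walks the 1 → 4 path of the How to Level Up table and the first pitfalls above in one file: a role-only handler that leaks another user's record, the same endpoint behind a single policy decision point that combines RBAC with attribute rules (tenant, ownership), an enforcement decorator that logs every denial (the audit evidence asked for earlier), and a small function for the "endpoints covered by central policy" KPI. The users, invoices and requests are constructed sample data, and the subject name is assumed to come from a token that an earlier authentication step has already validated.

```python
"""Centralized authorization walk-through (added example; constructed data)."""
from dataclasses import dataclass
from functools import wraps
from typing import Callable

# Constructed sample data: two tenants, one admin, two ordinary users.
USERS = {
    "alice": {"role": "user", "tenant": "acme"},
    "bob": {"role": "user", "tenant": "acme"},
    "carol": {"role": "admin", "tenant": "globex"},
}
INVOICES = {
    101: {"owner": "alice", "tenant": "acme", "amount": 120},
    102: {"owner": "bob", "tenant": "acme", "amount": 80},
    201: {"owner": "carol", "tenant": "globex", "amount": 990},
}
AUDIT_LOG: list[dict] = []  # denied attempts; in production ship these to Wazuh/ELK


@dataclass
class Request:
    user: str          # subject taken from the (assumed already validated) token
    action: str        # "read" or "delete"
    resource: str      # only "invoice" exists in this sample
    resource_id: int


# Level 1 pitfall: the role is checked, ownership never is (an IDOR/BOLA bug).
def get_invoice_role_only(req: Request) -> dict:
    if USERS[req.user]["role"] not in ("user", "admin"):
        raise PermissionError("role not allowed")
    return INVOICES[req.resource_id]  # bob can read alice's invoice 101


# Level 3/4: one policy decision point with RBAC plus attribute rules.
def policy_decide(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Deny by default; every allow names its rule."""
    subject = USERS.get(req.user)
    obj = INVOICES.get(req.resource_id) if req.resource == "invoice" else None
    if subject is None or obj is None:
        return False, "unknown subject or object"
    if subject["tenant"] != obj["tenant"]:  # attribute rule, applies to admins too
        return False, "cross-tenant access"
    if subject["role"] == "admin":  # role rule
        return True, "admin within tenant"
    if req.action == "read" and obj["owner"] == req.user:  # ownership rule
        return True, "owner read"
    return False, f"{subject['role']} may not {req.action} invoice {req.resource_id}"


def authorize(handler: Callable[[Request], dict]) -> Callable[[Request], dict]:
    """Policy enforcement point: the middleware every handler must pass through."""
    @wraps(handler)
    def wrapper(req: Request) -> dict:
        allowed, reason = policy_decide(req)
        if not allowed:
            AUDIT_LOG.append({"user": req.user, "action": req.action,
                              "resource": f"{req.resource}/{req.resource_id}",
                              "decision": "deny", "reason": reason})
            raise PermissionError(reason)
        return handler(req)
    wrapper.centrally_authorized = True  # lets policy_coverage count this endpoint
    return wrapper


@authorize
def get_invoice(req: Request) -> dict:
    return INVOICES[req.resource_id]


@authorize
def delete_invoice(req: Request) -> dict:
    return {"deleted": req.resource_id}  # sample data left intact for re-runs


def policy_coverage(handlers: list[Callable]) -> float:
    """KPI from the Metrics section: share of endpoints behind the central policy."""
    covered = sum(1 for h in handlers if getattr(h, "centrally_authorized", False))
    return covered / len(handlers)


if __name__ == "__main__":
    # bob reading alice's invoice: the role-only handler leaks it ...
    print(get_invoice_role_only(Request("bob", "read", "invoice", 101)))
    # ... the central policy denies it and records the attempt.
    try:
        get_invoice(Request("bob", "read", "invoice", 101))
    except PermissionError as exc:
        print("denied:", exc)
    print(AUDIT_LOG)
    print("coverage:", policy_coverage([get_invoice_role_only, get_invoice, delete_invoice]))
```

The point of the decorator is that the handler body never makes an access decision of its own; swapping `policy_decide` for a call to OPA or Keto changes nothing in the endpoints, and any handler that is not wrapped shows up immediately in the coverage figure.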

  9. Compliance Mapping

    Standard           Clauses / Notes
    ISO 27001:2022     A.5.18 (access rights) / A.8.15 (logging).
    NIST CSF 2.0       PR.AA-05 (access permissions and authorizations defined, enforced and reviewed under least privilege); the CSF 1.1 equivalent was PR.AC-4.
    CERT-In 2022       Access-control governance.
    NIRMATA Scoring    AS-Q05 ≥ Level 4 requires centralized policy enforcement.