[CDP-development] U.S. and Australia Partner to Release Advisory on Preventing Web Application Access Control Abuse
Masse, Theresa
theresa.masse at cisa.dhs.gov
Fri Jul 28 07:03:43 PDT 2023
FYSA
Yesterday, the Cybersecurity and Infrastructure Security Agency (CISA), the Australian Signals Directorate's Australian Cyber Security Centre (ACSC), and the National Security Agency (NSA) published a joint Cybersecurity Advisory<https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-208a> (CSA) titled "Preventing Web Application Access Control Abuse." The joint CSA warns vendors, designers, developers, and end-user organizations of web applications about insecure direct object reference (IDOR) vulnerabilities, which are frequently exploited by malicious actors. The CSA provides guidance to reduce the prevalence of IDOR flaws and vulnerabilities.
Depending on the type of IDOR vulnerability, malicious actors can access sensitive data, modify or delete objects, or invoke functions they are not authorized to use. These vulnerabilities exist because an object identifier is exposed, passed externally, or easily guessed, and the application does not verify that the requesting user is authorized for that object, so any user can supply or modify the identifier. These flaws are common, hard to prevent outside of the development process, and can be abused at scale in data breach incidents.
In the joint advisory, mitigations are categorized and aligned for specific groups - vendors and developers; all end-user organizations; end-user organizations with on-premises software, infrastructure-as-a-service (IaaS), or private cloud models; and end-user organizations with software-as-a-service (SaaS).
Vendors, designers, and developers of web application frameworks and web applications are strongly encouraged to implement secure-by-design principles into each stage of the software development life cycle (SDLC).
All organizations are strongly urged to review the advisory and apply mitigation measures to reduce the prevalence of IDOR vulnerabilities and flaws to protect sensitive data in their systems.
Theresa A. Masse
Cybersecurity State Coordinator/Advisor, Region 10 (Oregon)
Cybersecurity and Infrastructure Security Agency
Department of Homeland Security
Phone: (503) 930-5671
Email: theresa.masse at cisa.dhs.gov
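To make the IDOR pattern described in the advisory concrete, the following is an added example written for this page; it is not code from the advisory, CISA, or the sender. It uses a constructed in-memory document store (the DOCS table, the user names, and the handler and class names are all assumptions) and shows the vulnerable handler that trusts a request-supplied id, the same handler with an object-level authorization check on every request, and a per-session indirect reference map built on unguessable random tokens. The enumerate_documents function plays the attacker walking a numeric id range so the difference between the two handlers is visible.

```python
import secrets
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller may not access the requested object."""


@dataclass(frozen=True)
class Document:
    doc_id: int   # sequential internal id: guessable, so never an access decision by itself
    owner: str
    body: str


# Constructed sample data standing in for a database table (not real records).
DOCS = {
    101: Document(101, "alice", "alice: 2022 tax return"),
    102: Document(102, "bob", "bob: lab results"),
    103: Document(103, "alice", "alice: mortgage statement"),
}


def get_document_vulnerable(user: str, doc_id: int) -> str:
    """IDOR: the caller is authenticated, but the id taken from the request is
    used directly, so any user can read any document by changing the number."""
    doc = DOCS.get(doc_id)
    if doc is None:
        raise KeyError(doc_id)
    return doc.body


def get_document_fixed(user: str, doc_id: int) -> str:
    """Object-level authorization on every request: the lookup is scoped to the
    caller, and a missing object and a foreign object get the same response so
    the endpoint is not an oracle for which ids exist."""
    doc = DOCS.get(doc_id)
    if doc is None or doc.owner != user:
        raise Forbidden(f"{user} may not access the requested document")
    return doc.body


class IndirectReferenceMap:
    """Hypothetical helper (not an API from the advisory): a per-session map from
    opaque random tokens to internal ids. The client only ever sees tokens it was
    issued, so it cannot name objects it was never shown."""

    def __init__(self, user: str) -> None:
        self.user = user
        self._by_token: dict[str, int] = {}

    def reference(self, doc_id: int) -> str:
        token = secrets.token_urlsafe(16)   # CSPRNG, 128 bits: not enumerable
        self._by_token[token] = doc_id
        return token

    def resolve(self, token: str) -> str:
        doc_id = self._by_token.get(token)
        if doc_id is None:
            raise Forbidden("unknown reference")
        # Defense in depth: the resolved internal id is still checked for ownership.
        return get_document_fixed(self.user, doc_id)


def enumerate_documents(handler, user: str, id_range) -> list[int]:
    """Simulate the attacker's loop: walk a numeric id range as `user` and
    return the ids that the handler disclosed."""
    exposed = []
    for doc_id in id_range:
        try:
            handler(user, doc_id)
        except (Forbidden, KeyError):
            continue
        exposed.append(doc_id)
    return exposed


if __name__ == "__main__":
    print("vulnerable:", enumerate_documents(get_document_vulnerable, "bob", range(100, 110)))
    print("fixed:     ", enumerate_documents(get_document_fixed, "bob", range(100, 110)))
```

Run as a script, the vulnerable handler discloses every document in the range to bob, while the fixed handler discloses only bob's own. The indirect map alone does not replace the authorization check: if a session were ever issued a token for another user's object, resolve() still refuses it, which is why both controls are kept.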