Mitigating Broken Access Control using compiler

by Aleksei Bekh-Ivanov

In 2021, OWASP moved the Broken Access Control category of vulnerabilities to first place in its Top 10 list. One of the reasons this happens is that developers forget.

  • Forget to check if the user is authenticated when writing a new method in a controller.
  • Forget to check whether the data they are presenting belongs to a different user.
  • Forget to check if the user has admin privileges.

And often it is understandable. Maybe the project is being delivered under great pressure before Black Friday. Or the product owner does not consider security a priority, and authorization was never even discussed. Or the feature is implemented by a rather junior person who is struggling to write working code and has no mental capacity left to think about security on top of that. Or the service was inherited from another team, and no one on the team fully understands how it works. Or possibly it was you who wrote it, but you haven't worked on it in the last year and have completely forgotten everything!

Here I would like to present some ideas on how the type system of your language can save future you, or others, from making mistakes that can cost your company a huge lawsuit and cost you your job.
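As an added illustration of that idea (example code, not from the talk), here is one way to encode the three forgotten checks above as Rust types, so that a handler which skips a check cannot even be compiled. The type names, the token values and the "user 7 is the admin" rule are constructed assumptions.

```rust
/// Identity of a user as stored in the session table (constructed example).
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct UserId(pub u64);
/// Proof that the request was authenticated; the private field means the
/// only way to obtain one is through `authenticate`.
#[derive(Clone, Copy, Debug)]
pub struct Authenticated { id: UserId }
/// Proof that the caller also passed the admin-role check.
#[derive(Clone, Copy, Debug)]
pub struct Admin { _user: Authenticated }
/// A raw order row from storage; nothing has been checked yet.
pub struct Order { pub id: u64, pub owner: UserId }
/// An order checked to belong to the viewer. The private marker field
/// means it can only be built by `load_own_order`.
pub struct OwnedOrder { pub id: u64, pub owner: UserId, _checked: () }

/// Session lookup. Constructed sample data: two valid tokens, user 7 is the admin.
pub fn authenticate(token: &str) -> Option<Authenticated> {
    match token {
        "tok-42" => Some(Authenticated { id: UserId(42) }),
        "tok-7" => Some(Authenticated { id: UserId(7) }),
        _ => None,
    }
}

/// Third bullet: the admin check lives here, once, and yields an `Admin` proof.
pub fn require_admin(user: Authenticated) -> Result<Admin, &'static str> {
    if user.id == UserId(7) { Ok(Admin { _user: user }) } else { Err("forbidden: admin role required") }
}

/// Second bullet: the ownership check lives here, once.
pub fn load_own_order(viewer: &Authenticated, order: Order) -> Result<OwnedOrder, &'static str> {
    if order.owner != viewer.id { return Err("forbidden: not your order"); }
    Ok(OwnedOrder { id: order.id, owner: order.owner, _checked: () })
}

/// Handlers state their requirement in the parameter type; a handler that
/// skipped the check simply cannot be handed an `OwnedOrder` or an `Admin`.
pub fn show_order(order: &OwnedOrder) -> String { format!("order {} for user {}", order.id, order.owner.0) }
pub fn delete_any_order(_admin: &Admin, order_id: u64) -> String { format!("order {} deleted", order_id) }

/// First bullet: the controller entry point has to call `authenticate`
/// to satisfy the types at all.
pub fn view_order_endpoint(token: &str, order: Order) -> Result<String, &'static str> {
    let user = authenticate(token).ok_or("unauthenticated")?;
    let owned = load_own_order(&user, order)?;
    Ok(show_order(&owned))
}
```

The point is that each check exists in exactly one place and produces a value of a type nobody else can construct; a reviewer only has to look at a handler's signature to see which checks it relies on.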

Aleksei Bekh-Ivanov

Senior Consultant, Thoughtworks

Hi! I'm Aleksei. Currently I am an Application and Infrastructure Developer at ThoughtWorks. Overall, I've been working in IT for around 12-15 years (depending on how you prefer to count). In that time I had a chance to try different roles, from office SysAdmin setting up printers to Cyber Security Responsible for a big enterprise platform. I worked in very different companies, including NGOs, companies where salary is paid every week and companies with thousands of developers. My passions are testing, security, privacy and software design.