Cornucopia - Ecommerce Website - AZ 5

Suit: Authorization

Card/Value: 5

Description:
Chad can access resources (including services, processes, AJAX, Flash, video, images, documents, temporary files, session data, system properties, configuration data, registry settings, logs) he should not be able to due to missing authorization, or due to excessive privileges (e.g. not using the principle of least privilege).

Technical Note:
Define access controls for each and every resource and system component. Enforce authorization controls on every request, regardless of resource type.

NB: the key concept for this card is applying authorization controls to all resource types. See AZ 6 for data controls, and AZ 7 for function/object/property controls.
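Worked example, added here and not part of the Cornucopia deck: a deny-by-default policy keyed by resource prefix, with the anti-pattern this card describes (authorization enforced only for the "API" routes, so documents, temporary files, configuration data and logs under other prefixes are served to anyone) placed beside the corrected dispatcher that puts one authorization gate in front of every request. The policy table, routes, roles and the Request/dispatch helpers are constructed for illustration; paths are normalized before matching so a prefix rule for /static cannot be sidestepped with dot segments.

```python
"""Added example (not from the Cornucopia card or the OWASP project):
enforce authorization on every request, regardless of resource type.
All routes, roles and the policy table below are constructed for illustration."""
import posixpath
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset
    method: str
    path: str


# Constructed policy table: resource prefix -> {HTTP method: roles allowed}.
# Every resource type gets an entry (services, documents, static files,
# configuration data, temporary files, logs); anything absent is denied.
POLICY = {
    "/api/orders":    {"GET": {"customer", "admin"}, "POST": {"customer", "admin"}},
    "/api/admin":     {"GET": {"admin"}, "POST": {"admin"}},
    "/docs/invoices": {"GET": {"customer", "admin"}},                # documents
    "/static":        {"GET": {"anonymous", "customer", "admin"}},   # images, scripts
    "/config":        {"GET": {"admin"}},                            # configuration data
    "/tmp/exports":   {"GET": {"admin"}},                            # temporary files
    "/logs":          {"GET": {"admin"}},                            # logs
}


def normalize(path: str) -> str:
    """Collapse '.', '..' and repeated slashes so that a request for
    '/static/../config/app.ini' is authorized as '/config/app.ini'."""
    return posixpath.normpath("/" + path.lstrip("/"))


def authorize(req: Request) -> bool:
    """True only if a policy entry covers the normalized path and grants the
    method to one of the caller's roles. No entry means no access."""
    path = normalize(req.path)
    match = None
    for prefix in POLICY:
        # Match on whole path segments only; the longest matching prefix wins.
        if (path == prefix or path.startswith(prefix + "/")) and (
            match is None or len(prefix) > len(match)
        ):
            match = prefix
    if match is None:
        return False                                   # deny by default
    allowed = POLICY[match].get(req.method, set())
    return bool(allowed & req.roles)


def serve_resource(req: Request):
    """Stand-in for the real handler; returns (status, body)."""
    return 200, f"{req.method} {req.path} served"


def dispatch_weak(req: Request):
    """Anti-pattern: authorization only guards the API routes. Documents,
    temp files, config and logs under other prefixes are served unchecked."""
    if req.path.startswith("/api/") and not authorize(req):
        return 403, "forbidden"
    return serve_resource(req)


def dispatch_enforced(req: Request):
    """Fix: a single authorization gate in front of every request,
    whatever the resource type behind the path."""
    if not authorize(req):
        return 403, "forbidden"
    return serve_resource(req)


def status(dispatch, roles, method, path) -> int:
    """Convenience wrapper: run one constructed request and return the status."""
    return dispatch(Request("chad", frozenset(roles), method, path))[0]


if __name__ == "__main__":
    probes = [
        ({"customer"},  "GET", "/docs/invoices/123.pdf"),
        ({"customer"},  "GET", "/config/app.ini"),
        ({"anonymous"}, "GET", "/static/../config/app.ini"),
        ({"customer"},  "GET", "/tmp/exports/orders.csv"),
        ({"admin"},     "GET", "/logs/app.log"),
    ]
    for roles, method, path in probes:
        print(f"{sorted(roles)!s:14} {method} {path:32} "
              f"weak={status(dispatch_weak, roles, method, path)} "
              f"enforced={status(dispatch_enforced, roles, method, path)}")
```

Running the block prints, for each constructed probe, the status the weak dispatcher returns next to the enforced one; the rows for configuration data, temporary files and the dot-segment path show where the weak version hands resources to a customer or anonymous caller.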

References: