1.15.2008

Secure Coding Practices, Part 3: Authorization

by Steven McElwee, CISSP

Reviewing application authorization is an important consideration when reviewing code security. Authorization determines what users are allowed to do in the application after they have successfully authenticated.

Proper authorization supports separation of duties. Information is better protected by giving users the least privilege needed to perform their jobs. Applications must support fine-grained roles in order to implement separation of duties when assigning users to roles.

When evaluating authorization in an application, here are a few questions to consider:

  • Are permissions defined to create fine-grained user access?
  • Are permissions defined for fine-grained administrator access?
  • Are permissions enforced consistently in the application?
  • Can permissions be grouped or organized to user roles for simplified access management?
  • Are roles and permissions consistent with standards or other applications in the enterprise?

Make sure that your software developers understand the differences between authentication and authorization, as well as the importance of fine-grained access to support separation of duties. Authorization controls are an important part of your secure coding guidelines and should be on your security code review checklist too.
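As an added illustration (not code from the original post), here is a minimal Python sketch of the model the questions above describe: fine-grained permissions grouped into roles, one decorator that enforces them the same way at every entry point, and both a static and a dynamic separation-of-duties check. The invoice permissions, role names and conflict pairs are constructed sample values.

```python
# Fine-grained permissions, one per action on a resource (constructed sample).
PERMISSIONS = {"invoice:create", "invoice:approve", "invoice:view", "user:manage"}
# Roles group permissions so access is managed per role rather than per user.
ROLES = {
    "clerk": {"invoice:create", "invoice:view"},
    "approver": {"invoice:approve", "invoice:view"},
    "auditor": {"invoice:view"},
    "admin": {"user:manage"},  # no invoice rights: least privilege applies to admins too
}
# Static separation of duties: role pairs a single person may never hold together.
SOD_CONFLICTS = [{"clerk", "approver"}]

class AuthorizationError(Exception):
    pass

def assign_roles(roles):  # reject a separation-of-duties violation before granting
    for conflict in SOD_CONFLICTS:
        if conflict.issubset(roles):
            raise AuthorizationError("conflicting roles: %s" % sorted(conflict))
    return set(roles)

def requires(permission):
    """Decorator: a single enforcement point reused by every protected function."""
    if permission not in PERMISSIONS:  # a misspelled permission fails at load time
        raise ValueError("undefined permission: %s" % permission)
    def decorator(fn):
        def wrapper(user, *args):
            if not any(permission in ROLES[r] for r in user["roles"]):
                raise AuthorizationError("%s lacks %s" % (user["name"], permission))
            return fn(user, *args)
        return wrapper
    return decorator

@requires("invoice:create")
def create_invoice(user, amount):
    return {"amount": amount, "created_by": user["name"], "approved": False}

@requires("invoice:approve")
def approve_invoice(user, invoice):
    # Dynamic separation of duties: nobody may approve an invoice they created.
    if invoice["created_by"] == user["name"]:
        raise AuthorizationError("creator may not approve own invoice")
    return dict(invoice, approved=True, approved_by=user["name"])

def denied(fn, *args):  # True when authorization refuses the call
    try:
        fn(*args)
    except AuthorizationError:
        return True
    return False
```

Because every protected function goes through the same decorator, a code reviewer can grep for `@requires` to confirm no entry point is left unchecked, which is the "enforced consistently" question from the list above.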
