-
-
Notifications
You must be signed in to change notification settings - Fork 673
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
1.4.6 - Contextual attributes for access decisions #2062
Comments
Comment from Elar (#2033 (comment)):
Comment from Josh (#2033 (comment)):
Comment from Elar (#2033 (comment))
Related requirement in logging section:
Comment from Josh (#2033 (comment)):
|
Hi @EnigmaRosa, I had a discussion with Elar about this. We agree that the concept is important but is hard to be too prescriptive about the actual requirement. We therefore think it might be good as an L3 documentation requirement as that means that the application developer is expected to have considered this and documented an effective way to carry it out. What do you think about putting the following in 1.4?
|
I like the idea of merging this into 1.4 |
Yes, this is why I had it proposed as a requirement exclusively to L3. I am okay with merging into 1.4. |
Excellent, I think you can open a PR :) |
For V1 "Verify that there are documented controls" should be something like "Verify that there are documentation for controls" e. g. implementation requirement vs documentation requirement. |
Good point @elarlang, maybe something like;
|
Created the PR! |
From PR:
|
I agree with dropping the CWE. @elarlang My opinion is that this is quite a challenging requirement and I would prefer to keep it as L3. |
Ack, let's drop the CWE and move on. |
Sorry, I am behind on this one, but it may be worth updating the wording to include a reference to session attributes/characteristics. For example, consider the current draft NIST SP 800-63B-4 that defines "Session Monitoring" (section 5.3) as a category for these controls. |
@ryarmst - is it more topic for 3.7.1?
|
@elarlang No, sorry, I will clarify. Consider using an IP address as a contextual attribute. I will suggest two possible use cases (not commenting on their merits as actual controls):
For (2) above, you could consider this a part of authorization logic, but the property is nevertheless bound to a user's session. At my organization, we've historically referred to these as "session-bound properties". The NIST document similarly refers to these as "session characteristics". As another example, this recent post from Slack details how they use a number of session characteristics to detect what they refer to as session forking (as far as I can tell, this is perhaps the first published use of this term). Unless I am misunderstanding the intent of 1.4.6, I interpret the authorization decisions to be fulfilling (2) above and therefore strongly based on session characteristics. If so, I simply suggest adding a reference to "session characteristics" or something similar in the requirement so it can be correlated with other standards and publications. Here is a suggestion (added text emphasized):
Does this make sense? |
I just add it here as potentiall related:
|
I'm not a fan of mentioning session-specific requirements in authorization-related requirements. Also, I'm not sure do we need to duplicate it in the session section kind of. ping @tghosth |
So to me this whole requirement is a little wide ranging which I think makes sense and therefore it doesn't necessarily fit cleanly into a particular chapter. I think Ryan's idea makes sense so maybe something like:
|
Ok for me. Just in case, don't carry the |
Note: This is discussed in #2033 as 4.3.5, but is now 4.3.4 to account for updating numbering.
Proposing a requirement to consider additional attributes with regards to access control decisions for sensitive (i.e. L3) applications.
The text was updated successfully, but these errors were encountered: