Do not Trust Services

From The Secure Arc Wiki



Assertion

Systems or sub-systems outside the bounds of a receiving component must never be trusted implicitly.

Rationale

There are a number of scenarios where this can apply.

  1. In B2B interactions, partner organisations will not necessarily enforce the same level of security constraints, policies and quality controls as your own, and therefore the level of trust attributed to their requests should be questioned.
  2. In large organisations, the same considerations as in the B2B scenario above come into play.
  3. Within the same system, a request from a User Interface to the downstream services should not be implicitly trusted either. This is in accordance with the Defence in Depth principle and primarily addresses bugs and misconfiguration rather than malicious intent. However, depending on the deployment model used, a Service used by its own Web Interface is an entry point for both intended web traffic and malicious direct traffic, as described in the Minimise Attack Surface principle.

Where possible, a request should be accompanied with an end user credential that can be validated by the receiving service and authorisation controls should be enforced based on the end user, not the system the end-user is interacting with.
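The following is an added example, not code from the Secure Arc Wiki. It contrasts a downstream service that trusts a user identity asserted by its caller with one that validates an end-user credential itself and authorises on the verified claims. It assumes a constructed shared HMAC secret, a compact signed token format, and an `Authorization: Bearer` header; these are illustrative assumptions, not a prescribed format.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example secret shared with the token issuer (assumption for this example only).
SECRET = b"example-secret-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(claims: dict) -> str:
    """Mint an HMAC-SHA256 signed token, as the identity provider would."""
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token: str, now=None):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):  # constant-time compare
        return None
    claims = json.loads(_unb64(body))
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return None
    return claims


# Constructed sample data: orders owned by end users.
ORDERS = {"o-1": {"owner": "alice"}, "o-2": {"owner": "bob"}}


def get_order_trusting_caller(headers: dict, order_id: str):
    """Naive: trusts whatever user id the upstream UI asserts in a plain header."""
    user = headers.get("X-User")
    order = ORDERS.get(order_id)
    return order if order and order["owner"] == user else None


def get_order_verifying_user(headers: dict, order_id: str, now=None):
    """Hardened: authorises on the validated end-user claim, not on the caller's word."""
    raw = headers.get("Authorization", "")
    claims = verify_token(raw[len("Bearer "):] if raw.startswith("Bearer ") else raw, now)
    if claims is None:
        return None
    order = ORDERS.get(order_id)
    return order if order and order["owner"] == claims.get("sub") else None
```

The naive handler returns any order for which the caller simply sets `X-User`, whereas the hardened handler rejects forged, tampered or expired tokens before any authorisation decision is made.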

Further detailed information is available on Wikipedia.


Related References

Policies & Standards

Design Patterns
