OWASP AI Security and Privacy Guide OWASP Foundation

Access Control (or Authorization) is the process of granting or denying specific requests from a user, program, or process. To satisfy the accuracy principle, you should also have tools and processes in place to ensure that the data is obtained from reliable sources, its validity and correctness claims are validated and data quality and accuracy are periodically assessed. GDPR also refers to such practices but also has a specific clause related to algorithmic-decision making. This includes getting a human intervention to an algorithmic decision, an ability to contest the decision, and get a meaningful information about the logic involved. The US Equal Credit Opportunity Act requires detailed explanations on individual decisions by algorithms that deny credit. These range from group fairness, false positive error rate, unawareness, and counterfactual fairness.

These techniques should be applied proactively at the early stages of software development to ensure maximum effectiveness. Similarly, you may need to collect sensitive data under KYC requirements, but such data should not be used for ML models used for business analytics without proper controls. Security Assertion Markup Language (SAML) is often considered to compete with OpenId.

OWASP Proactive Control 2 — leverage security frameworks and libraries

The document was then shared globally so even anonymous suggestions could be considered. The protocol is designed to plug these device capabilities into a common authentication framework. Multi-factor authentication (MFA) is by far the best defense against the majority of password-related attacks, including brute-force attacks, with analysis by Microsoft suggesting that it would have stopped 99.9% of account compromises.

They
are discretionary in the sense that a subject with certain access
permissions is capable of passing on that access, directly or
indirectly, to other subjects. For example, buffer overflows are a failure in enforcing
write-access on specific areas of memory. Often, a buffer overflow
exploit also accesses the CPU in a manner that is implicitly
unauthorized as well. The OWASP Top 10 Proactive Controls is similar to the OWASP Top 10 but is focused on defensive techniques and controls as opposed to risks.

The Top 10 Proactive Controls¶

However, these frameworks and libraries must not be viewed as a quick panacea for all development problems; developers have a duty to use such frameworks responsibly and wisely. As a security concept, Least Privileges refers to the principle of assigning users only the minimum privileges necessary to complete their job. owasp controls Although perhaps most commonly applied in system administration, this principle has relevance to the software developer as well. For example, even though both an accountant and sales representative may occupy the same level in an organization’s hierarchy, both require access to different resources to perform their jobs.

While authentication through a combination of username, password, and multi-factor authentication is considered generally secure, there are use cases where it isn’t considered the best option or even safe. Examples of this are third-party applications that desire to connect to the web application, either from a mobile device, another website, desktop, or other situations. When this happens, it is NOT considered safe https://remotemode.net/ to allow the third-party application to store the user/password combo, since then it extends the attack surface into their hands, where it isn’t in your control. For this and other use cases, there are several authentication protocols that can protect you from exposing your users’ data to attackers. The answer is with security controls such as authentication, identity proofing, session management, and so on.