Your company sells toys online worldwide, which is supported by a web-based E-Commerce system. The EC system issues an access token, which is renewed on a rolling basis, for subsequent access authorization after a user is validated. You disabled a user account after confirming an active session is established using the breached user account. However, the access token and the user session are still active, and resources are accessible. Which of the following is the best solution to solve this problem?
A. Implement complete mediation
B. Impose a higher degree of race condition
C. Conduct Time-of-Check after Time-of-Use
D. Apply need-to-know and least privilege principles
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is A. Implement complete mediation.
Complete mediation means every access to every object must be checked for authority.
The race condition is bad. It means several parties are competing for resources. In the context of RDBMS, a severe race condition is subject to deadlock because of poor concurrency control. Imposing a higher degree of race condition will worsen performance and cause more security problems.
TOC/TOU is a typical software issue. Time-of-Check should be conducted before Time-of-Use. Even so (check before use), the software may still result in TOC/TOU problems if not implemented correctly because of the volatile and dynamic nature of states.
Need-to-know and least privilege principles are applied when a user account is proofed, enrolled, authorized, and provisioned.
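The following is an added illustration of option A and of the TOC/TOU point above; it is example code written for this post, not code from the EC system in the question. It assumes a Python in-memory account store and token store, a rolling idle timeout `TOKEN_TTL` (an assumed value), and a `required_role` parameter standing in for whatever the resource demands. The weak handler checks only the token, whose authority was established at issue time, so disabling the account changes nothing; the mediated handler consults the authoritative account record on every request, so the disabled account is cut off at its next access even though its token and session are still live.

```python
"""Complete mediation for a rolling access token (added illustration)."""
import secrets
import time
from dataclasses import dataclass, field

TOKEN_TTL = 900  # seconds of idle time before a token lapses (assumed value)


@dataclass
class Account:
    username: str
    enabled: bool = True
    roles: set = field(default_factory=set)


@dataclass
class Session:
    username: str
    expires_at: float
    roles_at_login: set  # snapshot taken when the token was issued


class AuthServer:
    """Toy account store plus token store; stands in for the EC system."""

    def __init__(self):
        self.accounts: dict[str, Account] = {}
        self.sessions: dict[str, Session] = {}

    def add_account(self, username, roles=()):
        self.accounts[username] = Account(username, True, set(roles))

    def disable(self, username):
        self.accounts[username].enabled = False

    def login(self, username, now=None):
        now = time.time() if now is None else now
        acct = self.accounts.get(username)
        if acct is None or not acct.enabled:
            raise PermissionError("login refused")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(username, now + TOKEN_TTL, set(acct.roles))
        return token

    def live_session(self, token, now):
        """Return the session for token if it exists and has not lapsed."""
        sess = self.sessions.get(token)
        if sess is None or sess.expires_at < now:
            self.sessions.pop(token, None)
            return None
        return sess


def access_trusting_token(server, token, required_role, now=None):
    """Weak handler: authority was checked once, when the token was issued.
    Nothing here looks at the account again, so a disabled account keeps going."""
    now = time.time() if now is None else now
    sess = server.live_session(token, now)
    if sess is None:
        return False
    sess.expires_at = now + TOKEN_TTL        # rolling renewal on every use
    return required_role in sess.roles_at_login


def access_complete_mediation(server, token, required_role, now=None):
    """Complete mediation: every access re-consults the authoritative account
    record (enabled flag and current roles) before the resource is released."""
    now = time.time() if now is None else now
    sess = server.live_session(token, now)
    if sess is None:
        return False
    acct = server.accounts.get(sess.username)
    if acct is None or not acct.enabled:
        server.sessions.pop(token, None)     # revoke the session of a disabled account
        return False
    if required_role not in acct.roles:
        return False
    sess.expires_at = now + TOKEN_TTL        # renew only after the decision is "allow"
    return True


def scenario(mediated):
    """Replay the question: login, a legitimate access, the account is
    disabled, then the same token is used again. Returns (before, after)."""
    srv = AuthServer()
    srv.add_account("alice", roles={"customer"})
    token = srv.login("alice", now=0)
    check = access_complete_mediation if mediated else access_trusting_token
    before = check(srv, token, "customer", now=10)
    srv.disable("alice")                     # the administrator's response
    after = check(srv, token, "customer", now=20)
    return before, after


if __name__ == "__main__":
    print("token only      :", scenario(mediated=False))   # (True, True)
    print("complete mediation:", scenario(mediated=True))  # (True, False)
```

The design choice worth noting is where the renewal happens: the mediated handler extends the session only after the access decision is "allow", so a denied request can never keep a dead session alive through the rolling renewal.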
- Common Security Issues in Financially-Oriented Web Applications
- Saltzer and Schroeder’s design principles
- Security Design Principles
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get a copy from the author’s web site.