Protecting against insufficient authorization

• Improper access to secure areas of the website

  .
  
  

  • Need to carefully examine program logic
  • Consider establishing an Access Control List (ACL)
  • Careful planning needed
  • Customer requirements should be taken into account

• Improper authority for low level accounts

  .
  
  

  • Need to apply the principal of least privileges
  • Especially true for database access