1. Secure Development Guide
  2. About this guide
  3. Addressing the Top Security Risks for Oracle Life Sciences IAMS APIs
  4. Broken Access Control

Broken Access Control

When a developer exposes a reference to an object without proper access or other protection, this reference can become a means of attack. When developing code and sending data to and from the API, ensure that the authorization model of the API interface is consistent to guard against insecure direction object references.

As a best practice, do not assume that a method will only be called within the context for which it was initially designed. All access to functionality that manipulates data must be protected either by access control on the entity or by guarding the invocation of methods with the appropriate permission checks. The credential of the identity associated with the access control at the client application must be encrypted and stored securely.

The authorization model in the SCIM interface ensures protection down to the object level and the SCIM interface has been validated for proper authorization constructs within the functions of the defined service. Any client code built to interact with the SCIM interface should complement this security model so that proper authorization is controlled at the object level.

As a best practice, do not assume that a method will only be called within the context for which it was initially designed. All access to functionality that manipulates data must be protected either by access control on the entity or by guarding the invocation of methods with the appropriate permission checks. The credential of the identity associated with the access control at the client application must be encrypted and stored securely.

Parent topic: Addressing the Top Security Risks for Oracle Life Sciences IAMS APIs