Access Controls

Are there tests for failed authentication states?

https://martinfowler.com/articles/web-security-basics.html

  • Use existing authentication frameworks whenever possible instead of creating one yourself
  • Support authentication methods that make sense for your needs
  • Limit the ability of an attacker to take control of an account
  • Take steps to prevent attacks that identify or compromise accounts (credential stuffing, password spraying, user enumeration)
  • Never use default or hard-coded credentials

Proper Access Controls

This one is tricky as it is very dependent on the context of your application. Here are some things to consider:

  • How do users authenticate? Are you using a secure library?
  • Should only privileged users have access to certain resources? Where are these roles stored? Could they be manipulated by user input?
  • What systems/services can access your database?

This last point is absolutely critical. App context varies, but an anonymous user, system, or service should never be able to reach your database. Make sure the database has a strong authentication model of its own: named accounts per service, no anonymous or default logins, and network access restricted to the services that actually need it.
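The two questions above that are easiest to get wrong in practice are "are failed authentication states tested?" and "could the role be manipulated by user input?". The following is an added illustration, not code from the page or from the linked article: a minimal authentication and authorization service in Python, with the role kept in the server-side user record and deliberately never read from the request, plus a function that exercises the failure states a test suite should cover (unknown user, wrong password, lockout after repeated failures, missing session, and a role claim smuggled in the request body). Usernames, passwords, the lockout threshold and the PBKDF2 iteration count are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

# Constructed parameters for this example (tune for production; iteration
# count kept modest so the example runs quickly).
ITERATIONS = 100_000
MAX_FAILURES = 3


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; never store or compare plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    role: str        # authoritative role lives here, server-side only
    failures: int = 0


class AuthService:
    def __init__(self, users):
        self._users = {u.name: u for u in users}
        self._sessions = {}  # session token -> username

    def authenticate(self, username: str, password: str):
        """Return a session token on success, None on any failure."""
        user = self._users.get(username)
        if user is None:
            # Burn the same hashing cost so unknown users are not
            # distinguishable from wrong passwords by response time.
            hash_password(password, b"\x00" * 16)
            return None
        if user.failures >= MAX_FAILURES:
            return None  # locked: reject before even checking the password
        candidate = hash_password(password, user.salt)
        if not hmac.compare_digest(candidate, user.pw_hash):
            user.failures += 1
            return None
        user.failures = 0
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    def authorize(self, token, required_role: str, request_body=None) -> bool:
        """Role is read from the stored user record; request_body is accepted
        only to show that anything the client sends about roles is ignored."""
        username = self._sessions.get(token)
        if username is None:
            return False
        return self._users[username].role == required_role


def make_user(name: str, password: str, role: str) -> User:
    salt = os.urandom(16)
    return User(name, salt, hash_password(password, salt), role)


def build_demo_service() -> AuthService:
    # Constructed sample accounts.
    return AuthService([
        make_user("alice", "correct horse battery staple", "admin"),
        make_user("bob", "hunter2-but-longer", "user"),
    ])


def check_failed_states() -> dict:
    """Exercise each failed-authentication state; every value should be True."""
    svc = build_demo_service()
    r = {}
    r["unknown_user_rejected"] = svc.authenticate("mallory", "x") is None
    r["wrong_password_rejected"] = svc.authenticate("alice", "wrong") is None
    r["missing_session_rejected"] = svc.authorize("not-a-token", "admin") is False
    bob = svc.authenticate("bob", "hunter2-but-longer")
    r["role_in_body_ignored"] = svc.authorize(bob, "admin", {"role": "admin"}) is False
    for _ in range(MAX_FAILURES):
        svc.authenticate("alice", "wrong")
    r["locked_out_despite_correct_password"] = (
        svc.authenticate("alice", "correct horse battery staple") is None
    )
    r["success_path_still_works"] = svc.authorize(bob, "user") is True
    return r


if __name__ == "__main__":
    for name, ok in check_failed_states().items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

The point of `check_failed_states` is that each negative path is asserted explicitly; a suite that only checks the happy path will not catch a regression where a lockout counter stops being honoured or a role starts being trusted from the request.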

More Resources: