“Every access to every object must be checked for authority.” — Ensure that any required access control is enforced along all access paths to the object or function being protected. (See Saltzer and Schroeder's Secure Design Principles)
- Complete Mediation
- Saltzer & Schroeder 1975
- Access Control
- All Assets/Actors/Actions
- Missing Modifiers, Permissive Visibility, Missing Auth Flows
- Mediation -> Every Thing/One/Call