## How to Prevent Access Control

- Do not rely on obfuscation alone
- Deny access by default
- Use single application-wide mechanism for enforcing access controls
- Make it mandatory for developers to declare access allowed for each resource
- Audit and test access controls to ensure they are working