Introduction
These are security standards, regulations and requirements that are known, used and implemented internationally in different types of organizations.
- Introduction
- Compliance
- Requirements
- Introduction
- Architecture
- Components with minimal dependencies
- Control calls to interpreted code
- Store source code in a repository
- Define standard configurations
- Set maximum response time
- Disable insecure functionalities
- Avoid client-side control enforcement
- Control redirects
- Protect WSDL files
- Set a rate limit
- Use consistent encoding
- Include HTTP security headers
- Serve files with specific extensions
- Authentication
- Validate credential ownership
- Out of band transactions
- Proper authentication responses
- Avoid account lockouts
- Display access notification
- Authenticate using standard protocols
- Request access credentials
- Implement a biometric verification component
- Require equipment identity
- Define credential interface
- Establish authentication time
- Ascertain human interaction
- Establish safe recovery
- Request authentication
- Make authentication options equally secure
- Request MFA for critical systems
- Avoid knowledge-based authentication
- Define out of band token lifespan
- Assign MFA mechanisms to a single account
- Use of indistinguishable response time
- Authorization
- Certificates
- Credentials
- Set a password regeneration mechanism
- Store hashed passwords
- Define unique data source
- Validate previous passwords
- Limit password lifespan
- Deny multiple password changing attempts
- Passphrases with at least 4 words
- Passwords with at least 20 characters
- Store passwords with salt
- Passwords with random salt
- Force temporary password change
- Change temporary passwords of third parties
- Define lifespan for temporary passwords
- Set minimum OTP length
- Define OTP lifespan
- Force re-authentication
- Change system default credentials
- Unique access credentials
- Remove inactive accounts periodically
- Prevent the use of breached passwords
- Store salt values separately
- Invalidate previous OTPs
- Notify upcoming expiration dates
- Proper generation of temporary passwords
- Define a password management tool
- Cryptography
- Protect system cryptographic keys
- Remove cryptographic keys from RAM
- Use pre-existent mechanisms
- Set minimum size of asymmetric encryption
- Set minimum size of symmetric encryption
- Set minimum size for hash functions
- Separate keys for encryption and signatures
- Uniform distribution in random numbers
- Use secure cryptographic mechanisms
- Disable insecure TLS versions
- Implement perfect forward secrecy
- Use initialization vectors once
- Assign unique keys to each device
- Replace cryptographic keys
- Use OAEP padding with RSA
- Use GCM Padding with AES
- Proper Use of Initialization Vector (IV)
- Data
- Restrict system objects
- Avoid caching and temporary files
- Use digital signatures
- Use mock data
- Transmit data using secure protocols
- Delete sensitive data securely
- Obfuscate application data
- Encrypt sensitive information
- Mask sensitive data
- Notify configuration changes
- Prioritize token usage
- Avoid deserializing untrusted data
- Keep client-side storage without sensitive data
- Avoid exposing technical information
- Remove sensitive data from client-side applications
- Devices
- Emails
- Files
- Do not deploy temporary files
- Parameters without sensitive data
- Define maximum file size
- Compare file format and extension
- Scan files for malicious code
- Validate file format
- Define an explicit content type
- Define an explicit charset
- Remove metadata when sharing files
- Manage the integrity of critical files
- Avoid storing sensitive files in the web root
- Use octet stream downloads
- Legal
- Logs
- Record exceptional events in logs
- Avoid disclosing technical information
- Disable debugging events
- Record exact occurrence time of events
- Prevent log modification
- Avoid logging sensitive data
- Allow transaction history queries
- Allow session history queries
- Avoid excessive logging
- Register severity level
- Store logs based on valid regulation
- Use of log management system
- Networks
- Hide SSID on private networks
- SSID without dictionary words
- Locate access points
- Manage access points
- Change access point IP
- Configure key encryption
- Restrict network access
- Change SSID name
- Allow access only to the necessary ports
- Access based on user credentials
- Filter website content
- Segment the organization network
- Verify sub-domain names
- Privacy
- Specify the purpose of data collection
- Request user consent
- Demonstrate user consent
- Allow user consent revocation
- Inform inability to identify users
- Provide processing confirmation
- Provide processed data information
- Allow rectification requests
- Allow erasure requests
- Notify third parties of changes
- Respect the Do Not Track header
- Remove unnecessary sensitive information
- Services
- Session
- Terminate inactive user sessions
- Transfer information using session objects
- Manage concurrent sessions
- Encrypt client-side session information
- Allow session lockout
- Allow users to log out
- Cookies with security attributes
- Avoid object reutilization
- Discard user session data
- Avoid session ID leakages
- Use stateless session tokens
- Set a maximum lifetime in sessions
- Social
- Source
- Reuse database connections
- Eliminate backdoors
- Application free of malicious code
- Source code without sensitive information
- Use the strict mode
- Use a secure programming language
- Obfuscate code
- Encode system outputs
- Define secure default options
- Avoid duplicate code
- Use optimized structures
- Close unused resources
- Initialize variables explicitly
- Use parameterized queries
- Remove commented-out code
- Encrypt connection strings
- Discard unsafe inputs
- Transactions without a distinguishable pattern
- Protect pages from clickjacking
- Declare dependencies explicitly
- Exclude unverifiable files
- Make critical logic flows thread safe
- Validate request parameters
- Avoid dynamic code execution
- Establish protections against overflows
- Avoid using generic exceptions
- Associate type to variables
- Keep low McCabe ciclomatic complexity
- Use of absolute paths
- System
- Virtualization
- Vulnerabilities
- Introduction
- Abuse Functionality
- Asymmetric denial of service
- Symmetric denial of service
- Insecure functionality
- Password change without identity check
- Lack of root detection
- Insecure service configuration - ADB Backups
- Debugging enabled in production - APK
- Insecure exceptions
- Errors without traceability
- Traceability loss - Server's clock
- Cached form fields
- Improper resource allocation
- Inappropriate coding practices - Wildcard import
- Duplicate code
- Conditional statement without a default option
- Commented-out code
- Non-upgradable dependencies
- Account lockout
- Privacy violation
- Hidden fields manipulation
- Lack of protection against deletion
- Email uniqueness not properly verified
- Improper control of interaction frequency
- Insecure functionality - Float currency
- HTTP request smuggling
- Improper type assignation
- Unverifiable files
- Regulation infringement
- Improper dependency pinning
- Email flooding
- Race condition
- Inappropriate coding practices
- Use of deprecated components
- Insecure exceptions - Empty or no catch
- Inappropriate coding practices - Eval function
- Inappropriate coding practices - Static Import
- Insecure service configuration
- Insecure service configuration - AWS
- Insecure service configuration - Kerberoast
- Insecure service configuration - Wireless Certificates
- Insecure service configuration - Keystore
- Insecure service configuration - Keys
- Insecure service configuration - Antivirus
- Insecure service configuration - Firewall
- Insecure service configuration - App Backup
- Insecure service configuration - Backup
- Insecure service configuration - Backdoor
- Insecure service configuration - DNS
- Insecure service configuration - SSH
- Insecure service configuration - Security Groups
- Insecure service configuration - RDP
- Insecure service configuration - SMB
- Insecure service configuration - SMTP
- Insecure service configuration - DynamoDB
- Debugging enabled in production
- Traceability loss
- Asymmetric denial of service - ReDoS
- Message flooding
- Incomplete funcional code
- Insecure functionality - Pass the hash
- Lack of protection against deletion - RDS
- Lack of protection against deletion - EC2
- Lack of protection against deletion - ELB
- Lack of protection against deletion - DynamoDB
- Insecure Binary compilation
- Insecure functionality - File Creation
- Insecure functionality - Password management
- Insecure functionality - Masking
- Insecure functionality - Fingerprint
- Insecure exceptions - NullPointerException
- Insecure service configuration - App Transport Security
- Inappropriate coding practices - Public variables
- Insecure service configuration - Key pair
- Insecure service configuration - OTP
- Insecure functionality - Session management
- Inappropriate coding practices - Initialization
- Inappropriate coding practices - Performance
- Enabled default configuration
- Insecure service configuration - Signatures
- Insecure service configuration - Certificates
- Insecure service configuration - DB
- Insecure service configuration - CloudDB
- Improper resource allocation - Buffer overflow
- Improper resource allocation - Memory leak
- Insecure service configuration - Roles
- Insecure service configuration - LDAP
- Insecure functionality - User management
- Insecure service configuration - EC2
- Insecure service configuration - IAM
- Insecure service configuration - S3
- Insecure service configuration - Salt
- Insecure service configuration - Request Validation
- Insecure service configuration - BREACH Attack
- Insecure service configuration - Task Hijacking
- Insecure service configuration - Non Masked Variables
- Symmetric denial of service - SMTP
- Symmetric denial of service - FTP
- Insecure service configuration - DocumentBuilderFactory
- Inappropriate coding practices - Transparency Conflict
- Inappropriate coding practices - Unnecessary imports
- Supply Chain Attack - Docker
- Supply Chain Attack - Terraform
- Insufficient data authenticity validation - Front bypass
- Insecurely generated token - OTP
- Collect Information
- Sensitive information in source code
- Use of software with known vulnerabilities
- Insecure encryption algorithm - SSL/TLS
- Sensitive information sent insecurely
- Administrative credentials stored in cache memory
- Non-encrypted confidential information
- Use of an insecure channel
- Call interception
- User enumeration
- Insecure temporary files
- Sensitive information sent via URL parameters
- ViewState not encrypted
- Technical information leak
- Business information leak
- Exposed web services
- Missing secure obfuscation - APK
- Automatic information enumeration
- Insecure encryption algorithm
- Exposed administrative services
- Sensitive information stored in logs
- Technical information leak - Console functions
- Weak CAPTCHA
- Non-encrypted confidential information - AWS
- Insecurely deleted files
- Sensitive data stored in client-side storage
- Insecure encryption algorithm - Anonymous cipher suites
- Insecure encryption algorithm - Cipher Block Chaining
- Non-encrypted confidential information - AWS EBS
- Non-encrypted confidential information - S3 Server Side Encryption
- XS-Leaks
- Metadata with sensitive information
- Directory listing
- Insecure encryption algorithm - Perfect Forward Secrecy
- Sensitive information in source code - API Key
- Insecure encryption algorithm - Unused components
- Insecure encryption algorithm - SSLContext
- Use of an insecure channel - FTP
- Use of an insecure channel - SMTP
- Use of an insecure channel - useSslProtocol()
- Use of an insecure channel - Telnet
- Missing secure obfuscation
- Missing secure obfuscation - binary
- Business information leak - JWT
- Business information leak - Credentials
- Business information leak - Repository
- Business information leak - Source Code
- Business information leak - Credit Cards
- Business information leak - Network Unit
- Business information leak - Redis
- Business information leak - Token
- Business information leak - Users
- Business information leak - DB
- Business information leak - JFROG
- Business information leak - AWS
- Business information leak - Azure
- Business information leak - Personal Information
- Business information leak - NAC
- Business information leak - Analytics
- Business information leak - Power BI
- Business information leak - Firestore
- Technical information leak - Angular
- Technical information leak - Stacktrace
- Technical information leak - Headers
- Technical information leak - SourceMap
- Technical information leak - Print Functions
- Technical information leak - API
- Technical information leak - Errors
- Non-encrypted confidential information - Credit Cards
- Non-encrypted confidential information - DB
- Non-encrypted confidential information - AWS
- Non-encrypted confidential information - LDAP
- Non-encrypted confidential information - Credentials
- Non-encrypted hard drives
- Non-encrypted confidential information - JFROG
- Automatic information enumeration - Open ports
- Automatic information enumeration - AWS
- Automatic information enumeration - Credit Cards
- Insecure encryption algorithm - DSA
- Insecure encryption algorithm - SHA1
- Insecure encryption algorithm - MD5
- Insecure encryption algorithm - TripleDES
- Insecure encryption algorithm - AES
- Insecure encryption algorithm - TLS
- Insecure encryption algorithm - SSL
- Insecure encryption algorithm - DES
- Insecure encryption algorithm - Blowfish
- Non-encrypted confidential information - Local data
- Sensitive information sent via URL parameters - Session
- Use of an insecure channel - AWS
- Insecure encryption algorithm - ECB
- Automatic information enumeration - Personal Information
- Non-encrypted confidential information - Base 64
- Technical information leak - Logs
- Technical information leak - IPs
- Business information leak - Financial Information
- Sensitive information in source code - Dependencies
- User Enumeration - Wordpress
- Use of insecure channel - Source code
- Business information leak - Corporate information
- Technical information leak - Alert
- Technical information leak - Credentials
- Automatic information enumeration - Corporate information
- Sensitive information in source code - Credentials
- Sensitive information in source code - Git history
- Use of an insecure channel - HTTP
- Use of an insecure channel - Oracle Database
- Non-encrypted confidential information - Hexadecimal
- Deceptive Interactions
- Uncontrolled external site redirect - Host Header Injection
- Spoofing
- Insecurely generated token
- MDNS spoofing
- Missing subresource integrity check
- Reverse tabnabbing
- Server-side request forgery (SSRF)
- Phishing
- Uncontrolled external site redirect
- Email spoofing
- Insecurely generated token - JWT
- Insecurely generated token - Validation
- Insecurely generated token - Lifespan
- Clickjacking
- Inject Unexpected
- SQL injection - C Sharp SQL API
- Remote command execution
- Reflected cross-site scripting (XSS)
- Stored cross-site scripting (XSS)
- SQL injection - Java Persistence API
- XPath injection
- HTML code injection
- Lack of data validation - Path Traversal
- XML injection (XXE)
- Lack of data validation - Trust boundary violation
- CSV injection
- Insecure deserialization
- Apache lucene query injection
- NoSQL injection
- LDAP injection
- SQL injection - Java SQL API
- HTTP parameter pollution
- Lack of data validation - Type confusion
- Lack of data validation - URL
- SQL injection
- Time-based SQL Injection
- SQL Injection - Headers
- Lack of data validation
- Lack of data validation - Header x-amzn-RequestId
- Lack of data validation - Web Service
- Lack of data validation - Source Code
- Lack of data validation - Modify DOM Elements
- Lack of data validation - Content Spoofing
- Lack of data validation - Session Cookie
- Lack of data validation - Responses
- Lack of data validation - Reflected Parameters
- Lack of data validation - Host Header Injection
- Lack of data validation - Input Length
- Lack of data validation - Headers
- Lack of data validation - Dates
- Lack of data validation - Numbers
- Lack of data validation - Out of range
- Lack of data validation - Emails
- Restricted fields manipulation
- SQL injection - Code
- Lack of data validation - HTML code
- XML injection (XXE) - Unmarshaller
- Lack of data validation - Special Characters
- Lack of data validation - OTP
- Lack of data validation - Non Sanitized Variables
- Lack of data validation - Token
- Missing secure obfuscation - JavaScript
- Technical information leak - Content response
- Weak credential policy - Password strength
- Weak credential policy - Temporary passwords
- Authentication mechanism absence or evasion - Response tampering
- DOM-Based cross-site scripting (XSS)
- Manipulate Data
- External control of file name or path
- Insufficient data authenticity validation - APK signing
- Out-of-bounds read
- Local file inclusion
- Insufficient data authenticity validation
- Insufficient data authenticity validation - Images
- Insufficient data authenticity validation - Checksum verification
- Insufficient data authenticity validation - Device Binding
- Manipulate System
- Probabilistic Techniques
- Insecure generation of random numbers
- Weak credential policy
- Enabled default credentials
- Guessed weak credentials
- Lack of protection against brute force attacks
- Weak credential policy - Password Expiration
- Weak credential policy - Password Change Limit
- Lack of protection against brute force attacks - Credentials
- Protocol Manipulation
- Insecure authentication method - Basic
- Insecure or unset HTTP headers - Content-Security-Policy
- Insecure HTTP methods enabled
- Insecure or unset HTTP headers - Referrer-Policy
- Insecure or unset HTTP headers - Strict Transport Security
- Insecure or unset HTTP headers - X-Content-Type-Options
- Insecure or unset HTTP headers - CORS
- Insecure or unset HTTP headers - X-XSS Protection
- Insecure or unset HTTP headers - Cache Control
- Insecure or unset HTTP headers - X-Permitted-Cross-Domain-Policies
- Insecure or unset HTTP headers - X-Frame Options
- Insecure or unset HTTP headers - Accept
- Insecure or unset HTTP headers - Content-Type
- Subvert Access
- Privilege escalation
- Authentication mechanism absence or evasion
- Cross-site request forgery
- Insecure object reference
- Improper authentication for shared folders
- Unrestricted access between network segments - AWS
- Insecure file upload
- Excessive privileges - AWS
- Improper authorization control for web services
- Insecurely generated cookies
- Inappropriate coding practices - Unused variables
- Cracked weak credentials
- Anonymous connection
- Asymmetric denial of service - Content length
- Concurrent sessions
- Insecure session expiration time
- Unauthorized access to files - APK Content Provider
- Insecure session management
- Lack of multi-factor authentication
- Security controls bypass or absence
- Lack of isolation methods
- Insecurely generated cookies - HttpOnly
- Insecurely generated cookies - SameSite
- Insecurely generated cookies - Secure
- Unrestricted access between network segments
- Unrestricted access between network segments - Azure AD
- Excessive privileges
- Excessive privileges - Temporary Files
- Insecure digital certificates
- Unauthorized access to files
- Unauthorized access to files - Debug APK
- Unauthorized access to files - S3 Bucket
- Insuficient Phisical Access Controls
- Security controls bypass or absence - Anti hooking
- Security controls bypass or absence - SSLPinning
- Security controls bypass or absence - Antivirus
- Security controls bypass or absence - Emulator
- Security controls bypass or absence - Facial Recognition
- Security controls bypass or absence - Cloudflare
- Authentication mechanism absence or evasion - OTP
- Authentication mechanism absence or evasion - AWS
- Authentication mechanism absence or evasion - WiFi
- Authentication mechanism absence or evasion - Admin Console
- Authentication mechanism absence or evasion - BIOS
- Root detection control bypass
- Session Fixation
- Insecure object reference - Personal information
- Insecure object reference - Corporate information
- Insecure object reference - Financial information
- Insecure session management - Change Password
- Authentication mechanism absence or evasion - Redirect
- Authentication mechanism absence or evasion - JFROG
- Authentication mechanism absence or evasion - Azure
- Concurrent sessions control bypass
- Security controls bypass or absence - Data creation
- Insecure object reference - Files
- Insecure object reference - Data
- Unauthorized access to screen
- Unrestricted access between network segments - JSch
- Excessive privileges - Wildcards
- Insecure object reference - Session management
- Insecure session management - CSRF Fixation
- Security controls bypass or absence - Session Invalidation
- Excessive privileges - Mobile App
- Insecure digital certificates - Lifespan
- Insecure digital certificates - Chain of trust
- Insecure file upload - Files Limit
- Unrestricted access between network segments - StrictHostKeyChecking
- Insecure object reference - User deletion
- Authentication mechanism absence or evasion - Security Image
- Security controls bypass or absence - Debug Protection
- Security controls bypass or absence - Tampering Protection
- Security controls bypass or absence - Reversing Protection