
ISSAF


Summary

The Information Systems Security Assessment Framework (ISSAF) is a penetration testing methodology designed to evaluate network, system and application controls. The version used in this section is ISSAF 0.2.1B.

Definitions

| Definition | Requirements |
|---|---|
| A_2_4. Assessment - Penetration | 035. Manage privilege modifications |
| A_2_7. Assessment - Compromise remote users or sites | 338. Implement perfect forward secrecy |
| D_1. Network security - Password security testing (gathering authentication credentials) | 130. Limit password lifespan; 132. Passphrases with at least 4 words; 133. Passwords with at least 20 characters; 139. Set minimum OTP length; 332. Prevent the use of breached passwords |
| D_8. Network security - Password security testing (countermeasures) | 127. Store hashed passwords; 133. Passwords with at least 20 characters; 134. Store passwords with salt; 135. Passwords with random salt; 332. Prevent the use of breached passwords; 334. Avoid knowledge-based authentication |
| E_1. Network security - Switch security assessment | 062. Define standard configurations; 273. Define a fixed security suite |
| E_13. Network security - Switch security assessment (assess private VLAN attack) | 255. Allow access only to the necessary ports |
| E_21. Network security - Switch security assessment (VLAN reconfiguration) | 148. Set minimum size of asymmetric encryption; 150. Set minimum size for hash functions |
| E_22. Network security - Switch security assessment (layer 2 port authentication) | 072. Set maximum response time; 327. Set a rate limit |
| F_1. Network security - Router security assessment (router identification) | 266. Disable insecure functionalities |
| F_2. Network security - Router security assessment (common issues assessment) | 062. Define standard configurations |
| F_5. Network security - Router security assessment (global countermeasures) | 062. Define standard configurations |
| F_5_1. Network security - Router security assessment (turn on logging) | 376. Register severity level |
| F_5_2. Network security - Router security assessment (limit telnet) | 181. Transmit data using secure protocols |
| F_5_3. Network security - Router security assessment (protect passwords) | 148. Set minimum size of asymmetric encryption; 150. Set minimum size for hash functions |
| F_5_7. Network security - Router security assessment (disable non-essential services) | 161. Define secure default options |
| F_5_9. Network security - Router security assessment (configure ingress filtering) | 173. Discard unsafe inputs; 320. Avoid client-side control enforcement; 342. Validate request parameters |
| G_9_8. Network security - Firewalls (identify firewall architecture) | 142. Change system default credentials; 161. Define secure default options |
| G_12. Network security - Firewalls (port redirection) | 153. Out of band transactions; 173. Discard unsafe inputs; 377. Store logs based on valid regulation |
| G_13_4. Network security - Firewalls (application level) | 273. Define a fixed security suite |
| G_14. Network security - Firewalls (countermeasures) | 153. Out of band transactions; 253. Restrict network access; 258. Filter website content |
| G_15. Network security - Firewalls (compromise remote users/sites) | 153. Out of band transactions; 181. Transmit data using secure protocols; 320. Avoid client-side control enforcement |
| H_14_3. Network security - Intrusion detection (detection engine) | 178. Use digital signatures |
| H_14_7. Network security - Intrusion detection (detection engine) | 075. Record exceptional events in logs; 080. Prevent log modification; 227. Display access notification |
| H_14_13. Network security - Intrusion detection (detection engine) | 072. Set maximum response time; 327. Set a rate limit |
| H_14_17. Network security - Intrusion detection (detection engine) | 148. Set minimum size of asymmetric encryption; 149. Set minimum size of symmetric encryption; 150. Set minimum size for hash functions; 181. Transmit data using secure protocols; 336. Disable insecure TLS versions |
| H_15_9. Network security - Intrusion detection (rule configuration and management interface) | 152. Reuse database connections; 172. Encrypt connection strings |
| H_16_5. Network security - Intrusion detection (logging systems) | 075. Record exceptional events in logs; 181. Transmit data using secure protocols |
| J_4. Network security - Anti-virus system (objective) | 041. Scan files for malicious code; 118. Inspect attachments; 273. Define a fixed security suite |
| J_6_1. Network security - Anti-virus system (methodology) | 273. Define a fixed security suite |
| J_6_4. Network security - Anti-virus system (methodology) | 115. Filter malicious emails; 118. Inspect attachments |
| J_7_2. Network security - Anti-virus system (check end user antivirus) | 273. Define a fixed security suite; 353. Schedule firmware updates |
| J_7_3_5. Network security - Anti-virus system (methodology) | 040. Compare file format and extension; 266. Disable insecure functionalities |
| K_9_1. Network security - Storage Area Network SAN (practices for the data-at-rest) | 039. Define maximum file size; 176. Restrict system objects; 185. Encrypt sensitive information; 249. Locate access points; 329. Keep client-side storage without sensitive data; 339. Avoid storing sensitive files in the web root |
| L_3_1. Network security - WLAN security (types of threats) | 247. Hide SSID on private networks; 253. Restrict network access |
| L_4_3. Network security - WLAN security (audit and review) | 248. SSID without dictionary words; 250. Manage access points; 254. Change SSID name; 255. Allow access only to the necessary ports; 353. Schedule firmware updates |
| L_4_5_6. Network security - WLAN security (exploitation and attacks) | 181. Transmit data using secure protocols |
| L_8. Network security - WLAN security (global countermeasures) | 252. Configure key encryption |
| P_4. Host security - Linux security (identify ports and services) | 237. Ascertain human interaction; 266. Disable insecure functionalities; 327. Set a rate limit |
| P_4_1. Host security - Linux security (identify ports and users) | 266. Disable insecure functionalities |
| P_6_1. Host security - Linux security (remote attacks) | 173. Discard unsafe inputs; 265. Restrict access to critical processes; 266. Disable insecure functionalities |
| P_6_3. Host security - Linux security (buffer overflows) | 158. Use a secure programming language; 164. Use optimized structures; 173. Discard unsafe inputs; 345. Establish protections against overflows |
| P_6_4. Host security - Linux security (stack based overflows) | 345. Establish protections against overflows |
| P_6_5. Host security - Linux security (heap based overflows) | 345. Establish protections against overflows |
| P_6_6. Host security - Linux security (integer overflows) | 345. Establish protections against overflows |
| P_6_15. Host security - Linux security (local attacks) | 035. Manage privilege modifications; 096. Set user's required privileges; 173. Discard unsafe inputs; 176. Restrict system objects; 265. Restrict access to critical processes; 320. Avoid client-side control enforcement |
| P_6_16. Host security - Linux security (file and directory permission attacks) | 323. Exclude unverifiable files |
| Q_8_6_1. Host security - Windows security (brute force passwords or remote attack) | 237. Ascertain human interaction; 327. Set a rate limit |
| Q_16_10. Host security - Windows security (SMB attacks) | 134. Store passwords with salt; 135. Passwords with random salt; 150. Set minimum size for hash functions; 266. Disable insecure functionalities |
| Q_16_13. Host security - Windows security (registry attacks) | 154. Eliminate backdoors |
| Q_16_20. Host security - Windows security (local attacks) | 035. Manage privilege modifications; 096. Set user's required privileges; 144. Remove inactive accounts periodically; 173. Discard unsafe inputs; 176. Restrict system objects; 265. Restrict access to critical processes |
| Q_16_27. Host security - Windows security (DLL injection attack) | 040. Compare file format and extension; 041. Scan files for malicious code |
| Q_16_34. Host security - Windows security (denial of service attacks) | 072. Set maximum response time; 237. Ascertain human interaction |
| S_5_1. Web server security - Countermeasures (secure administrative access) | 033. Restrict administrative access; 096. Set user's required privileges; 284. Define maximum number of connections |
| S_5_4. Web server security - Countermeasures (enable logging and do periodic analysis) | 075. Record exceptional events in logs; 080. Prevent log modification |
| S_5_7. Web server security - Countermeasures (compartmentalize web server process) | 374. Use of isolation methods in running applications |
| S_5_8. Web server security - Countermeasures (run as a non-root user) | 326. Detect rooted devices |
| T_6_4. Web application assessment - Identifying web server vendor and version (default files) | 161. Define secure default options |
| T_6_5. Web application assessment - Identifying web server vendor and version (by extension of pages on web server) | 355. Serve files with specific extensions |
| T_6_6. Web application assessment - Identifying web server vendor and version (by error) | 077. Avoid disclosing technical information; 152. Reuse database connections; 169. Use parameterized queries |
| T_6_10. Web application assessment - Test view source bugs | 156. Source code without sensitive information |
| T_10_1. Web application assessment - Attack on secure HTTP | 181. Transmit data using secure protocols; 349. Include HTTP security headers |
| T_11_1. Web application assessment - Brute force attack | 237. Ascertain human interaction; 327. Set a rate limit |
| T_12_2. Web application assessment - Browsable directories check | 176. Restrict system objects; 266. Disable insecure functionalities |
| T_13_2. Web application assessment - Test invalidated parameters (Cross Site Scripting) | 029. Cookies with security attributes; 173. Discard unsafe inputs |
| T_13_3. Web application assessment - Test invalidated parameters (Cross Site Tracing) | 029. Cookies with security attributes; 266. Disable insecure functionalities |
| T_14_1. Web application assessment - URL manipulation | 032. Avoid session ID leakages; 336. Disable insecure TLS versions |
| T_14_2. Web application assessment - Hidden form fields manipulation | 173. Discard unsafe inputs |
| T_14_3. Web application assessment - Cookie manipulation | 029. Cookies with security attributes; 329. Keep client-side storage without sensitive data |
| T_16_1. Web application assessment - Input validation (validate data) | 029. Cookies with security attributes; 077. Avoid disclosing technical information; 173. Discard unsafe inputs; 320. Avoid client-side control enforcement; 342. Validate request parameters |
| T_16_2. Web application assessment - Input validation (test buffer overflow) | 327. Set a rate limit; 345. Establish protections against overflows |
| T_16_3. Web application assessment - Input validation (PHP insertion) | 077. Avoid disclosing technical information; 176. Restrict system objects |
| T_17. Web application assessment - Test SQL injection | 169. Use parameterized queries; 173. Discard unsafe inputs |
| T_19_1. Web application assessment - Global countermeasures (client-side) | 023. Terminate inactive user sessions; 029. Cookies with security attributes; 030. Avoid object reutilization; 123. Restrict the reading of emails; 173. Discard unsafe inputs; 336. Disable insecure TLS versions; 375. Remove sensitive data from client-side applications |
| T_19_2. Web application assessment - Global countermeasures (server-side) | 225. Proper authentication responses; 261. Avoid exposing sensitive information; 339. Avoid storing sensitive files in the web root; 376. Register severity level |
| U_8. Web application SQL injections - Check SQL injection vulnerability | 173. Discard unsafe inputs |
| U_9. Web application SQL injections - Bypass user authentication | 143. Unique access credentials; 144. Remove inactive accounts periodically; 332. Prevent the use of breached passwords |
| U_11. Web application SQL injections - Get control on host | 096. Set user's required privileges; 173. Discard unsafe inputs; 176. Restrict system objects; 265. Restrict access to critical processes |
| U_15. Web application SQL injections - Countermeasures | 037. Parameters without sensitive data; 096. Set user's required privileges; 156. Source code without sensitive information; 158. Use a secure programming language; 164. Use optimized structures; 167. Close unused resources; 169. Use parameterized queries; 173. Discard unsafe inputs; 342. Validate request parameters; 359. Avoid using generic exceptions |
| V_6_1. Application security - Source code auditing (authentication) | 176. Restrict system objects |
| V_6_3. Application security - Source code auditing (hash or digest authentication) | 127. Store hashed passwords; 333. Store salt values separately |
| V_6_4. Application security - Source code auditing (forms based authentication) | 088. Request client certificates; 090. Use valid certificates |
| V_7. Application security - Source code auditing (session management) | 342. Validate request parameters |
| V_9. Application security - Source code auditing (data and input validation) | 173. Discard unsafe inputs; 237. Ascertain human interaction; 342. Validate request parameters |
| V_10. Application security - Source code auditing (Cross Site Scripting XSS) | 029. Cookies with security attributes; 173. Discard unsafe inputs; 324. Control redirects |
| V_11. Application security - Source code auditing (buffer overflows) | 345. Establish protections against overflows |
| V_12. Application security - Source code auditing (error handling) | 225. Proper authentication responses |
| V_13. Application security - Source code auditing (command injection) | 173. Discard unsafe inputs; 265. Restrict access to critical processes; 266. Disable insecure functionalities |
| Y_2. Database security - Oracle security assessment | 181. Transmit data using secure protocols |
| Y_3_1. Database security - Database services countermeasures | 133. Passwords with at least 20 characters; 142. Change system default credentials; 161. Define secure default options; 229. Request access credentials |
| Y_3_4. Database security - Database services countermeasures | 035. Manage privilege modifications; 046. Manage the integrity of critical files |