Introduction

This section allows you to determine what is tested and what is not, and find out what is considered a vulnerability. It is also the basis for determining how rigorous a pentest was, based on tested and untested requirements. The security requirements are independent of the type of technology being used and are written as specific and understandable objectives. They are the security demands that you agree to follow and comply with. Through our hacking services, we determine if these are met or not.

The requirements are based on several standards related to information security.

Index

Architecture

• 048. Components with minimal dependencies
• 050. Control calls to interpreted code
• 051. Store source code in a repository
• 062. Define standard configurations
• 072. Set maximum response time
• 266. Disable insecure functionalities
• 320. Avoid client-side control enforcement
• 324. Control redirects
• 325. Protect WSDL files
• 327. Set a rate limit
• 348. Use consistent encoding
• 349. Include HTTP security headers
• 355. Serve files with specific extensions

Authentication

• 122. Validate credential ownership
• 153. Out of band transactions
• 225. Proper authentication responses
• 226. Avoid account lockouts
• 227. Display access notification
• 228. Authenticate using standard protocols
• 229. Request access credentials
• 231. Implement a biometric verification component
• 232. Require equipment identity
• 235. Define credential interface
• 236. Establish authentication time
• 237. Ascertain human interaction
• 238. Establish safe recovery
• 264. Request authentication
• 319. Make authentication options equally secure
• 328. Request MFA for critical systems
• 334. Avoid knowledge-based authentication
• 335. Define out of band token lifespan
• 362. Assign MFA mechanisms to a single account
• 368. Use of indistinguishable response time

Authorization

• 033. Restrict administrative access
• 034. Manage user accounts
• 035. Manage privilege modifications
• 095. Define users with privileges
• 096. Set user's required privileges
• 114. Deny access with inactive credentials
• 341. Use the principle of deny by default

Certificates

• 088. Request client certificates
• 089. Limit validity of certificates
• 090. Use valid certificates
• 091. Use internally signed certificates
• 092. Use externally signed certificates
• 093. Use consistent certificates
• 364. Provide extended validation (EV) certificates
• 373. Use certificate pinning

Credentials

• 126. Set a password regeneration mechanism
• 127. Store hashed passwords
• 128. Define unique data source
• 129. Validate previous passwords
• 130. Limit password lifespan
• 131. Deny multiple password changing attempts
• 132. Passphrases with at least 4 words
• 133. Passwords with at least 20 characters
• 134. Store passwords with salt
• 135. Passwords with random salt
• 136. Force temporary password change
• 137. Change temporary passwords of third parties
• 138. Define lifespan for temporary passwords
• 139. Set minimum OTP length
• 140. Define OTP lifespan
• 141. Force re-authentication
• 142. Change system default credentials
• 143. Unique access credentials
• 144. Remove inactive accounts periodically
• 332. Prevent the use of breached passwords
• 333. Store salt values separately
• 347. Invalidate previous OTPs
• 358. Notify upcoming expiration dates
• 367. Proper generation of temporary passwords
• 380. Define a password management tool

Cryptography

• 145. Protect system cryptographic keys
• 146. Remove cryptographic keys from RAM
• 147. Use pre-existent mechanisms
• 148. Set minimum size of asymmetric encryption
• 149. Set minimum size of symmetric encryption
• 150. Set minimum size for hash functions
• 151. Separate keys for encryption and signatures
• 223. Uniform distribution in random numbers
• 224. Use secure cryptographic mechanisms
• 336. Disable insecure TLS versions
• 338. Implement perfect forward secrecy
• 346. Use initialization vectors once
• 351. Assign unique keys to each device
• 361. Replace cryptographic keys
• 370. Use OAEP padding with RSA
• 371. Use GCM Padding with AES
• 372. Proper Use of Initialization Vector (IV)

Data

• 176. Restrict system objects
• 177. Avoid caching and temporary files
• 178. Use digital signatures
• 180. Use mock data
• 181. Transmit data using secure protocols
• 183. Delete sensitive data securely
• 184. Obfuscate application data
• 185. Encrypt sensitive information
• 300. Mask sensitive data
• 301. Notify configuration changes
• 305. Prioritize token usage
• 321. Avoid deserializing untrusted data
• 329. Keep client-side storage without sensitive data
• 365. Avoid exposing technical information
• 375. Remove sensitive data from client-side applications

Devices

• 205. Configure PIN
• 206. Configure communication protocols
• 209. Manage passwords in cache
• 210. Delete information from mobile devices
• 213. Allow geographic location
• 214. Allow data destruction
• 326. Detect rooted devices
• 350. Enable memory protection mechanisms
• 352. Enable trusted execution
• 353. Schedule firmware updates
• 354. Prevent firmware downgrades

Emails

• 115. Filter malicious emails
• 116. Disable images of unknown origin
• 117. Do not interpret HTML code
• 118. Inspect attachments
• 119. Hide recipients
• 121. Guarantee uniqueness of emails
• 123. Restrict the reading of emails

Files

• 036. Do not deploy temporary files
• 037. Parameters without sensitive data
• 039. Define maximum file size
• 040. Compare file format and extension
• 041. Scan files for malicious code
• 042. Validate file format
• 043. Define an explicit content type
• 044. Define an explicit charset
• 045. Remove metadata when sharing files
• 046. Manage the integrity of critical files
• 339. Avoid storing sensitive files in the web root
• 340. Use octet stream downloads

Legal

• 331. Guarantee legal compliance

Logs

• 075. Record exceptional events in logs
• 077. Avoid disclosing technical information
• 078. Disable debugging events
• 079. Record exact occurrence time of events
• 080. Prevent log modification
• 083. Avoid logging sensitive data
• 084. Allow transaction history queries
• 085. Allow session history queries
• 322. Avoid excessive logging
• 376. Register severity level
• 377. Store logs based on valid regulation
• 378. Use of log management system

Networks

• 247. Hide SSID on private networks
• 248. SSID without dictionary words
• 249. Locate access points
• 250. Manage access points
• 251. Change access point IP
• 252. Configure key encryption
• 253. Restrict network access
• 254. Change SSID name
• 255. Allow access only to the necessary ports
• 257. Access based on user credentials
• 258. Filter website content
• 259. Segment the organization network
• 356. Verify sub-domain names

Privacy

• 189. Specify the purpose of data collection
• 310. Request user consent
• 311. Demonstrate user consent
• 312. Allow user consent revocation
• 313. Inform inability to identify users
• 314. Provide processing confirmation
• 315. Provide processed data information
• 316. Allow rectification requests
• 317. Allow erasure requests
• 318. Notify third parties of changes
• 343. Respect the Do Not Track header
• 360. Remove unnecessary sensitive information

Services

• 262. Verify third-party components
• 265. Restrict access to critical processes
• 330. Verify Subresource Integrity

Session

• 023. Terminate inactive user sessions
• 024. Transfer information using session objects
• 025. Manage concurrent sessions
• 026. Encrypt client-side session information
• 027. Allow session lockout
• 028. Allow users to log out
• 029. Cookies with security attributes
• 030. Avoid object reutilization
• 031. Discard user session data
• 032. Avoid session ID leakages
• 357. Use stateless session tokens
• 369. Set a maximum lifetime in sessions

Social

• 260. Use alternative emails
• 261. Avoid exposing sensitive information

Source

• 152. Reuse database connections
• 154. Eliminate backdoors
• 155. Application free of malicious code
• 156. Source code without sensitive information
• 157. Use the strict mode
• 158. Use a secure programming language
• 159. Obfuscate code
• 160. Encode system outputs
• 161. Define secure default options
• 162. Avoid duplicate code
• 164. Use optimized structures
• 167. Close unused resources
• 168. Initialize variables explicitly
• 169. Use parameterized queries
• 171. Remove commented-out code
• 172. Encrypt connection strings
• 173. Discard unsafe inputs
• 174. Transactions without a distinguishable pattern
• 175. Protect pages from clickjacking
• 302. Declare dependencies explicitly
• 323. Exclude unverifiable files
• 337. Make critical logic flows thread safe
• 342. Validate request parameters
• 344. Avoid dynamic code execution
• 345. Establish protections against overflows
• 359. Avoid using generic exceptions
• 366. Associate type to variables
• 379. Keep low McCabe ciclomatic complexity
• 381. Use of absolute paths

System

• 186. Use the principle of least privilege
• 273. Define a fixed security suite
• 280. Restrict service root directory
• 284. Define maximum number of connections
• 363. Synchronize system clocks
• 374. Use of isolation methods in running applications

Virtualization

• 221. Disconnect unnecessary input devices
• 222. Deny access to the host machine

free trial

Search for vulnerabilities in your apps for free with our automated security testing! Start your 21-day free trial and discover the benefits of our Continuous Hacking Machine Plan. If you prefer a full service that includes the expertise of our ethical hackers, don't hesitate to contact us for our Continuous Hacking Squad Plan.