Define standard configurations
Summary
The organization must define standard configurations that correct all known vulnerabilities. These configurations must also be consistent with industry standards.
Description
System configuration is a key factor in security. The system must follow the industry's standard configurations that prevent all known vulnerabilities. These settings also help ensure the ongoing confidentiality, integrity, availability and resilience of systems and services.
Supported In
This requirement is verified in the following services:

| Plan | Supported |
|---|---|
| Machine | 🟢 |
| Squad | 🟢 |
References
- BSIMM-SR3_3:_17. Use secure coding standards
- CAPEC™-125. Flooding
- CAPEC™-130. Excessive allocation
- CAPEC™-151. Identity spoofing
- CAPEC™-161. Infrastructure manipulation
- CAPEC™-697. DHCP Spoofing
- CIS-4_1. Establish and maintain a secure configuration process
- CIS-4_2. Establish and maintain a secure configuration process for network infrastructure
- CIS-13_10. Perform application layer filtering
- GDPR-32_1b. Security of processing
- OWASP TOP 10-A4. Insecure design
- OWASP TOP 10-A5. Security misconfiguration
- SOC2®-CC5_1. Control activities
- SOC2®-CC5_2. Control activities
- NIST Framework-PR_DS-4. Adequate capacity to ensure availability is maintained
- Agile Alliance-11. Best architectures, requirements, and designs
- NY SHIELD Act-5575_B_6. Personal and private information
- NYDFS-500_2. Cybersecurity program
- MITRE ATT&CK®-M1015. Active directory configuration
- MITRE ATT&CK®-M1016. Vulnerability scanning
- MITRE ATT&CK®-M1024. Restrict registry permissions
- MITRE ATT&CK®-M1028. Operating system configuration
- MITRE ATT&CK®-M1042. Disable or remove feature or program
- MITRE ATT&CK®-M1046. Boot integrity
- MITRE ATT&CK®-M1057. Data loss prevention
- PDPA-9B_48E. Improper use of personal data
- POPIA-3A_16. Quality of information
- POPIA-3A_19. Security measures on integrity and confidentiality of personal information
- PDPO-S1_4. Security of personal data
- CMMC-AT_L2-3_2_1. Role-based risk awareness
- CMMC-CM_L2-3_4_2. Security configuration enforcement
- CMMC-RA_L2-3_11_2. Vulnerability scan
- CMMC-SC_L2-3_13_16. Data at rest
- HITRUST CSF-10_d. Message integrity
- FedRAMP-RA-5. Vulnerability scanning
- FedRAMP-SA-10. Developer configuration management
- FedRAMP-SC-28. Protection of information at rest
- ISO/IEC 27002-8_9. Configuration management
- ISO/IEC 27002-8_27. Secure system architecture and engineering principles
- ISA/IEC 62443-RA-7_6. Network and security configuration settings
- WASSEC-6_2_3_1. Client-side attacks - Content spoofing
- WASSEC-6_2_3_6. Client-side attacks - Flash-related attack
- OSSTMM3-9_9_2. Wireless security (configuration verification) - Configuration controls
- OSSTMM3-11_7_2. Data networks security (controls verification) - Confidentiality
- OSSTMM3-11_7_3. Data networks security (controls verification) - Privacy
- OSSTMM3-11_7_4. Data networks security (controls verification) - Integrity
- OSSTMM3-11_9_1. Data networks security - Configuration controls
- WASC-A_26. HTTP request smuggling
- WASC-W_15. Application misconfiguration
- WASC-W_14. Server misconfiguration
- NIST SSDF-PW_1_3. Design software to meet security requirements and mitigate security risks
- NIST SSDF-PW_4_1. Reuse existing, well-secured software when feasible instead of duplicating functionality
- NIST SSDF-PW_6_2. Configure the compilation, interpreter, and build processes to improve executable security
- NIST SSDF-PW_9_1. Configure software to have secure settings by default
- NIST SSDF-RV_2_2. Assess, prioritize, and remediate vulnerabilities
- ISSAF-E_1. Network security - Switch security assessment
- ISSAF-F_2. Network security - Router security assessment (common issues assessment)
- ISSAF-F_5. Network security - Router security assessment (global countermeasures)
- PTES-7_3_1_6. Post exploitation - Network infrastructure analysis (ARP entries)
- PTES-7_4_4_1. Post Exploitation - Pillaging (user information on system)
- MVSP-2_3. Application design controls - Security Headers
- MVSP-3_3. Application implementation controls - Vulnerability prevention
- OWASP SCP-13. Memory management
- BSAFSS-TC_1-2. Developed software using security tools
- BSAFSS-TC_1-6. Developed software using security tools
- OWASP MASVS-V1_3. Architecture, design and threat modeling requirements
- OWASP MASVS-V1_10. Architecture, design and threat modeling requirements
- OWASP MASVS-V5_2. Network communication requirements
- NIST 800-171-4_2. Establish and enforce security configuration settings for information technology products
- NIST 800-115-3_4. System configuration review
- SWIFT CSCF-1_3. Virtualization platform protection
- OWASP SAMM-SA_2. Software design process toward known-secure services and secure-by-default designs
- OWASP SAMM-SA_3. Control the software design process and validate utilization of secure components
- OWASP ASVS-13_1_5. Generic web service security
- OWASP ASVS-14_4_1. HTTP security headers
- OWASP ASVS-14_4_4. HTTP security headers
- OWASP ASVS-14_4_6. HTTP security headers
- C2M2-2_1_d. Reduce cybersecurity vulnerabilities
- C2M2-9_3_b. Implement IT and OT asset security for cybersecurity architecture
- C2M2-9_3_e. Implement IT and OT asset security for cybersecurity architecture
- C2M2-9_4_c. Implement software security for cybersecurity architecture
- C2M2-9_5_b. Implement data security for cybersecurity architecture
- PCI DSS-2_2_6. Configure secure system parameters to prevent misuse
- SIG Core-I_1_3_2. Application security
- SIG Core-I_3_2_1. Application security
- SIG Core-U_1_2. Server security
- CWE™-15. External control of system or configuration setting
- CWE™-350. Reliance on reverse DNS resolution for a security-critical action
- CWE™-444. Inconsistent interpretation of HTTP requests ("HTTP request smuggling")
- OWASP ASVS-12_3_4. File execution
- OWASP ASVS-13_2_5. RESTful web service
- OWASP ASVS-14_1_1. Build and deploy
- OWASP ASVS-14_1_4. Build and deploy
- OWASP ASVS-14_4_3. HTTP security headers
- OWASP ASVS-14_4_5. HTTP security headers
- OWASP ASVS-14_4_7. HTTP security headers
- OWASP ASVS-14_5_1. HTTP request header validation
- OWASP MASVS-V8_5. Resilience requirements - Impede dynamic analysis and tampering
- OWASP API Security Top 10-API6. Mass Assignment
- OWASP API Security Top 10-API7. Security Misconfiguration
- ISO/IEC 27001-8_9. Configuration management
- ISO/IEC 27001-8_27. Secure system architecture and engineering principles
- CASA-14_1_1. Build and Deploy
- CASA-14_1_4. Build and Deploy
Vulnerabilities
- 043. Insecure or unset HTTP headers - Content-Security-Policy
- 071. Insecure or unset HTTP headers - Referrer-Policy
- 077. ARP spoofing
- 084. MDNS spoofing
- 110. HTTP request smuggling
- 111. Out-of-bounds read
- 115. Security controls bypass or absence
- 116. XS-Leaks
- 131. Insecure or unset HTTP headers - Strict Transport Security
- 132. Insecure or unset HTTP headers - X-Content-Type-Options
- 134. Insecure or unset HTTP headers - CORS
- 135. Insecure or unset HTTP headers - X-XSS Protection
- 136. Insecure or unset HTTP headers - Cache Control
- 137. Insecure or unset HTTP headers - X-Permitted-Cross-Domain-Policies
- 152. Insecure or unset HTTP headers - X-Frame Options
- 153. Insecure or unset HTTP headers - Accept
- 182. Email spoofing
- 206. Security controls bypass or absence - Anti hooking
- 207. Security controls bypass or absence - SSLPinning
- 208. Security controls bypass or absence - Antivirus
- 209. Security controls bypass or absence - Emulator
- 210. Security controls bypass or absence - Facial Recognition
- 212. Security controls bypass or absence - Cloudflare
- 305. Security controls bypass or absence - Data creation
- 329. Insecure or unset HTTP headers - Content-Type
- 345. Security controls bypass or absence - Session Invalidation
- 374. Security controls bypass or absence - Debug Protection
- 375. Security controls bypass or absence - Tampering Protection
- 376. Security controls bypass or absence - Reversing Protection
- 392. Security controls bypass or absence - Firewall
- 436. Security controls bypass or absence - Fingerprint
- 440. Insecure or unset HTTP headers - Permissions-Policy
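Many of the vulnerabilities listed above are HTTP response headers that deviate from a defined standard. The following is an added example (not Fluid Attacks' own code) of encoding such a standard configuration as a baseline and checking a response's headers against it; the baseline values are assumptions modelled on common hardening guidance and should be replaced by your organization's own standard.

```python
import re
from typing import Callable


def _max_age(value: str) -> int:
    """Extract the max-age directive from a header value (0 if absent)."""
    match = re.search(r"max-age=(\d+)", value)
    return int(match.group(1)) if match else 0


# Assumed baseline: header name -> (predicate the value must satisfy, reason shown on failure).
BASELINE: dict[str, tuple[Callable[[str], bool], str]] = {
    "strict-transport-security": (lambda v: _max_age(v) >= 31536000,
                                  "max-age must be at least 31536000 (one year)"),
    "content-security-policy": (lambda v: "default-src" in v and "'unsafe-inline'" not in v,
                                "must set default-src and avoid 'unsafe-inline'"),
    "x-content-type-options": (lambda v: v.strip().lower() == "nosniff", "must be nosniff"),
    "x-frame-options": (lambda v: v.strip().upper() in {"DENY", "SAMEORIGIN"},
                        "must be DENY or SAMEORIGIN"),
    "referrer-policy": (lambda v: v.strip().lower() in
                        {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"},
                        "must use a strict policy"),
    "permissions-policy": (lambda v: bool(v.strip()), "must be present and non-empty"),
    "cache-control": (lambda v: "no-store" in v.lower(), "dynamic responses must include no-store"),
}


def check_headers(headers: dict[str, str]) -> list[str]:
    """Return one finding per deviation from BASELINE; an empty list means compliant."""
    lowered = {name.lower(): value for name, value in headers.items()}
    findings: list[str] = []
    for name, (is_ok, reason) in BASELINE.items():
        if name not in lowered:
            findings.append(f"{name}: missing")
        elif not is_ok(lowered[name]):
            findings.append(f"{name}: insecure ({reason})")
    return findings


# Constructed sample responses (not captured from any real server).
SAMPLE_RESPONSE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "unsafe-url",
    "Cache-Control": "no-store",
}
COMPLIANT_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Cache-Control": "no-store",
}

if __name__ == "__main__":
    for finding in check_headers(SAMPLE_RESPONSE_HEADERS):
        print(finding)
```

Run against a live response by feeding `dict(response.headers)` from your HTTP client of choice into `check_headers`; the finding list maps directly onto the header-related vulnerability entries above.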