Request client certificates
Summary​
Systems that manages business-critical information must require digital certificates from the client. This must be done especially during the authentication process.
Description​
This control suggests the implementation of a security measure in which client systems interacting with or accessing business-critical information must present valid digital certificates. This practice enhances authentication, secure communication, and control access to sensitive business data.
Supported In​
This requirement is verified in following services
Plan | Supported |
---|---|
Essential | 🔴 |
Advanced | 🟢 |
References​
- CIS-13_9. Deploy port-level access control
- CWEâ„¢-299. Improper check for certificate revocation
- NIST 800-63B-5_2_5. Verifier impersonation resistance
- OWASP TOP 10-A7. Identification and authentication failures
- PDPO-6_31. Matching procedure request
- ISA/IEC 62443-IAC-1_9. Strength of public key authentication
- WASSEC-2_1. Authentication schemes
- NIST SSDF-PS_2_1. Provide a mechanism for verifying software release integrity
- ISSAF-V_6_4. Application security - Source code auditing (forms based authentication)
- PTES-6_7. Exploitation - Zero day angle
- OWASP ASVS-10_3_1. Application integrity
- CASA-9_2_4. Server Communication Security
- Resolution SB 2021 2126-Art_30_1. Security in Electronic Channels - Digital Banking
Vulnerabilities​
- 163. Insecure digital certificates
- 348. Insecure digital certificates - Lifespan
- 350. Insecure digital certificates - Chain of trust
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.