Restrict system objects
Summary
The system must restrict access to system objects whose content is sensitive, and grant that access only to users who are authorized for the specific object.
Description
Applications usually handle personal and confidential information, such as identity documents, social security numbers, credentials and health histories. Protecting this data is a fundamental right of its subjects, so it must be stored and transmitted using secure mechanisms that prevent access by unauthorized actors. Furthermore, the access control model and role assignment policy must enforce these restrictions: every read or write of a sensitive object must be authorized against the requesting identity and its role, not merely against the object identifier the client supplies, and unknown or unclassified objects should be denied by default.
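As an added illustration of the object-level check described above (this code is not part of the original requirement page and models no particular product), the following Python compares the insecure lookup, where a client-supplied key is the only thing consulted, with a hardened lookup bound to the requesting identity and a role policy. The `User` and `Record` types, the `RECORDS` store, the `READ_POLICY` map and the role names `support` and `clinician` are all hypothetical and constructed for the example.

```python
"""Object-level authorization for sensitive records (added example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet


@dataclass(frozen=True)
class User:
    user_id: str
    roles: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Record:
    record_id: int
    owner_id: str
    classification: str  # one of the keys of READ_POLICY below
    body: str


class NotFound(Exception):
    """Raised both when a record is missing and when the caller may not read it."""


# Constructed sample data (hypothetical): two customers' records plus a public one.
RECORDS: Dict[int, Record] = {
    1: Record(1, "alice", "health", "alice: health history"),
    2: Record(2, "bob", "personal", "bob: social security number"),
    3: Record(3, "bob", "public", "bob: public profile"),
}

# Hypothetical policy: which roles may read each classification in addition
# to the owner. Classifications absent from this map are never shared.
READ_POLICY: Dict[str, FrozenSet[str]] = {
    "public": frozenset({"*"}),
    "personal": frozenset({"support"}),
    "health": frozenset({"clinician"}),
}


def get_record_vulnerable(db: Dict[int, Record], record_id: int) -> Record:
    """The insecure pattern (CWE-639 / API1): the client-supplied key is the
    only thing consulted, so any authenticated user can walk record IDs."""
    return db[record_id]


def can_read(user: User, record: Record) -> bool:
    """Object-level decision: the owner always may; others only via role policy."""
    if record.owner_id == user.user_id:
        return True
    allowed = READ_POLICY.get(record.classification, frozenset())  # default deny
    return "*" in allowed or bool(user.roles & allowed)


def get_record(db: Dict[int, Record], user: User, record_id: int) -> Record:
    """Hardened lookup: the decision is bound to the requesting identity.

    Missing and forbidden records raise the same exception so the endpoint
    does not act as an existence oracle for records the caller cannot see.
    """
    record = db.get(record_id)
    if record is None or not can_read(user, record):
        raise NotFound(f"record {record_id}")
    return record


def can_access(db: Dict[int, Record], user: User, record_id: int) -> bool:
    """Boolean wrapper over get_record, convenient for checks and tests."""
    try:
        get_record(db, user, record_id)
    except NotFound:
        return False
    return True


if __name__ == "__main__":
    alice = User("alice")
    bob = User("bob")
    agent = User("carol", frozenset({"support"}))
    # Vulnerable: bob reads alice's health history just by guessing the id.
    print(get_record_vulnerable(RECORDS, 1).body)
    # Hardened: support may see "personal" records but not "health" ones.
    for who, rid in [(alice, 1), (bob, 1), (agent, 2), (agent, 1), (alice, 3), (bob, 99)]:
        print(who.user_id, rid, "allowed" if can_access(RECORDS, who, rid) else "denied")
```

Two design choices are worth noting. The policy map is consulted with a default-deny fallback, so a record carrying a classification nobody thought about is never shared. And a forbidden record produces the same error as a missing one, which removes the enumeration oracle that a 403-versus-404 distinction would otherwise hand to an attacker iterating identifiers.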
Supported In
This requirement is verified in the following services
Plan | Supported |
---|---|
Machine | 🟢 |
Squad | 🟢 |
References
- CIS-3_3. Configure data access control lists
- CWE™-284. Improper access control
- CWE™-548. Exposure of information through directory listing
- CWE™-639. Authorization bypass through user-controlled key
- ePrivacy Directive-4_1a. Security of processing
- GDPR-32_4. Security of processing
- GDPR-R6. Ensuring a high level of data protection despite the increased exchange of data
- NERC CIP-003-8_3_1. Electronic access controls
- OWASP TOP 10-A1. Broken access control
- OWASP TOP 10-A2. Cryptographic failures
- OWASP TOP 10-A7. Identification and authentication failures
- NIST Framework-PR_DS-1. Data at rest is protected
- CPRA-1798_104. Compliance with right to know and disclosure requirements
- GLBA-501_A. Privacy obligation policy
- NY SHIELD Act-5575_B_2. Personal and private information
- MITRE ATT&CK®-M1022. Restrict file and directory permissions
- MITRE ATT&CK®-M1029. Remote data storage
- PA-DSS-2_5_7. Prevention of unauthorized substitution of cryptographic keys
- PA-DSS-5_2_8. Improper access controls
- PA-DSS-10_2_3. Remote access to customer's payment applications must be implemented securely
- PA-DSS-11_1. Use of strong cryptography and security protocols to safeguard sensitive cardholder data during transmission
- PDPA-9B_48D. Unauthorized disclosure of personal data
- POPIA-3A_19. Security measures on integrity and confidentiality of personal information
- POPIA-9_72. Transfers of personal information outside Republic
- PDPO-S1_4. Security of personal data
- CMMC-AC_L1-3_1_1. Authorized access control
- CMMC-AC_L1-3_1_2. Transaction & function control
- CMMC-CM_L2-3_4_5. Access restrictions for change
- CMMC-MP_L2-3_8_2. Media access
- CMMC-SC_L2-3_13_4. Shared resource control
- HITRUST CSF-01_h. Clear desk and clear screen policy
- HITRUST CSF-01_v. Information access restriction
- HITRUST CSF-06_d. Data protection and privacy of covered information
- HITRUST CSF-09_c. Segregation of duties
- HITRUST CSF-09_r. Security of system documentation
- FedRAMP-MP-2. Media access
- FedRAMP-SC-8. Transmission confidentiality and integrity
- FedRAMP-SC-28. Protection of information at rest
- ISO/IEC 27002-8_4. Access to source code
- ISO/IEC 27002-8_26. Application security requirements
- ISA/IEC 62443-IAC-1_2. Software process and device identification and authentication
- ISA/IEC 62443-DC-4_1. Information confidentiality
- WASSEC-6_2_2_2. Authorization - Insufficient authorization
- WASSEC-6_2_2_5. Authorization - Session weaknesses
- WASSEC-6_2_4_9. Command execution - Local file includes
- OSSTMM3-11_11_1. Data networks security - Privacy containment mapping
- OSSTMM3-11_11_2. Data networks security (segregation review) - Disclosure
- WASC-A_12. Content spoofing
- WASC-W_16. Directory indexing
- WASC-W_17. Improper filesystem permissions
- WASC-W_13. Information leakage
- WASC-W_02. Insufficient authorization
- ISSAF-K_9_1. Network security - Storage Area Network SAN (practices for the data-at-rest)
- ISSAF-P_6_15. Host security - Linux security (local attacks)
- ISSAF-Q_16_20. Host security - Windows security (local attacks)
- ISSAF-T_12_2. Web application assessment - Browsable directories check
- ISSAF-T_16_3. Web application assessment - Input Validation (PHP insertion)
- ISSAF-U_11. Web application SQL injections - Get control on host
- ISSAF-V_6_1. Application security - Source code auditing (authentication)
- PTES-5_2_3_2. Vulnerability analysis - Web application scanners (directory listing or brute forcing)
- PTES-7_2_1. Post exploitation - Rules of engagement (protect the client)
- OWASP Top 10 Privacy Risks-P1. Web application vulnerabilities
- OWASP Top 10 Privacy Risks-P2. Operator-sided data leakage
- OWASP Top 10 Privacy Risks-P7. Insufficient data quality
- OWASP SCP-5. Access control
- OWASP SCP-10. System configuration
- OWASP SCP-12. File management
- BSAFSS-SM_3-1. Supply chain data is protected
- BSAFSS-SM_6-1. Deployment procedures ensure that the usages of software are established
- OWASP ASVS-5_2_5. Sanitization and sandboxing
- OWASP ASVS-13_4_1. GraphQL
- C2M2-9_5_a. Implement data security for cybersecurity architecture
- C2M2-9_5_b. Implement data security for cybersecurity architecture
- PCI DSS-1_4_3. Implement anti-spoofing measures
- PCI DSS-1_4_4. Network connections between trusted and untrusted networks are controlled
- PCI DSS-3_7_7. Prevention of unauthorized substitution of cryptographic keys
- PCI DSS-7_2_5. Access to system components and data is defined and assigned
- PCI DSS-8_2_3. User identification for users and administrators are strictly managed
- OWASP ASVS-4_2_1. Operation level access control
- OWASP ASVS-4_3_1. Other access control considerations
- OWASP ASVS-9_2_3. Server communication security
- OWASP ASVS-12_3_2. File execution
- OWASP API Security Top 10-API1. Broken Object Level Authorization
- OWASP API Security Top 10-API5. Broken Function Level Authorization
- OWASP API Security Top 10-API6. Mass Assignment
- CAPEC™-680. Exploitation of Improperly Controlled Registers
- CAPEC™-690. Metadata Spoofing
- CAPEC™-691. Spoof Open-Source Software Metadata
- CAPEC™-692. Spoof Version Control System Commit Metadata
- ISO/IEC 27001-8_4. Access to source code
- ISO/IEC 27001-8_26. Application security requirements
- CASA-1_14_1. Configuration Architecture
- CASA-4_3_1. Other Access Control Considerations
- CASA-4_3_2. Other Access Control Considerations
- CASA-4_3_3. Other Access Control Considerations
- CASA-5_2_5. Sanitization and Sandboxing
- Resolution SB 2021 2126-Art_26_11_d. Information Security
Vulnerabilities
- 013. Insecure object reference
- 032. Spoofing
- 037. Technical information leak
- 038. Business information leak
- 039. Improper authorization control for web services
- 040. Exposed web services
- 066. Technical information leak - Console functions
- 073. Improper authorization control for web services - RDS
- 075. Unauthorized access to files - APK Content Provider
- 080. Business information leak - Customers or providers
- 116. XS-Leaks
- 123. Local file inclusion
- 125. Directory listing
- 201. Unauthorized access to files
- 202. Unauthorized access to files - Debug APK
- 203. Unauthorized access to files - S3 Bucket
- 204. Insufficient data authenticity validation
- 213. Business information leak - JWT
- 214. Business information leak - Credentials
- 215. Business information leak - Repository
- 216. Business information leak - Source Code
- 217. Business information leak - Credit Cards
- 218. Business information leak - Network Unit
- 219. Business information leak - Redis
- 220. Business information leak - Token
- 221. Business information leak - Users
- 222. Business information leak - DB
- 223. Business information leak - JFROG
- 224. Business information leak - AWS
- 225. Business information leak - Azure
- 226. Business information leak - Personal Information
- 227. Business information leak - NAC
- 228. Business information leak - Analytics
- 229. Business information leak - Power BI
- 230. Business information leak - Firestore
- 232. Technical information leak - Angular
- 234. Technical information leak - Stacktrace
- 235. Technical information leak - Headers
- 236. Technical information leak - SourceMap
- 237. Technical information leak - Print Functions
- 238. Technical information leak - API
- 239. Technical information leak - Errors
- 286. Insecure object reference - Personal information
- 287. Insecure object reference - Corporate information
- 288. Insecure object reference - Financial information
- 289. Technical information leak - Logs
- 290. Technical information leak - IPs
- 291. Business information leak - Financial Information
- 306. Insecure object reference - Files
- 307. Insecure object reference - Data
- 328. Insecure object reference - Session management
- 336. Business information leak - Corporate information
- 342. Technical information leak - Alert
- 349. Technical information leak - Credentials
- 362. Technical information leak - Content response
- 369. Insecure object reference - User deletion
- 405. Excessive privileges - Access Mode
- 422. Server side template injection
- 434. Client-side template injection