Display access notification
Summary
The system must notify, upon any access attempt, that access to the system is only available for authorized users.
Description
Sometimes systems have information and other resources that are not considered public. These resources should be protected by a secure authentication mechanism that prevents unauthorized actors from accessing them. Whenever a non-authenticated actor attempts to access those resources, the system must notify them that the resources are only available to authorized users.
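As an added example (not code from the requirements page), a minimal Python access gate that implements this requirement: requests to a protected path without valid credentials get a 401 response carrying the authorized-users-only notice and are recorded for review, while valid credentials reach the resource. The bearer-token store, the `/private` prefix and the notice wording are assumptions for the example.

```python
"""Access gate: every request to a protected resource either carries valid
credentials or is answered with a notice that it is restricted to
authorized users. The failed attempt is also recorded for later review."""
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample token store (assumption, not from the page): in a real
# system this would be a session store or identity provider lookup.
_VALID_TOKENS = {"tok-alice-0001": "alice"}

# Notice shown to any actor that is not authenticated (assumed wording).
ACCESS_NOTICE = ("Access to this system is restricted to authorized users. "
                 "Unauthorized access attempts are recorded.")


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: str


@dataclass
class AccessGate:
    protected_prefix: str = "/private"
    failed_attempts: List[Dict[str, str]] = field(default_factory=list)

    def _lookup_user(self, token: str) -> Optional[str]:
        # Constant-time comparison against each stored token; never reveals
        # whether a token was "close" to a valid one.
        for stored, user in _VALID_TOKENS.items():
            if hmac.compare_digest(stored.encode(), token.encode()):
                return user
        return None

    def handle(self, path: str, headers: Dict[str, str]) -> Response:
        if not path.startswith(self.protected_prefix):
            return Response(200, {}, f"public resource {path}")
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        user = self._lookup_user(token) if scheme == "Bearer" and token else None
        if user is None:
            # Same notice whether credentials are missing or invalid, so the
            # response does not help an unauthenticated actor distinguish them.
            self.failed_attempts.append({"path": path, "reason": "unauthenticated"})
            return Response(401, {"WWW-Authenticate": 'Bearer realm="restricted"'},
                            ACCESS_NOTICE)
        return Response(200, {}, f"private resource {path} for {user}")
```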
Supported In
This requirement is verified in the following services:
| Plan | Supported |
|---|---|
| Essential | 🟢 |
| Advanced | 🟢 |
References
- OWASP TOP 10-A7. Identification and authentication failures
- CERT-J-OBJ10-J. Do not use public static nonfinal fields
- NY SHIELD Act-5575_B_4. Personal and private information
- MITRE ATT&CK®-M1036. Account use policies
- SANS 25-13. Improper authentication
- CMMC-AC_L1-3_1_1. Authorized access control
- CMMC-AC_L2-3_1_8. Unsuccessful logon attempts
- CMMC-AC_L2-3_1_9. Privacy & security notices
- FedRAMP-AC-8. System use notification
- FedRAMP-SI-5. Security alerts, advisories, and directives
- LGPD-19_II-1. Data Subjects Rights
- ISA/IEC 62443-IAC-1_11. Unsuccessful login attempts
- ISA/IEC 62443-IAC-1_12. System use notification
- WASC-W_01. Insufficient authentication
- ISSAF-H_14_7. Network security - Intrusion detection (detection engine)
- OWASP MASVS-AUTH-1. The app uses secure authentication and authorization protocols and follows the relevant best practices
- CWE TOP 25-287. Improper authentication
Vulnerabilities
- 006. Authentication mechanism absence or evasion
- 095. Data uniqueness not properly verified
- 099. Non-encrypted confidential information - S3 Server Side Encryption
- 240. Authentication mechanism absence or evasion - OTP
- 241. Authentication mechanism absence or evasion - AWS
- 242. Authentication mechanism absence or evasion - WiFi
- 243. Authentication mechanism absence or evasion - Admin Console
- 244. Authentication mechanism absence or evasion - BIOS
- 298. Authentication mechanism absence or evasion - Redirect
- 299. Authentication mechanism absence or evasion - JFROG
- 300. Authentication mechanism absence or evasion - Azure
- 365. Authentication mechanism absence or evasion - Response tampering
- 370. Authentication mechanism absence or evasion - Security Image