Display access notification
Summary
The system must notify, upon any access attempt, that access to the system is only available for authorized users.
Description
Sometimes systems have information and other resources that are not considered public. These resources should be protected by a secure authentication mechanism that prevents unauthorized actors from accessing them. Whenever a non-authenticated actor attempts to access those resources, the system must notify them that the resources are only available to authorized users.
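As an added example that is not part of this page or of any Fluid Attacks product, the following Python guard shows the behaviour the requirement asks for: a protected handler is reachable only with a valid credential, and every unauthenticated attempt gets a 401 response carrying the "authorized users only" notice and is recorded for detection. The `Request`/`Response` types, the bearer-token store and the `/reports` path are constructed assumptions for the demonstration.

```python
import hmac
import logging
from dataclasses import dataclass, field

# Notice returned on every unauthenticated access attempt (constructed wording).
ACCESS_NOTICE = (
    "Access to this system is restricted to authorized users. "
    "Unauthorized use is prohibited and access attempts are recorded."
)

# Constructed token store for the example; a real service would validate
# sessions or signed tokens against its identity provider instead.
VALID_TOKENS = {"tok-alice-constructed": "alice"}

log = logging.getLogger("access")


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)
    remote_addr: str = "0.0.0.0"


@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)


def authenticated_user(request):
    """Return the user bound to a valid bearer token, or None if unauthenticated."""
    scheme, _, token = request.headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return None
    for valid, user in VALID_TOKENS.items():
        # Constant-time comparison so token checking does not leak timing.
        if hmac.compare_digest(valid, token):
            return user
    return None


def guard(request, handler):
    """Run handler only for authenticated actors; otherwise notify and log."""
    user = authenticated_user(request)
    if user is None:
        log.warning("unauthenticated access attempt path=%s from=%s",
                    request.path, request.remote_addr)
        return Response(401, ACCESS_NOTICE,
                        {"WWW-Authenticate": 'Bearer realm="restricted"'})
    return handler(request, user)
```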
Supported In
This requirement is verified in the following services:

| Plan | Supported |
|---|---|
| Machine | 🟢 |
| Squad | 🟢 |
References
- OWASP TOP 10-A7. Identification and authentication failures
- NIST Framework-DE_DP-4. Event detection information is communicated
- CERT-J-OBJ10-J. Do not use public static nonfinal fields
- NY SHIELD Act-5575_B_4. Personal and private information
- MITRE ATT&CK®-M1036. Account use policies
- SANS 25-14. Improper Authentication
- CMMC-AC_L1-3_1_1. Authorized access control
- CMMC-AC_L2-3_1_8. Unsuccessful logon attempts
- CMMC-AC_L2-3_1_9. Privacy & security notices
- FedRAMP-AC-8. System use notification
- FedRAMP-SI-5. Security alerts, advisories, and directives
- LGPD-19_II-1. Data Subjects Rights
- ISA/IEC 62443-IAC-1_11. Unsuccessful login attempts
- ISA/IEC 62443-IAC-1_12. System use notification
- WASC-W_01. Insufficient authentication
- ISSAF-H_14_7. Network security - Intrusion detection (detection engine)
Vulnerabilities
- 006. Authentication mechanism absence or evasion
- 095. Data uniqueness not properly verified
- 099. Non-encrypted confidential information - S3 Server Side Encryption
- 240. Authentication mechanism absence or evasion - OTP
- 241. Authentication mechanism absence or evasion - AWS
- 242. Authentication mechanism absence or evasion - WiFi
- 243. Authentication mechanism absence or evasion - Admin Console
- 244. Authentication mechanism absence or evasion - BIOS
- 298. Authentication mechanism absence or evasion - Redirect
- 299. Authentication mechanism absence or evasion - JFROG
- 300. Authentication mechanism absence or evasion - Azure
- 365. Authentication mechanism absence or evasion - Response tampering
- 370. Authentication mechanism absence or evasion - Security Image