Request access credentials
Summary
The system must request at least a username and a password from every actor that tries to authenticate.
Description
Systems often hold information and other resources that are not public. Every such resource must sit behind an authentication mechanism that prevents unauthorized actors from reaching it, and that mechanism must request, as a minimum, a username and a password before granting access: the username identifies the actor, and the password is the least proof of identity that may be accepted, on top of which additional factors can be required.
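The following is an added example and not code from this page or from Fluid Attacks. It places an endpoint that serves non-public resources to anyone (the "authentication mechanism absence" case) beside one that demands a username and password, verifies them against salted, iterated hashes in constant time, and answers every failure with the same generic message. The paths, the user store, the credentials and the 600,000-iteration PBKDF2 setting (OWASP's published guidance for PBKDF2-HMAC-SHA256) are assumptions made for the illustration.

```python
"""Added example, not code from the requirement page or from Fluid Attacks.
The paths, user store and credentials below are constructed for illustration."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Assumption: OWASP's guidance of 600,000 iterations for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000
AUTH_CHALLENGE = {"WWW-Authenticate": 'Basic realm="internal"'}

# Constructed resources: anything not listed as public requires credentials.
PUBLIC_PATHS = {"/", "/health"}
PROTECTED_RESOURCES = {"/reports": "quarterly figures", "/admin": "admin console"}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class UserStore:
    """Username -> (salt, digest). Plaintext passwords are never kept."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}
        # Dummy record so that unknown usernames cost the same as real ones.
        self._dummy = hash_password(os.urandom(16).hex())

    def add_user(self, username: str, password: str) -> None:
        self._users[username] = hash_password(password)

    def verify(self, username: str, password: str) -> bool:
        salt, expected = self._users.get(username, self._dummy)
        _, actual = hash_password(password, salt)
        # compare_digest runs in constant time; the membership check comes last
        # so the KDF has already been paid for unknown users as well.
        return hmac.compare_digest(actual, expected) and username in self._users


@dataclass
class Response:
    status: int
    body: str
    headers: Dict[str, str] = field(default_factory=dict)


def handle_without_auth(path: str) -> Response:
    """Vulnerable: every known resource is served to whoever asks (CWE-306)."""
    if path in PUBLIC_PATHS:
        return Response(200, "ok")
    if path in PROTECTED_RESOURCES:
        return Response(200, PROTECTED_RESOURCES[path])
    return Response(404, "not found")


def handle_with_auth(store: UserStore, path: str,
                     credentials: Optional[Tuple[str, str]] = None) -> Response:
    """Hardened: a username and password are demanded before any non-public
    path is even acknowledged, and all failures share one generic message."""
    if path in PUBLIC_PATHS:
        return Response(200, "ok")
    if credentials is None:
        return Response(401, "authentication required", dict(AUTH_CHALLENGE))
    username, password = credentials
    if not username or not store.verify(username, password):
        return Response(401, "invalid credentials", dict(AUTH_CHALLENGE))
    if path not in PROTECTED_RESOURCES:
        return Response(404, "not found")
    return Response(200, PROTECTED_RESOURCES[path])


def demo() -> Dict[str, int]:
    """Exercise both handlers with constructed credentials; returns status codes."""
    store = UserStore()
    store.add_user("alice", "correct horse battery staple")  # constructed
    return {
        "vulnerable_reports_no_creds": handle_without_auth("/reports").status,
        "secure_health_no_creds": handle_with_auth(store, "/health").status,
        "secure_reports_no_creds": handle_with_auth(store, "/reports").status,
        "secure_reports_wrong_password": handle_with_auth(store, "/reports", ("alice", "wrong")).status,
        "secure_reports_unknown_user": handle_with_auth(store, "/reports", ("mallory", "anything")).status,
        "secure_missing_no_creds": handle_with_auth(store, "/nonexistent").status,
        "secure_reports_valid": handle_with_auth(store, "/reports", ("alice", "correct horse battery staple")).status,
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

Two choices carry the security weight: the hardened handler checks credentials before it reveals whether a non-public path exists, so an unauthenticated caller cannot enumerate resources, and the store always runs the key derivation even for unknown usernames, so response time does not reveal which accounts are real.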
Supported In
This requirement is verified in the following plans:
| Plan | Supported |
|---|---|
| Machine | 🟢 |
| Squad | 🟢 |
References
- CWE™-284. Improper access control
- CWE™-306. Missing authentication for critical function
- HIPAA-164_310_a_2_iii. Access control and validation procedures (addressable)
- HIPAA-164_312_a_1. Standard: access control
- HIPAA-164_312_d. Standard: person or entity authentication
- NIST 800-53-IA-1. Policy and procedures
- NIST 800-53-IA-2. Identification and authentication (organizational users)
- OWASP TOP 10-A7. Identification and authentication failures
- SOC2®-P4_2. Additional criteria for privacy (related to use, retention, and disposal)
- OWASP-M TOP 10-M2. Insecure data storage
- NIST Framework-PR_AC-7. Users, devices and other assets are authenticated (e.g., single-factor, multifactor) commensurate with the risk of the transaction
- NY SHIELD Act-5575_B_2. Personal and private information
- NYDFS-500_12. Multi-factor authentication
- MITRE ATT&CK®-M1032. Multi-factor authentication
- PA-DSS-3_1. Support and enforce the use of unique user IDs and secure authentication for all administrative access
- PA-DSS-3_1_4. Application employs methods to authenticate all users
- SANS 25-15. Use of Hard-coded Credentials
- SANS 25-18. Missing Authentication for Critical Function
- PDPA-5_21. Access to personal data
- POPIA-3A_19. Security measures on integrity and confidentiality of personal information
- POPIA-3A_23. Access to personal information
- PDPO-5_18. Data access request
- PDPO-S1_4. Security of personal data
- PDPO-S1_6. Access to personal data
- CMMC-AC_L1-3_1_2. Transaction & function control
- CMMC-IA_L1-3_5_2. Authentication
- CMMC-MP_L2-3_8_2. Media access
- HITRUST CSF-01_x. Mobile computing and communications
- HITRUST CSF-08_b. Physical entry controls
- FedRAMP-MP-2. Media access
- ISO/IEC 27002-8_4. Access to source code
- LGPD-19_II-1. Data Subjects Rights
- ISA/IEC 62443-IAC-1_5. Authenticator management
- OSSTMM3-9_5_4. Wireless security (access verification) - Authentication
- WASC-W_01. Insufficient authentication
- FERPA-D_31_c. Conditions of prior consent required to disclose information
- ISSAF-Y_3_1. Database Security - Database services countermeasures
- OWASP Top 10 Privacy Risks-P7. Insufficient data quality
- OWASP SCP-5. Access control
- OWASP SCP-11. Database security
- OWASP SCP-14. General coding practices
- BSAFSS-SM_4-2. Software measures to prevent counterfeiting and tampering
- BSAFSS-IA_1-1. Software development environment authenticates users and operators
- BSAFSS-AA_1-3. Authorization and access controls
- OWASP MASVS-V2_1. Security verification requirements
- OWASP MASVS-V4_1. Authentication and session management requirements
- NIST 800-171-1_17. Protect wireless access using authentication and encryption
- NIST 800-171-5_2. Authenticate or verify the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems
- CWE TOP 25-287. Improper authentication
- OWASP ASVS-14_1_5. Build and deploy
- C2M2-4_1_b. Establish identities and manage authentication
- PCI DSS-7_2_6. Access to system components and data is defined and assigned
- PCI DSS-7_3_1. Access to system components and data is managed via an access control system
- PCI DSS-7_3_2. Access to system components and data is managed via an access control system
- PCI DSS-8_3_1. Strong authentication for users and administrators is established
- SIG Lite-SL_70. Are individual IDs required for user authentication to applications, operating systems, databases and network devices?
- SIG Lite-SL_71. Are passwords used?
- SIG Core-G_3_4. Operations management
- SIG Core-H_3. Access control
- OWASP ASVS-4_3_1. Other access control considerations
- OWASP API Security Top 10-API2. Broken User Authentication
- ISO/IEC 27001-8_4. Access to source code
- CASA-4_3_1. Other Access Control Considerations
- CASA-14_1_5. Build and Deploy
Vulnerabilities
- 006. Authentication mechanism absence or evasion
- 018. Improper authentication for shared folders
- 020. Non-encrypted confidential information
- 081. Lack of multi-factor authentication
- 095. Data uniqueness not properly verified
- 099. Non-encrypted confidential information - S3 Server Side Encryption
- 240. Authentication mechanism absence or evasion - OTP
- 241. Authentication mechanism absence or evasion - AWS
- 242. Authentication mechanism absence or evasion - WiFi
- 243. Authentication mechanism absence or evasion - Admin Console
- 244. Authentication mechanism absence or evasion - BIOS
- 245. Non-encrypted confidential information - Credit Cards
- 246. Non-encrypted confidential information - DB
- 247. Non-encrypted confidential information - AWS
- 248. Non-encrypted confidential information - LDAP
- 249. Non-encrypted confidential information - Credentials
- 251. Non-encrypted confidential information - JFROG
- 275. Non-encrypted confidential information - Local data
- 284. Non-encrypted confidential information - Base 64
- 298. Authentication mechanism absence or evasion - Redirect
- 299. Authentication mechanism absence or evasion - JFROG
- 300. Authentication mechanism absence or evasion - Azure
- 365. Authentication mechanism absence or evasion - Response tampering
- 370. Authentication mechanism absence or evasion - Security Image
- 378. Non-encrypted confidential information - Hexadecimal
Search for vulnerabilities in your apps for free with our automated security testing! Start your 21-day free trial and discover the benefits of our Continuous Hacking Machine Plan. If you prefer a full service that includes the expertise of our ethical hackers, don't hesitate to contact us for our Continuous Hacking Squad Plan.