Request authentication
Summary
The system must require authentication for all resources, except for the consultation or visualization of those specifically classified as public.
Description
Systems often hold information and other resources that are not public. These resources must be protected by a secure authentication mechanism that prevents unauthorized actors from accessing them. Authentication should be enforced by default for every resource, including unpublished or administrative interfaces, and only the consultation or visualization of resources explicitly classified as public should be exempt; otherwise any route a developer forgets to protect becomes an authentication bypass.
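The following is an added example, not code from the original page or from any product it describes, showing the difference between a deny-by-default router (every path requires a valid session unless explicitly registered as public, and even then only for read-only methods) and the opt-in pattern that produces the missing-authentication findings listed below. The session store, token values and routes are constructed for the example.

```python
import hmac
from dataclasses import dataclass, field

# Constructed session store for the example: bearer token -> authenticated user.
# A real system would look these up in a session service or validate signed tokens.
SESSIONS = {"tok-alice": "alice"}

# Methods that only consult or visualize a resource; public resources are
# exempt from authentication for these methods only, never for writes.
READ_ONLY_METHODS = ("GET", "HEAD")


@dataclass
class Request:
    path: str
    method: str = "GET"
    headers: dict = field(default_factory=dict)


class Router:
    """Deny-by-default: a route is protected unless registered with public=True."""

    def __init__(self):
        self._routes = {}  # path -> (handler, public)

    def route(self, path, public=False):
        def register(handler):
            self._routes[path] = (handler, public)
            return handler
        return register

    def _authenticate(self, req):
        """Return the user for a valid bearer token, or None."""
        value = req.headers.get("Authorization", "")
        if not value.startswith("Bearer "):
            return None
        presented = value[len("Bearer "):].encode()
        for token, user in SESSIONS.items():
            # Constant-time comparison so token validity is not leaked by timing.
            if hmac.compare_digest(presented, token.encode()):
                return user
        return None

    def dispatch(self, req):
        entry = self._routes.get(req.path)
        user = self._authenticate(req)
        if entry is not None and entry[1] and req.method in READ_ONLY_METHODS:
            return 200, entry[0](req, user)  # public, read-only: no login needed
        if user is None:
            # Unknown paths also answer 401 here, so an anonymous client cannot
            # enumerate which unpublished interfaces exist (CAPEC-36).
            return 401, "authentication required"
        if entry is None:
            return 404, "not found"
        return 200, entry[0](req, user)


class OptInRouter(Router):
    """Vulnerable contrast (CWE-306): protection only where someone remembered
    to pass protected=True; every forgotten route is exposed."""

    def route(self, path, protected=False):
        return super().route(path, public=not protected)


def build(router_cls, **admin_flags):
    app = router_cls()

    @app.route("/catalog", **({"public": True} if router_cls is Router else {}))
    def catalog(req, user):
        return "public catalog"

    @app.route("/account", **({} if router_cls is Router else {"protected": True}))
    def account(req, user):
        return f"account of {user}"

    # "Unpublished" admin interface, never linked from the UI and, in the
    # opt-in router, never marked as protected.
    @app.route("/admin/export", **admin_flags)
    def export(req, user):
        return f"export by {user}"

    return app


SECURE = build(Router)
VULNERABLE = build(OptInRouter)


def probe(app, path, method="GET", token=None):
    headers = {"Authorization": f"Bearer {token}"} if token else {}
    return app.dispatch(Request(path, method, headers))
```

With the deny-by-default router the forgotten `/admin/export` handler still answers 401 to anonymous requests; with the opt-in router the same omission exposes it, which is the situation finding 006 describes.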
Supported In
This requirement is verified in the following services:
| Plan | Supported |
|---|---|
| Machine | 🟢 |
| Squad | 🟢 |
References
- CAPEC™-1. Accessing functionality not properly constrained by ACLs
- CAPEC™-36. Using unpublished interfaces
- CAPEC™-115. Authentication bypass
- CWE™-287. Improper authentication
- CWE™-306. Missing authentication for critical function
- CWE™-603. Use of client-side authentication
- CWE™-1390. Weak Authentication
- NERC CIP-003-8_3_2. Electronic access controls
- NERC CIP-005-5_R1_4. Electronic security perimeter
- NERC CIP-007-6_R5_1. System access control
- OWASP TOP 10-A2. Cryptographic failures
- OWASP TOP 10-A7. Identification and authentication failures
- SOC2®-CC6_1. Logical and physical access controls
- NIST Framework-PR_AC-7. Users, devices and other assets are authenticated (e.g., single-factor, multifactor) commensurate with the risk of the transaction
- NYDFS-500_12. Multi-factor authentication
- SANS 25-14. Improper Authentication
- SANS 25-15. Use of Hard-coded Credentials
- SANS 25-18. Missing Authentication for Critical Function
- POPIA-3A_19. Security measures on integrity and confidentiality of personal information
- POPIA-3A_23. Access to personal information
- PDPO-5_18. Data access request
- PDPO-S1_4. Security of personal data
- PDPO-S1_6. Access to personal data
- CMMC-AC_L1-3_1_2. Transaction & function control
- CMMC-IA_L1-3_5_2. Authentication
- CMMC-MP_L2-3_8_2. Media access
- HITRUST CSF-01_q. User identification and authentication
- HITRUST CSF-01_x. Mobile computing and communications
- FedRAMP-MP-2. Media access
- ISA/IEC 62443-IAC-1_2. Software process and device identification and authentication
- ISA/IEC 62443-CR-1_1-RE_1. Unique identification and authentication
- WASSEC-2_1. Authentication schemes
- WASSEC-6_2_1_2. Authentication - Insufficient authentication
- OSSTMM3-10_5_3. Telecommunications security (access verification) - Authentication
- WASC-W_17. Improper filesystem permissions
- WASC-W_01. Insufficient authentication
- FERPA-D_31_c. Conditions of prior consent required to disclose information
- NIST SSDF-PW_1_1. Design software to meet security requirements and mitigate security risks
- OWASP SCP-12. File management
- BSAFSS-IA_1-1. Software development environment authenticates users and operators
- BSAFSS-AA_1-3. Authorization and access controls
- OWASP MASVS-V4_1. Authentication and session management requirements
- OWASP MASVS-V4_10. Authentication and session management requirements
- NIST 800-171-1_17. Protect wireless access using authentication and encryption
- CWE TOP 25-287. Improper authentication
- CWE TOP 25-362. Concurrent execution using shared resource with improper synchronization (Race condition)
- OWASP ASVS-1_2_3. Authentication architecture
- OWASP ASVS-14_1_5. Build and deploy
- C2M2-4_1_a. Establish identities and manage authentication
- PCI DSS-8_3_3. Strong authentication for users and administrators is established
- SIG Core-G_3_4. Operations management
- SIG Core-I_1_3_1. Application security
- OWASP ASVS-4_3_1. Other access control considerations
- OWASP ASVS-9_2_3. Server communication security
- OWASP ASVS-13_4_1. GraphQL
- OWASP API Security Top 10-API2. Broken User Authentication
- OWASP API Security Top 10-API5. Broken Function Level Authorization
- CASA-1_2_3. Authentication Architecture
- CASA-1_4_4. Access Control Architecture
- CASA-2_10_1. Service Authentication
- CASA-4_3_1. Other Access Control Considerations
- CASA-14_1_5. Build and Deploy
- Resolution SB 2021 2126-Art_27_11. Security in Electronic Channels
- Resolution SB 2021 2126-Art_28_2. Security in Electronic Channels - ATMs
- Resolution SB 2021 2126-Art_28_5. Security in Electronic Channels - ATMs
- Resolution SB 2021 2126-Art_29_1. Security in Electronic Channels - Points of Sale (POS and PIN Pad)
Vulnerabilities
- 006. Authentication mechanism absence or evasion
- 018. Improper authentication for shared folders
- 020. Non-encrypted confidential information
- 056. Anonymous connection
- 075. Unauthorized access to files - APK Content Provider
- 081. Lack of multi-factor authentication
- 095. Data uniqueness not properly verified
- 099. Non-encrypted confidential information - S3 Server Side Encryption
- 201. Unauthorized access to files
- 202. Unauthorized access to files - Debug APK
- 203. Unauthorized access to files - S3 Bucket
- 204. Insufficient data authenticity validation
- 240. Authentication mechanism absence or evasion - OTP
- 241. Authentication mechanism absence or evasion - AWS
- 242. Authentication mechanism absence or evasion - WiFi
- 243. Authentication mechanism absence or evasion - Admin Console
- 244. Authentication mechanism absence or evasion - BIOS
- 245. Non-encrypted confidential information - Credit Cards
- 246. Non-encrypted confidential information - DB
- 247. Non-encrypted confidential information - AWS
- 248. Non-encrypted confidential information - LDAP
- 249. Non-encrypted confidential information - Credentials
- 251. Non-encrypted confidential information - JFROG
- 275. Non-encrypted confidential information - Local data
- 284. Non-encrypted confidential information - Base 64
- 298. Authentication mechanism absence or evasion - Redirect
- 299. Authentication mechanism absence or evasion - JFROG
- 300. Authentication mechanism absence or evasion - Azure
- 310. Unauthorized access to screen
- 365. Authentication mechanism absence or evasion - Response tampering
- 370. Authentication mechanism absence or evasion - Security Image
- 378. Non-encrypted confidential information - Hexadecimal
- 441. Non-encrypted confidential information - Azure