Restrict access to critical processes
Summary
The system must restrict access to system functions that execute critical business processes, allowing only authorized users.
Description
Systems must enforce access controls at trusted enforcement points. They must also have a clear definition of user privileges and roles. Functions that execute critical business processes should be available only to authenticated users whose roles have the required privileges.
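As an added example, not part of this requirement page or of Fluid Attacks' own code, the following Python sketch shows one way to implement such an enforcement point: roles and the privileges they grant are defined explicitly, a decorator verifies authentication and then the required privilege before a critical function runs, and every denial is recorded for review. The role, privilege and function names (teller, supervisor, approve_transfer) are assumed for illustration, and the callers in demo() are constructed.

```python
from dataclasses import dataclass, field
from functools import wraps

# Explicit role -> privilege definition; anything not listed is denied by default.
ROLE_PRIVILEGES = {
    "teller": frozenset({"read_account", "create_transfer"}),
    "supervisor": frozenset({"read_account", "create_transfer", "approve_transfer"}),
}
DENIED_LOG = []  # constructed stand-in for the audit log sink

@dataclass
class Principal:
    user_id: str
    roles: frozenset = field(default_factory=frozenset)
    authenticated: bool = False
    def has_privilege(self, privilege):
        # Unknown roles grant nothing, so a mistyped role cannot widen access.
        return any(privilege in ROLE_PRIVILEGES.get(r, ()) for r in self.roles)
class AccessDenied(Exception):
    pass
def requires_privilege(privilege):
    # Enforcement point: verify authentication first, then the privilege.
    def decorator(func):
        @wraps(func)
        def wrapper(principal, *args, **kwargs):
            if not principal.authenticated:
                DENIED_LOG.append(f"unauthenticated call to {func.__name__}")
                raise AccessDenied("authentication required")
            if not principal.has_privilege(privilege):
                DENIED_LOG.append(f"{principal.user_id} lacks {privilege}")
                raise AccessDenied(f"privilege {privilege} required")
            return func(principal, *args, **kwargs)
        return wrapper
    return decorator

@requires_privilege("approve_transfer")
def approve_transfer(principal, transfer_id):
    # Critical business process: only reached after both checks above pass.
    return {"transfer_id": transfer_id, "approved_by": principal.user_id}

def demo():
    callers = [Principal("anon"), Principal("alice", frozenset({"teller"}), True),
               Principal("bob", frozenset({"supervisor"}), True)]
    results = {}
    for p in callers:
        try:
            results[p.user_id] = approve_transfer(p, "T-1001")["approved_by"]
        except AccessDenied as exc:
            results[p.user_id] = f"denied: {exc}"
    return results
```

Because the check runs inside the function's wrapper on the server, a caller cannot bypass it by altering client-side state; the denial log gives the operations team a signal for repeated unauthorized attempts on critical functions.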
Supported In
This requirement is verified in the following services
| Plan | Supported |
|---|---|
| Essential | 🟢 |
| Advanced | 🟢 |
References
- CAPEC™-13. Subverting environment variable values
- CAPEC™-122. Privilege abuse
- CAPEC™-690. Metadata Spoofing
- CIS-2_7. Allowlist authorized scripts
- CWE™-306. Missing authentication for critical function
- CWE™-78. Improper neutralization of special elements used in an OS command ("OS command injection")
- CWE™-98. Improper control of filename for include/require statement in PHP program ("PHP remote file inclusion")
- ePrivacy Directive-4_1a. Security of processing
- NIST 800-53-IA-2. Identification and authentication (organizational users)
- OWASP TOP 10-A1. Broken access control
- OWASP TOP 10-A7. Identification and authentication failures
- MITRE ATT&CK®-M1025. Privileged process integrity
- PA-DSS-5_2_8. Improper access controls
- CMMC-AC_L1-3_1_1. Authorized access control
- CMMC-AC_L1-3_1_2. Transaction & function control
- CMMC-CM_L2-3_4_5. Access restrictions for change
- HITRUST CSF-01_v. Information access restriction
- HITRUST CSF-01_w. Sensitive system isolation
- HITRUST CSF-09_d. Separation of development, test and operational environments
- FedRAMP-AC-22. Publicly accessible content
- FedRAMP-CM-5_5. Access restrictions for change - Limit production, operational privileges
- ISO/IEC 27002-8_4. Access to source code
- WASSEC-6_2_4_3. Command execution - OS command injection
- WASSEC-6_2_4_8. Command execution - Remote file includes
- WASC-A_12. Content spoofing
- WASC-A_31. OS commanding
- WASC-A_05. Remote file inclusion (RFI)
- ISSAF-P_6_1. Host security - Linux security (remote attacks)
- ISSAF-P_6_15. Host security - Linux security (local attacks)
- ISSAF-Q_16_20. Host security - Windows security (local attacks)
- ISSAF-U_11. Web application SQL injections - Get control on host
- ISSAF-V_13. Application security - Source code auditing (command injection)
- CWE TOP 25-77. Improper neutralization of special elements used in a command (command injection)
- CWE TOP 25-78. Improper neutralization of special elements used in an OS command (OS command injection)
- CWE TOP 25-306. Missing authentication for critical function
- OWASP ASVS-1_4_1. Access control architecture
- OWASP ASVS-5_2_5. Sanitization and sandboxing
- OWASP ASVS-5_3_8. Output encoding and injection prevention
- PCI DSS-1_4_3. Implement anti-spoofing measures
- OWASP ASVS-12_3_5. File execution
- OWASP API Security Top 10-API1. Broken Object Level Authorization
- OWASP API Security Top 10-API6. Unrestricted Access to Sensitive Business Flows
- ISO/IEC 27001-8_4. Access to source code
- CASA-1_4_1. Access Control Architecture
- CASA-5_2_5. Sanitization and Sandboxing
- CASA-5_3_8. Output Encoding and Injection Prevention
- Resolution SB 2021 2126-Art_26_11_d. Information Security
- FISMA-IA-2. Identification and authentication (organizational users)
- SANS 25-5. Improper neutralization of special elements used in an OS command (OS command injection)
- SANS 25-16. Improper neutralization of special elements used in a command (command injection)
- SANS 25-20. Missing authentication for critical function
Vulnerabilities
- 004. Remote command execution
- 032. Spoofing
- 039. Improper authorization control for web services
- 056. Anonymous connection
- 061. Remote File Inclusion
- 073. Improper authorization control for web services - RDS
- 101. Lack of protection against deletion
- 165. Insecure service configuration - AWS
- 256. Lack of protection against deletion - RDS
- 257. Lack of protection against deletion - EC2
- 258. Lack of protection against deletion - ELB
- 259. Lack of protection against deletion - DynamoDB
- 404. OS Command Injection
- 405. Excessive privileges - Access Mode
- 412. Lack of protection against deletion - Azure Key Vault
- 422. Server side template injection
- 434. Client-side template injection
- 445. Bucket takeover