Restrict access to critical processes
Summary
The system must restrict access to system functions that execute critical business processes, allowing only authorized users.
Description
Systems must enforce access controls at trusted enforcement points, that is, server-side components the client cannot bypass or tamper with. They must also have a clear definition of user roles and the privileges each role grants. Functions that execute critical business processes must be available only to authenticated users whose roles carry the required privileges, and the check must run on every invocation of the function, not only at the user-interface entry point that leads to it.
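The following is an added example written for this page (not Fluid Attacks' code). It shows a server-side enforcement point that gates a critical business function behind authentication plus a deny-by-default role-to-privilege mapping, next to a deliberately vulnerable variant that trusts a client-supplied flag instead. The role names, privilege names and the payment function are assumptions made for illustration.

```python
"""Added example: role-based enforcement point for a critical business function.
Illustrative code written for this page; the roles, privileges and the
`approve_payment` function are assumed, not taken from any real system."""
from dataclasses import dataclass, field
from functools import wraps
from typing import Callable, FrozenSet, Optional


class AccessDenied(Exception):
    """Raised by the enforcement point before the critical function runs."""


@dataclass(frozen=True)
class Principal:
    """An authenticated caller, as established by the session layer (assumed)."""
    user_id: str
    roles: FrozenSet[str] = field(default_factory=frozenset)


# Assumed policy: explicit role -> privilege mapping. Anything not listed
# here is denied, so a new or unknown role grants nothing by default.
ROLE_PRIVILEGES = {
    "finance_admin": frozenset({"payments:approve", "payments:view"}),
    "finance_clerk": frozenset({"payments:view"}),
}


def privileges_for(principal: Principal) -> FrozenSet[str]:
    """Union of the privileges granted by each of the principal's roles."""
    granted: FrozenSet[str] = frozenset()
    for role in principal.roles:
        granted |= ROLE_PRIVILEGES.get(role, frozenset())
    return granted


def requires(privilege: str) -> Callable:
    """Decorator: the trusted enforcement point. It runs on every call,
    rejects anonymous callers (CWE-306) and callers whose roles lack the
    privilege, and only then lets the critical function execute."""
    def decorator(fn: Callable) -> Callable:
        @wraps(fn)
        def wrapper(principal: Optional[Principal], *args, **kwargs):
            if principal is None:
                raise AccessDenied("authentication required")
            if privilege not in privileges_for(principal):
                raise AccessDenied(f"{principal.user_id} lacks {privilege}")
            return fn(principal, *args, **kwargs)
        return wrapper
    return decorator


@requires("payments:approve")
def approve_payment(principal: Principal, payment_id: str, amount: int) -> dict:
    """Critical business function: only reachable through the decorator."""
    return {"payment_id": payment_id, "amount": amount,
            "approved_by": principal.user_id}


def try_approve(principal: Optional[Principal], payment_id: str, amount: int):
    """Helper for the demonstration: ('ok', result) or ('denied', reason)."""
    try:
        return ("ok", approve_payment(principal, payment_id, amount))
    except AccessDenied as exc:
        return ("denied", str(exc))


def approve_payment_client_trusted(request: dict) -> dict:
    """DELIBERATELY VULNERABLE variant (kept for contrast): the decision is
    based on an `is_admin` field the client sends, so any caller who sets
    the flag reaches the critical function without authentication or a
    server-side role check."""
    if not request.get("is_admin"):
        return {"approved": False}
    return {"approved": True, "payment_id": request["payment_id"],
            "approved_by": request.get("user", "anonymous")}


if __name__ == "__main__":
    clerk = Principal("clerk1", frozenset({"finance_clerk"}))
    admin = Principal("admin1", frozenset({"finance_admin"}))
    print(try_approve(None, "pay-1", 500))    # denied: not authenticated
    print(try_approve(clerk, "pay-1", 500))   # denied: role lacks privilege
    print(try_approve(admin, "pay-1", 500))   # ok
    # Constructed malicious request against the vulnerable variant:
    print(approve_payment_client_trusted(
        {"user": "anonymous", "is_admin": True, "payment_id": "pay-1"}))
```

The decorator is the enforcement point: because `approve_payment` cannot be called without passing through it, hiding the UI button or link is never what protects the function. Replacing `ROLE_PRIVILEGES` with a lookup against the system's real role store keeps the same shape; the important properties are that the lookup is server-side, deny-by-default and evaluated on every call.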
Supported In
This requirement is verified in the following services:

| Plan | Supported |
|---|---|
| Machine | 🟢 |
| Squad | 🟢 |
References
- CAPEC™-13. Subverting environment variable values
- CAPEC™-122. Privilege abuse
- CAPEC™-690. Metadata Spoofing
- CIS-2_7. Allowlist authorized scripts
- CWE™-306. Missing authentication for critical function
- CWE™-78. Improper neutralization of special elements used in an OS command ("OS command injection")
- CWE™-98. Improper control of filename for include/require statement in PHP program ("PHP remote file inclusion")
- ePrivacy Directive-4_1a. Security of processing
- NIST 800-53-IA-2. Identification and authentication (organizational users)
- OWASP TOP 10-A1. Broken access control
- OWASP TOP 10-A7. Identification and authentication failures
- MITRE ATT&CK®-M1025. Privileged process integrity
- PA-DSS-5_2_8. Improper access controls
- SANS 25-17. Improper Neutralization of Special Elements used in a Command ('Command Injection')
- CMMC-AC_L1-3_1_1. Authorized access control
- CMMC-AC_L1-3_1_2. Transaction & function control
- CMMC-CM_L2-3_4_5. Access restrictions for change
- HITRUST CSF-01_v. Information access restriction
- HITRUST CSF-01_w. Sensitive system isolation
- HITRUST CSF-09_d. Separation of development, test and operational environments
- FedRAMP-AC-22. Publicly accessible content
- FedRAMP-CM-5_5. Access restrictions for change - Limit production, operational privileges
- ISO/IEC 27002-8_4. Access to source code
- WASSEC-6_2_4_3. Command execution - OS command injection
- WASSEC-6_2_4_8. Command execution - Remote file includes
- WASC-A_12. Content spoofing
- WASC-A_31. OS commanding
- WASC-A_05. Remote file inclusion (RFI)
- ISSAF-P_6_1. Host security - Linux security (remote attacks)
- ISSAF-P_6_15. Host security - Linux security (local attacks)
- ISSAF-Q_16_20. Host security - Windows security (local attacks)
- ISSAF-U_11. Web application SQL injections - Get control on host
- ISSAF-V_13. Application security - Source code auditing (command injection)
- CWE TOP 25-78. Improper neutralization of special elements used in an OS command (OS command injection)
- CWE TOP 25-306. Missing authentication for critical function
- OWASP ASVS-1_4_1. Access control architecture
- OWASP ASVS-5_2_5. Sanitization and sandboxing
- OWASP ASVS-5_3_8. Output encoding and injection prevention
- PCI DSS-1_4_3. Implement anti-spoofing measures
- OWASP ASVS-12_3_5. File execution
- OWASP API Security Top 10-API1. Broken Object Level Authorization
- ISO/IEC 27001-8_4. Access to source code
- CASA-1_4_1. Access Control Architecture
- CASA-5_2_5. Sanitization and Sandboxing
- CASA-5_3_8. Output Encoding and Injection Prevention
- Resolution SB 2021 2126-Art_26_11_d. Information Security
Vulnerabilities
- 004. Remote command execution
- 032. Spoofing
- 039. Improper authorization control for web services
- 056. Anonymous connection
- 061. Remote File Inclusion
- 073. Improper authorization control for web services - RDS
- 101. Lack of protection against deletion
- 165. Insecure service configuration - AWS
- 256. Lack of protection against deletion - RDS
- 257. Lack of protection against deletion - EC2
- 258. Lack of protection against deletion - ELB
- 259. Lack of protection against deletion - DynamoDB
- 404. OS Command Injection
- 405. Excessive privileges - Access Mode
- 412. Lack of protection against deletion - Azure Key Vault
- 422. Server side template injection
- 434. Client-side template injection