ISSAF

Summary

The Information Systems Security Assessment Framework is designed to evaluate the network, system and application controls in penetration testing methodology. The version used in this section is ISSAF 0.2.1B.

Definitions

Definition	Requirements
A_2_4. Assessment - Penetration	035. Manage privilege modifications
A_2_7. Assessment - Compromise remote users or sites	338. Implement perfect forward secrecy
D_8. Network security - Password security testing (countermeasures)	127. Store hashed passwords 133. Passwords with at least 20 characters 134. Store passwords with salt 135. Passwords with random salt 332. Prevent the use of breached passwords 334. Avoid knowledge-based authentication
E_1. Network security - Switch security assessment	062. Define standard configurations 273. Define a fixed security suite
D_1. Network security - Password security testing (gathering authentication credentials)	130. Limit password lifespan 132. Passphrases with at least 4 words 133. Passwords with at least 20 characters 139. Set minimum OTP length 332. Prevent the use of breached passwords
E_13. Network security - Switch security assessment (assess private VLAN attack)	255. Allow access only to the necessary ports
E_21. Network security - Switch security assessment (VLAN reconfiguration)	148. Set minimum size of asymmetric encryption 150. Set minimum size for hash functions
E_22. Network security - Switch security assessment (layer 2 port authentication)	072. Set maximum response time 327. Set a rate limit
F_1. Network security - Router security assessment (router identification)	266. Disable insecure functionalities
F_2. Network security - Router security assessment (common issues assessment)	062. Define standard configurations
F_5. Network security - Router security assessment (global countermeasures)	062. Define standard configurations
F_5_1. Network security - Router security assessment (turn on logging)	376. Register severity level
F_5_2. Network security - Router security assessment (limit telnet)	181. Transmit data using secure protocols
F_5_3. Network security - Router security assessment (protect passwords)	148. Set minimum size of asymmetric encryption 150. Set minimum size for hash functions
F_5_7. Network security - Router security assessment (disable non-essential services)	161. Define secure default options
F_5_9. Network security - Router security assessment (configure ingress filtering)	173. Discard unsafe inputs 320. Avoid client-side control enforcement 342. Validate request parameters
G_9_8. Network security - Firewalls (identify firewall architecture)	142. Change system default credentials 161. Define secure default options
G_12. Network security - Firewalls (port redirection)	153. Out of band transactions 173. Discard unsafe inputs 377. Store logs based on valid regulation
G_13_4. Network security - Firewalls (application level)	273. Define a fixed security suite
G_14. Network security - Firewalls (countermeasures)	153. Out of band transactions 253. Restrict network access 258. Filter website content
G_15. Network security - Firewalls (compromise remote users/sites)	153. Out of band transactions 181. Transmit data using secure protocols 320. Avoid client-side control enforcement
H_14_3. Network security - Intrusion detection (detection engine)	178. Use digital signatures
H_14_7. Network security - Intrusion detection (detection engine)	075. Record exceptional events in logs 080. Prevent log modification 227. Display access notification
H_14_13. Network security - Intrusion detection (detection engine)	072. Set maximum response time 327. Set a rate limit
H_14_17. Network security - Intrusion detection (detection engine)	148. Set minimum size of asymmetric encryption 149. Set minimum size of symmetric encryption 150. Set minimum size for hash functions 181. Transmit data using secure protocols 336. Disable insecure TLS versions
H_15_9. Network security - Intrusion detection (rule configuration and management interface)	152. Reuse database connections 172. Encrypt connection strings
H_16_5. Network security - Intrusion detection (logging systems)	075. Record exceptional events in logs 181. Transmit data using secure protocols
J_4. Network security - Anti-virus system (objective)	041. Scan files for malicious code 118. Inspect attachments 273. Define a fixed security suite
J_6_1. Network security - Anti-virus system (methodology)	273. Define a fixed security suite
J_6_4. Network security - Anti-virus system (methodology)	115. Filter malicious emails 118. Inspect attachments
J_7_2. Network security - Anti-virus system (check end user antivirus)	273. Define a fixed security suite 353. Schedule firmware updates
J_7_3_5. Network security - Anti-virus system (methodology)	040. Compare file format and extension 266. Disable insecure functionalities
K_9_1. Network security - Storage Area Network SAN (practices for the data-at-rest)	039. Define maximum file size 176. Restrict system objects 185. Encrypt sensitive information 249. Locate access points 329. Keep client-side storage without sensitive data 339. Avoid storing sensitive files in the web root
L_3_1. Network security - WLAN security (types of threats)	247. Hide SSID on private networks 253. Restrict network access
L_4_3. Network security - WLAN security (audit and review)	248. SSID without dictionary words 250. Manage access points 254. Change SSID name 255. Allow access only to the necessary ports 353. Schedule firmware updates
L_4_5_6. Network security - WLAN security (exploitation and attacks)	181. Transmit data using secure protocols
L_8. Network security - WLAN security (global countermeasures)	252. Configure key encryption
P_4. Host security - Linux security (identify ports and services)	237. Ascertain human interaction 266. Disable insecure functionalities 327. Set a rate limit
P_4_1. Host security - Linux security (identify ports and users)	266. Disable insecure functionalities
P_6_1. Host security - Linux security (remote attacks)	173. Discard unsafe inputs 265. Restrict access to critical processes 266. Disable insecure functionalities
P_6_3. Host security - Linux security (buffer overflows)	158. Use a secure programming language 164. Use optimized structures 173. Discard unsafe inputs 345. Establish protections against overflows
P_6_4. Host security - Linux security (stack based overflows)	345. Establish protections against overflows
P_6_5. Host security - Linux security (heap based overflows)	345. Establish protections against overflows
P_6_6. Host security - Linux security (integer overflows)	345. Establish protections against overflows
P_6_15. Host security - Linux security (local attacks)	035. Manage privilege modifications 096. Set user's required privileges 173. Discard unsafe inputs 176. Restrict system objects 265. Restrict access to critical processes 320. Avoid client-side control enforcement
P_6_16. Host security - Linux security (file and directory permission attacks)	323. Exclude unverifiable files
Q_8_6_1. Host security - Windows security (brute force passwords or remote attack)	237. Ascertain human interaction 327. Set a rate limit
Q_16_10. Host security - Windows security (SMB attacks)	134. Store passwords with salt 135. Passwords with random salt 150. Set minimum size for hash functions 266. Disable insecure functionalities
Q_16_13. Host security - Windows security (registry attacks)	154. Eliminate backdoors
Q_16_20. Host security - Windows security (local attacks)	035. Manage privilege modifications 096. Set user's required privileges 144. Remove inactive accounts periodically 173. Discard unsafe inputs 176. Restrict system objects 265. Restrict access to critical processes
Q_16_27. Host security - Windows security (DLL injection attack)	040. Compare file format and extension 041. Scan files for malicious code
Q_16_34. Host security - Windows security (denial of service attacks)	072. Set maximum response time 237. Ascertain human interaction
S_5_1. Web server security - Countermeasures (secure administrative access)	033. Restrict administrative access 096. Set user's required privileges 284. Define maximum number of connections
S_5_4. Web server security - Countermeasures (enable logging and do periodic analysis)	075. Record exceptional events in logs 080. Prevent log modification
S_5_7. Web server security - Countermeasures (Compartmentalize web server process)	374. Use of isolation methods in running applications
S_5_8. Web server security - Countermeasures (run as a non-root user)	326. Detect rooted devices
T_6_4. Web application assessment - Identifying web server vendor and version (default files)	161. Define secure default options
T_6_5. Web application assessment - Identifying web server vendor and version (by extension of pages on web server)	355. Serve files with specific extensions
T_6_6. Web application assessment - Identifying web server vendor and version (by error)	077. Avoid disclosing technical information 152. Reuse database connections 169. Use parameterized queries
T_6_10. Web application assessment - Test view source bugs	156. Source code without sensitive information
T_10_1. Web application assessment – Attack on secure HTTP	181. Transmit data using secure protocols 349. Include HTTP security headers
T_11_1. Web application assessment - Brute force attack	237. Ascertain human interaction 327. Set a rate limit
T_12_2. Web application assessment - Browsable directories check	176. Restrict system objects 266. Disable insecure functionalities
T_13_2. Web application assessment - Test invalidated parameters (Cross Site Scripting)	029. Cookies with security attributes 173. Discard unsafe inputs
T_13_3. Web application assessment - Test invalidated parameters (Cross Site Tracing)	029. Cookies with security attributes 266. Disable insecure functionalities
T_14_1. Web application assessment - URL manipulation	032. Avoid session ID leakages 336. Disable insecure TLS versions
T_14_2. Web application assessment - Hidden form fields manipulation	173. Discard unsafe inputs
T_14_3. Web application assessment - Cookie manipulation	029. Cookies with security attributes 329. Keep client-side storage without sensitive data
T_16_1. Web application assessment - Input validation (validate data)	029. Cookies with security attributes 077. Avoid disclosing technical information 173. Discard unsafe inputs 320. Avoid client-side control enforcement 342. Validate request parameters
T_16_2. Web application assessment - Input Validation (test buffer overflow)	327. Set a rate limit 345. Establish protections against overflows
T_16_3. Web application assessment - Input Validation (PHP insertion)	077. Avoid disclosing technical information 176. Restrict system objects
T_17. Web application assessment - Test SQL injection	169. Use parameterized queries 173. Discard unsafe inputs
T_19_1. Web application assessment - Global Countermeasures (client-side)	023. Terminate inactive user sessions 029. Cookies with security attributes 030. Avoid object reutilization 123. Restrict the reading of emails 173. Discard unsafe inputs 336. Disable insecure TLS versions 375. Remove sensitive data from client-side applications
T_19_2. Web application assessment - Global Countermeasures (server-side)	225. Proper authentication responses 261. Avoid exposing sensitive information 339. Avoid storing sensitive files in the web root 376. Register severity level
U_8. Web application SQL injections - Check SQL injection vulnerability	173. Discard unsafe inputs
U_9. Web application SQL injections - Bypass user authentication	143. Unique access credentials 144. Remove inactive accounts periodically 332. Prevent the use of breached passwords
U_11. Web application SQL injections - Get control on host	096. Set user's required privileges 173. Discard unsafe inputs 176. Restrict system objects 265. Restrict access to critical processes
U_15. Web application SQL injections – Countermeasures	037. Parameters without sensitive data 096. Set user's required privileges 156. Source code without sensitive information 158. Use a secure programming language 164. Use optimized structures 167. Close unused resources 169. Use parameterized queries 173. Discard unsafe inputs 342. Validate request parameters 359. Avoid using generic exceptions
V_6_1. Application security - Source code auditing (authentication)	176. Restrict system objects
V_6_3. Application security - Source code auditing (hash or digest authentication)	127. Store hashed passwords 333. Store salt values separately
V_6_4. Application security - Source code auditing (forms based authentication)	088. Request client certificates 090. Use valid certificates
V_7. Application security - Source code auditing (session management)	342. Validate request parameters
V_9. Application security - Source code auditing (data and input validation)	173. Discard unsafe inputs 237. Ascertain human interaction 342. Validate request parameters
V_10. Application security - Source code auditing (Cross Site Scripting XSS)	029. Cookies with security attributes 173. Discard unsafe inputs 324. Control redirects
V_11. Application security - Source code auditing (buffer overflows)	345. Establish protections against overflows
V_12. Application security - Source code auditing (error handling)	225. Proper authentication responses
V_13. Application security - Source code auditing (command injection)	173. Discard unsafe inputs 265. Restrict access to critical processes 266. Disable insecure functionalities
Y_2. Database Security - Oracle security assessment	181. Transmit data using secure protocols
Y_3_1. Database Security - Database services countermeasures	133. Passwords with at least 20 characters 142. Change system default credentials 161. Define secure default options 229. Request access credentials
Y_3_4. Database Security - Database services countermeasures	035. Manage privilege modifications 046. Manage the integrity of critical files

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.

ISSAF | Compliance | Fluid Attacks Help

ISSAF

Summary

Definitions