Request authentication
Summary
The system must require authentication for all resources, except for the consultation or visualization of those specifically classified as public.
Description
Sometimes systems have information and other resources that are not considered public. These resources should be protected by a secure authentication mechanism that prevents unauthorized actors from accessing them.
Supported In
This requirement is verified in following services
| Plan | Supported |
|---|---|
| Essential | 🟢 |
| Advanced | 🟢 |
References
- CAPECâ„¢-1. Accessing functionality not properly constrained by ACLs
- CAPECâ„¢-36. Using unpublished interfaces
- CAPECâ„¢-115. Authentication bypass
- CWEâ„¢-287. Improper authentication
- CWEâ„¢-306. Missing authentication for critical function
- CWEâ„¢-603. Use of client-side authentication
- CWEâ„¢-1390. Weak Authentication
- NERC CIP-003-8_3_2. Electronic access controls
- NERC CIP-005-5_R1_4. Electronic security perimeter
- NERC CIP-007-6_R5_1. System access control
- OWASP TOP 10-A2. Cryptographic failures
- OWASP TOP 10-A7. Identification and authentication failures
- SOC2®-CC6_1. Logical and physical access controls
- NYDFS-500_12. Multi-factor authentication
- SANS 25-13. Improper authentication
- SANS 25-18. Use of hard-coded credentials
- SANS 25-20. Missing authentication for critical function
- SANS 25-21. Concurrent execution using shared resource with improper synchronization (Race condition)
- POPIA-3A_19. Security measures on integrity and confidentiality of personal information
- POPIA-3A_23. Access to personal information
- PDPO-5_18. Data access request
- PDPO-S1_4. Security of personal data
- PDPO-S1_6. Access to personal data
- CMMC-AC_L1-3_1_2. Transaction & function control
- CMMC-IA_L1-3_5_2. Authentication
- CMMC-MP_L2-3_8_2. Media access
- HITRUST CSF-01_q. User identification and authentication
- HITRUST CSF-01_x. Mobile computing and communications
- FedRAMP-MP-2. Media access
- ISA/IEC 62443-IAC-1_2. Software process and device identification and authentication
- ISA/IEC 62443-CR-1_1-RE_1. Unique identification and authentication
- WASSEC-2_1. Authentication schemes
- WASSEC-6_2_1_2. Authentication - Insufficient authentication
- OSSTMM3-10_5_3. Telecommunications security (access verification) - Authentication
- WASC-W_17. Improper filesystem permissions
- WASC-W_01. Insufficient authentication
- FERPA-D_31_c. Conditions of prior consent required to disclose information
- NIST SSDF-PW_1_1. Design software to meet security requirements and mitigate security risks
- OWASP SCP-12. File management
- BSAFSS-IA_1-1. Software development environment authenticates users and operators
- BSAFSS-AA_1-3. Authorization and access controls
- NIST 800-171-1_17. Protect wireless access using authentication and encryption
- CWE TOP 25-287. Improper authentication
- CWE TOP 25-362. Concurrent execution using shared resource with improper synchronization (Race condition)
- CWE TOP 25-306. Missing authentication for critical function
- CWE TOP 25-798. Use of hard-coded credentials
- OWASP ASVS-1_2_3. Authentication architecture
- OWASP ASVS-14_1_5. Build and deploy
- C2M2-4_1_a. Establish identities and manage authentication
- PCI DSS-8_3_3. Strong authentication for users and administrators is established
- SIG Core-G_3_4. Operations management
- SIG Core-I_1_3_1. Application security
- OWASP ASVS-4_3_1. Other access control considerations
- OWASP ASVS-9_2_3. Server communication security
- OWASP ASVS-13_4_1. GraphQL
- OWASP API Security Top 10-API2. Broken Authentication
- OWASP API Security Top 10-API5. Broken Function Level Authorization
- CASA-1_2_3. Authentication Architecture
- CASA-1_4_4. Access Control Architecture
- CASA-2_10_1. Service Authentication
- CASA-4_3_1. Other Access Control Considerations
- CASA-14_1_5. Build and Deploy
- Resolution SB 2021 2126-Art_27_11. Security in Electronic Channels
- Resolution SB 2021 2126-Art_28_2. Security in Electronic Channels - ATMs
- Resolution SB 2021 2126-Art_28_5. Security in Electronic Channels - ATMs
- Resolution SB 2021 2126-Art_29_1. Security in Electronic Channels - Points of Sale (POS and PIN Pad)
- NIST CSF-PR_AA-03. Users, services, and hardware are authenticated
Vulnerabilities
- 006.Authentication mechanism absence or evasion
- 018.Improper authentication for shared folders
- 020.Non-encrypted confidential information
- 056.Anonymous connection
- 075.Unauthorized access to files - APK Content Provider
- 081.Lack of multi-factor authentication
- 095.Data uniqueness not properly verified
- 099.Non-encrypted confidential information - S3 Server Side Encryption
- 201.Unauthorized access to files
- 202.Unauthorized access to files - Debug APK
- 203.Unauthorized access to files - Cloud Storage Services
- 204.Insufficient data authenticity validation
- 240.Authentication mechanism absence or evasion - OTP
- 241.Authentication mechanism absence or evasion - AWS
- 242.Authentication mechanism absence or evasion - WiFi
- 243.Authentication mechanism absence or evasion - Admin Console
- 244.Authentication mechanism absence or evasion - BIOS
- 245.Non-encrypted confidential information - Credit Cards
- 246.Non-encrypted confidential information - DB
- 247.Non-encrypted confidential information - AWS
- 248.Non-encrypted confidential information - LDAP
- 249.Non-encrypted confidential information - Credentials
- 251.Non-encrypted confidential information - JFROG
- 275.Non-encrypted confidential information - Local data
- 284.Non-encrypted confidential information - Base 64
- 298.Authentication mechanism absence or evasion - Redirect
- 299.Authentication mechanism absence or evasion - JFROG
- 300.Authentication mechanism absence or evasion - Azure
- 310.Unauthorized access to screen
- 365.Authentication mechanism absence or evasion - Response tampering
- 370.Authentication mechanism absence or evasion - Security Image
- 378.Non-encrypted confidential information - Hexadecimal
- 441.Non-encrypted confidential information - Azure
Free trial
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.