ISSAF

Summary

The Information Systems Security Assessment Framework is designed to evaluate the network, system and application controls in penetration testing methodology. The version used in this section is ISSAF 0.2.1B.

Definitions

Definition	Requirements
ISSAF-A_2_4. Assessment - Penetration	035. Manage privilege modifications
ISSAF-A_2_7. Assessment - Compromise remote users or sites	338. Implement perfect forward secrecy
ISSAF-D_8. Network security - Password security testing (countermeasures)	127. Store hashed passwords 133. Passwords with at least 20 characters 134. Store passwords with salt 135. Passwords with random salt 332. Prevent the use of breached passwords 334. Avoid knowledge-based authentication
ISSAF-E_1. Network security - Switch security assessment	273. Define a fixed security suite 062. Define standard configurations
ISSAF-D_1. Network security - Password security testing (gathering authentication credentials)	130. Limit password lifespan 132. Passphrases with at least 4 words 133. Passwords with at least 20 characters 139. Set minimum OTP length 332. Prevent the use of breached passwords
ISSAF-E_13. Network security - Switch security assessment (assess private VLAN attack)	255. Allow access only to the necessary ports
ISSAF-E_21. Network security - Switch security assessment (VLAN reconfiguration)	148. Set minimum size of asymmetric encryption 150. Set minimum size for hash functions
ISSAF-E_22. Network security - Switch security assessment (layer 2 port authentication)	327. Set a rate limit 072. Set maximum response time
ISSAF-F_1. Network security - Router security assessment (router identification)	266. Disable insecure functionalities
ISSAF-F_2. Network security - Router security assessment (common issues assessment)	062. Define standard configurations
ISSAF-F_5. Network security - Router security assessment (global countermeasures)	062. Define standard configurations
ISSAF-F_5_1. Network security - Router security assessment (turn on logging)	376. Register severity level
ISSAF-F_5_2. Network security - Router security assessment (limit telnet)	181. Transmit data using secure protocols
ISSAF-F_5_3. Network security - Router security assessment (protect passwords)	148. Set minimum size of asymmetric encryption 150. Set minimum size for hash functions
ISSAF-F_5_7. Network security - Router security assessment (disable non-essential services)	161. Define secure default options
ISSAF-F_5_9. Network security - Router security assessment (configure ingress filtering)	173. Discard unsafe inputs 320. Avoid client-side control enforcement 342. Validate request parameters
ISSAF-G_9_8. Network security - Firewalls (identify firewall architecture)	142. Change system default credentials 161. Define secure default options
ISSAF-G_12. Network security - Firewalls (port redirection)	153. Out of band transactions 173. Discard unsafe inputs 377. Store logs based on valid regulation
ISSAF-G_13_4. Network security - Firewalls (application level)	273. Define a fixed security suite
ISSAF-G_14. Network security - Firewalls (countermeasures)	153. Out of band transactions 253. Restrict network access 258. Filter website content
ISSAF-G_15. Network security - Firewalls (compromise remote users/sites)	153. Out of band transactions 181. Transmit data using secure protocols 320. Avoid client-side control enforcement
ISSAF-H_14_3. Network security - Intrusion detection (detection engine)	178. Use digital signatures
ISSAF-H_14_7. Network security - Intrusion detection (detection engine)	227. Display access notification 075. Record exceptional events in logs 080. Prevent log modification
ISSAF-H_14_13. Network security - Intrusion detection (detection engine)	327. Set a rate limit 072. Set maximum response time
ISSAF-H_14_17. Network security - Intrusion detection (detection engine)	148. Set minimum size of asymmetric encryption 149. Set minimum size of symmetric encryption 150. Set minimum size for hash functions 181. Transmit data using secure protocols 336. Disable insecure TLS versions
ISSAF-H_15_9. Network security - Intrusion detection (rule configuration and management interface)	152. Reuse database connections 172. Encrypt connection strings
ISSAF-H_16_5. Network security - Intrusion detection (logging systems)	181. Transmit data using secure protocols 075. Record exceptional events in logs
ISSAF-J_4. Network security - Anti-virus system (objective)	118. Inspect attachments 273. Define a fixed security suite 041. Scan files for malicious code
ISSAF-J_6_1. Network security - Anti-virus system (methodology)	273. Define a fixed security suite
ISSAF-J_6_4. Network security - Anti-virus system (methodology)	115. Filter malicious emails 118. Inspect attachments
ISSAF-J_7_2. Network security - Anti-virus system (check end user antivirus)	273. Define a fixed security suite 353. Schedule firmware updates
ISSAF-J_7_3_5. Network security - Anti-virus system (methodology)	266. Disable insecure functionalities 040. Compare file format and extension
ISSAF-K_9_1. Network security - Storage Area Network SAN (practices for the data-at-rest)	176. Restrict system objects 185. Encrypt sensitive information 249. Locate access points 329. Keep client-side storage without sensitive data 339. Avoid storing sensitive files in the web root 039. Define maximum file size
ISSAF-L_3_1. Network security - WLAN security (types of threats)	247. Hide SSID on private networks 253. Restrict network access
ISSAF-L_4_3. Network security - WLAN security (audit and review)	248. SSID without dictionary words 250. Manage access points 254. Change SSID name 255. Allow access only to the necessary ports 353. Schedule firmware updates
ISSAF-L_4_5_6. Network security - WLAN security (exploitation and attacks)	181. Transmit data using secure protocols
ISSAF-L_8. Network security - WLAN security (global countermeasures)	252. Configure key encryption
ISSAF-P_4. Host security - Linux security (identify ports and services)	237. Ascertain human interaction 266. Disable insecure functionalities 327. Set a rate limit
ISSAF-P_4_1. Host security - Linux security (identify ports and users)	266. Disable insecure functionalities
ISSAF-P_6_1. Host security - Linux security (remote attacks)	173. Discard unsafe inputs 265. Restrict access to critical processes 266. Disable insecure functionalities
ISSAF-P_6_3. Host security - Linux security (buffer overflows)	158. Use a secure programming language 164. Use optimized structures 173. Discard unsafe inputs 345. Establish protections against overflows
ISSAF-P_6_4. Host security - Linux security (stack based overflows)	345. Establish protections against overflows
ISSAF-P_6_5. Host security - Linux security (heap based overflows)	345. Establish protections against overflows
ISSAF-P_6_6. Host security - Linux security (integer overflows)	345. Establish protections against overflows
ISSAF-P_6_15. Host security - Linux security (local attacks)	173. Discard unsafe inputs 176. Restrict system objects 265. Restrict access to critical processes 320. Avoid client-side control enforcement 035. Manage privilege modifications 096. Set user's required privileges
ISSAF-P_6_16. Host security - Linux security (file and directory permission attacks)	323. Exclude unverifiable files
ISSAF-Q_8_6_1. Host security - Windows security (brute force passwords or remote attack)	237. Ascertain human interaction 327. Set a rate limit
ISSAF-Q_16_10. Host security - Windows security (SMB attacks)	134. Store passwords with salt 135. Passwords with random salt 150. Set minimum size for hash functions 266. Disable insecure functionalities
ISSAF-Q_16_13. Host security - Windows security (registry attacks)	154. Eliminate backdoors
ISSAF-Q_16_20. Host security - Windows security (local attacks)	144. Remove inactive accounts periodically 173. Discard unsafe inputs 176. Restrict system objects 265. Restrict access to critical processes 035. Manage privilege modifications 096. Set user's required privileges
ISSAF-Q_16_27. Host security - Windows security (DLL injection attack)	040. Compare file format and extension 041. Scan files for malicious code
ISSAF-Q_16_34. Host security - Windows security (denial of service attacks)	237. Ascertain human interaction 072. Set maximum response time
ISSAF-S_5_1. Web server security - Countermeasures (secure administrative access)	284. Define maximum number of connections 033. Restrict administrative access 096. Set user's required privileges
ISSAF-S_5_4. Web server security - Countermeasures (enable logging and do periodic analysis)	075. Record exceptional events in logs 080. Prevent log modification
ISSAF-S_5_7. Web server security - Countermeasures (Compartmentalize web server process)	374. Use of isolation methods in running applications
ISSAF-S_5_8. Web server security - Countermeasures (run as a non-root user)	326. Detect rooted devices
ISSAF-T_6_4. Web application assessment - Identifying web server vendor and version (default files)	161. Define secure default options
ISSAF-T_6_5. Web application assessment - Identifying web server vendor and version (by extension of pages on web server)	355. Serve files with specific extensions
ISSAF-T_6_6. Web application assessment - Identifying web server vendor and version (by error)	152. Reuse database connections 169. Use parameterized queries 077. Avoid disclosing technical information
ISSAF-T_6_10. Web application assessment - Test view source bugs	156. Source code without sensitive information
ISSAF-T_10_1. Web application assessment – Attack on secure HTTP	181. Transmit data using secure protocols 349. Include HTTP security headers
ISSAF-T_11_1. Web application assessment - Brute force attack	237. Ascertain human interaction 327. Set a rate limit
ISSAF-T_12_2. Web application assessment - Browsable directories check	176. Restrict system objects 266. Disable insecure functionalities
ISSAF-T_13_2. Web application assessment - Test invalidated parameters (Cross Site Scripting)	173. Discard unsafe inputs 029. Cookies with security attributes
ISSAF-T_13_3. Web application assessment - Test invalidated parameters (Cross Site Tracing)	266. Disable insecure functionalities 029. Cookies with security attributes
ISSAF-T_14_1. Web application assessment - URL manipulation	336. Disable insecure TLS versions 032. Avoid session ID leakages
ISSAF-T_14_2. Web application assessment - Hidden form fields manipulation	173. Discard unsafe inputs
ISSAF-T_14_3. Web application assessment - Cookie manipulation	329. Keep client-side storage without sensitive data 029. Cookies with security attributes
ISSAF-T_16_1. Web application assessment - Input validation (validate data)	173. Discard unsafe inputs 320. Avoid client-side control enforcement 342. Validate request parameters 029. Cookies with security attributes 077. Avoid disclosing technical information
ISSAF-T_16_2. Web application assessment - Input Validation (test buffer overflow)	327. Set a rate limit 345. Establish protections against overflows
ISSAF-T_16_3. Web application assessment - Input Validation (PHP insertion)	176. Restrict system objects 077. Avoid disclosing technical information
ISSAF-T_17. Web application assessment - Test SQL injection	169. Use parameterized queries 173. Discard unsafe inputs
ISSAF-T_19_1. Web application assessment - Global Countermeasures (client-side)	123. Restrict the reading of emails 173. Discard unsafe inputs 336. Disable insecure TLS versions 375. Remove sensitive data from client-side applications 023. Terminate inactive user sessions 029. Cookies with security attributes 030. Avoid object reutilization
ISSAF-T_19_2. Web application assessment - Global Countermeasures (server-side)	225. Proper authentication responses 261. Avoid exposing sensitive information 339. Avoid storing sensitive files in the web root 376. Register severity level
ISSAF-U_8. Web application SQL injections - Check SQL injection vulnerability	173. Discard unsafe inputs
ISSAF-U_9. Web application SQL injections - Bypass user authentication	143. Unique access credentials 144. Remove inactive accounts periodically 332. Prevent the use of breached passwords
ISSAF-U_11. Web application SQL injections - Get control on host	173. Discard unsafe inputs 176. Restrict system objects 265. Restrict access to critical processes 096. Set user's required privileges
ISSAF-U_15. Web application SQL injections – Countermeasures	156. Source code without sensitive information 158. Use a secure programming language 164. Use optimized structures 167. Close unused resources 169. Use parameterized queries 173. Discard unsafe inputs 342. Validate request parameters 359. Avoid using generic exceptions 037. Parameters without sensitive data 096. Set user's required privileges
ISSAF-V_6_1. Application security - Source code auditing (authentication)	176. Restrict system objects
ISSAF-V_6_3. Application security - Source code auditing (hash or digest authentication)	127. Store hashed passwords 333. Store salt values separately
ISSAF-V_6_4. Application security - Source code auditing (forms based authentication)	088. Request client certificates 090. Use valid certificates
ISSAF-V_7. Application security - Source code auditing (session management)	342. Validate request parameters
ISSAF-V_9. Application security - Source code auditing (data and input validation)	173. Discard unsafe inputs 237. Ascertain human interaction 342. Validate request parameters
ISSAF-V_10. Application security - Source code auditing (Cross Site Scripting XSS)	173. Discard unsafe inputs 324. Control redirects 029. Cookies with security attributes
ISSAF-V_11. Application security - Source code auditing (buffer overflows)	345. Establish protections against overflows
ISSAF-V_12. Application security - Source code auditing (error handling)	225. Proper authentication responses
ISSAF-V_13. Application security - Source code auditing (command injection)	173. Discard unsafe inputs 265. Restrict access to critical processes 266. Disable insecure functionalities
ISSAF-Y_2. Database Security - Oracle security assessment	181. Transmit data using secure protocols
ISSAF-Y_3_1. Database Security - Database services countermeasures	133. Passwords with at least 20 characters 142. Change system default credentials 161. Define secure default options 229. Request access credentials
ISSAF-Y_3_4. Database Security - Database services countermeasures	035. Manage privilege modifications 046. Manage the integrity of critical files

Last updated

2023/09/18