088 – Request client certificates

Summary

Systems that manages business-critical information must require digital certificates from the client. This must be done especially during the authentication process.

Description

This control suggests the implementation of a security measure in which client systems interacting with or accessing business-critical information must present valid digital certificates. This practice enhances authentication, secure communication, and control access to sensitive business data.

Supported In

Advanced: True

References

• CIS-13_9. Deploy port-level access control
• CWE-299. Improper check for certificate revocation
• NIST80063-5_2_5. Verifier impersonation resistance
• OWASP10-A7. Identification and authentication failures
• PDPO-6_31. Matching procedure request
• IEC62443-IAC-1_9. Strength of public key authentication
• WASSEC-2_1. Authentication schemes
• NISTSSDF-PS_2_1. Provide a mechanism for verifying software release integrity
• ISSAF-V_6_4. Application security - Source code auditing (forms based authentication)
• PTES-6_7. Exploitation - Zero day angle
• ASVS-10_3_1. Application integrity
• CASA-9_2_4. Server Communication Security
• RESOLSB-Art_30_1. Security in Electronic Channels - Digital Banking

Weaknesses

• 163 – Insecure digital certificates
• 348 – Insecure digital certificates - Lifespan
• 350 – Insecure digital certificates - Chain of trust

Last updated

2024/01/18