Request client certificates
Summary
Systems that manages business-critical information must require digital certificates from the client. This must be done especially during the authentication process.
Description
This control suggests the implementation of a security measure in which client systems interacting with or accessing business-critical information must present valid digital certificates. This practice enhances authentication, secure communication, and control access to sensitive business data.
References
- CIS-13_9. Deploy port-level access control
- CWE-299. Improper check for certificate revocation
- NIST80063-5_2_5. Verifier impersonation resistance
- OWASP10-A7. Identification and authentication failures
- PDPO-6_31. Matching procedure request
- IEC62443-IAC-1_9. Strength of public key authentication
- WASSEC-2_1. Authentication schemes
- NISTSSDF-PS_2_1. Provide a mechanism for verifying software release integrity
- ISSAF-V_6_4. Application security - Source code auditing (forms based authentication)
- PTES-6_7. Exploitation - Zero day angle
- ASVS-10_3_1. Application integrity
- CASA-9_2_4. Server Communication Security
- RESOLSB-Art_30_1. Security in Electronic Channels - Digital Banking
Weaknesses
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.