Authenticate using standard protocols
Summary
The organization must implement Single Sign-On (SSO) using standard protocols (e.g., SAML).
Description
When SSO is enabled, user authentication and authorization can be controlled centrally: the Identity Provider becomes the single authority for validating user identities, enforcing access policies, and managing user sessions. Using a standard protocol rather than a home-grown scheme means the message format, signing and validation rules are specified by the standard and implemented by vetted libraries, instead of being reinvented by each application.
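As an added example (not code from Fluid Attacks or this page), the checks a relying service provider must still enforce on a SAML 2.0 bearer assertion after a standard XML-DSig library has verified the Identity Provider's signature: trusted issuer, validity window, audience, recipient and InResponseTo, and one-time use. The entity IDs, URLs, assertion and clock are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
CLOCK_SKEW = timedelta(minutes=3)  # tolerance for IdP/SP clock drift

def _ts(value):  # SAML timestamps are UTC ISO 8601, e.g. 2024-01-01T12:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def validate_assertion(xml_text, sp_entity_id, trusted_issuer, acs_url,
                       request_id, now, seen_ids, signature_verified):
    """Return the subject NameID, or raise ValueError on the first failed check.
    signature_verified must come from an XML-DSig library that checked the
    assertion against the IdP's registered certificate; nothing here replaces it."""
    if not signature_verified:
        raise ValueError("signature not verified")
    a = ET.fromstring(xml_text)
    if a.tag != f"{{{SAML}}}Assertion" or not a.get("ID"):
        raise ValueError("not a SAML assertion")
    if a.findtext("saml:Issuer", namespaces=NS) != trusted_issuer:
        raise ValueError("untrusted issuer")  # only the configured IdP may assert
    cond = a.find("saml:Conditions", NS)
    if cond is None or now < _ts(cond.get("NotBefore")) - CLOCK_SKEW \
            or now >= _ts(cond.get("NotOnOrAfter")) + CLOCK_SKEW:
        raise ValueError("assertion outside its validity window")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise ValueError("assertion issued for another service")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url or scd.get("InResponseTo") != request_id:
        raise ValueError("subject confirmation does not match this SP's request")
    if a.get("ID") in seen_ids:
        raise ValueError("assertion replayed")  # one bearer assertion, one login
    seen_ids.add(a.get("ID"))
    name_id = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("missing NameID")
    return name_id

# Constructed sample assertion and clock, not output from any real IdP.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_c0nstructed1" Version="2.0">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://sp.example.com/saml/acs" InResponseTo="_req42"/>
    </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.com/metadata</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions></saml:Assertion>"""
SAMPLE_NOW = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)
```

The `seen_ids` set stands in for a shared store with an expiry at least as long as the assertion's NotOnOrAfter, so that a replay against another SP node is also refused.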
References
- CWE-287. Improper authentication
- CWE-1390. Weak Authentication
- CAPEC-115. Authentication bypass
- SOC2-CC6_1. Logical and physical access controls
- NYSHIELD-5575_B_2. Personal and private information
- PADSS-3_1_4. Application employs methods to authenticate all users
- SANS25-22. Improper Privilege Management
- SANS25-24. Incorrect Authorization
- POPIA-3A_23. Access to personal information
- ISO27002-8_5. Secure authentication
- IEC62443-IAC-1_5. Authenticator management
- WASSEC-2_1. Authentication schemes
- WASC-W_01. Insufficient authentication
- NISTSSDF-PW_1_1. Design software to meet security requirements and mitigate security risks
- MVSP-2_1. Application design controls - Single Sign-On
- BSAFSS-IA_1-1. Software development environment authenticates users and operators
- BSAFSS-SI_2-1. Strong identity
- NIST800171-1_17. Protect wireless access using authentication and encryption
- ASVS-14_1_5. Build and deploy
- ASVS-1_2_2. Authentication architecture
- ASVS-13_3_2. SOAP web service
- OWASPAPI-API2. Broken Authentication
- ISO27001-8_5. Secure authentication
- CASA-1_2_2. Authentication Architecture
- CASA-1_4_4. Access Control Architecture
- CASA-2_10_1. Service Authentication
- CASA-14_1_5. Build and Deploy
- RESOLSB-Art_28_5. Security in Electronic Channels - ATMs
- OWASPMASVS-AUTH-1. The app uses secure authentication and authorization protocols and follows the relevant best practices
- CWE25-269. Improper Privilege Management
- CWE25-863. Incorrect Authorization
Weaknesses
- 006. Authentication mechanism absence or evasion
- 015. Insecure authentication method - Basic
- 240. Authentication mechanism absence or evasion - OTP
- 241. Authentication mechanism absence or evasion - AWS
- 242. Authentication mechanism absence or evasion - WiFi
- 243. Authentication mechanism absence or evasion - Admin Console
- 244. Authentication mechanism absence or evasion - BIOS
- 298. Authentication mechanism absence or evasion - Redirect
- 299. Authentication mechanism absence or evasion - JFROG
- 300. Authentication mechanism absence or evasion - Azure
- 309. Insecurely generated token - JWT
- 318. Insecurely generated token - Validation
- 365. Authentication mechanism absence or evasion - Response tampering
- 370. Authentication mechanism absence or evasion - Security Image
- 383. Insecurely generated token - OTP
- 388. Insecure authentication method - NTLM
- 397. Insecure authentication method - LDAP
- 449. Insecure authentication method
Supported In
This requirement is verified in the following services
Essential Plan
Advanced Plan