228 – Authenticate using standard protocols

Summary

The organization must implement the Single Sign On (SSO) process using standard protocols (e.g., SAML).

Description

When SSO is enabled, centralized control over user authentication and authorization is possible. The Identity Provider becomes the central authority for validating user identities, enforcing access policies, and managing user sessions.

Supported In

Essential: True

Advanced: True

References

• CWE-287. Improper authentication
• CWE-1390. Weak Authentication
• CAPEC-115. Authentication bypass
• SOC2-CC6_1. Logical and physical access controls
• NYSHIELD-5575_B_2. Personal and private information
• PADSS-3_1_4. Application employs methods to authenticate all users
• SANS25-22. Improper Privilege Management
• SANS25-24. Incorrect Authorization
• POPIA-3A_23. Access to personal information
• ISO27002-8_5. Secure authentication
• IEC62443-IAC-1_5. Authenticator management
• WASSEC-2_1. Authentication schemes
• WASC-W_01. Insufficient authentication
• NISTSSDF-PW_1_1. Design software to meet security requirements and mitigate security risks
• MVSP-2_1. Application design controls - Single Sign-On
• BSAFSS-IA_1-1. Software development environment authenticates users and operators
• BSAFSS-SI_2-1. Strong identity
• NIST800171-1_17. Protect wireless access using authentication and encryption
• ASVS-14_1_5. Build and deploy
• ASVS-1_2_2. Authentication architecture
• ASVS-13_3_2. SOAP web service
• OWASPAPI-API2. Broken Authentication
• ISO27001-8_5. Secure authentication
• CASA-1_2_2. Authentication Architecture
• CASA-1_4_4. Access Control Architecture
• CASA-2_10_1. Service Authentication
• CASA-14_1_5. Build and Deploy
• RESOLSB-Art_28_5. Security in Electronic Channels - ATMs
• OWASPMASVS-AUTH-1. The app uses secure authentication and authorization protocols and follows the relevant best practices
• CWE25-269. Improper Privilege Management
• CWE25-863. Incorrect Authorization

Weaknesses

• 240 – Authentication mechanism absence or evasion - OTP
• 241 – Authentication mechanism absence or evasion - AWS
• 242 – Authentication mechanism absence or evasion - WiFi
• 243 – Authentication mechanism absence or evasion - Admin Console
• 244 – Authentication mechanism absence or evasion - BIOS
• 298 – Authentication mechanism absence or evasion - Redirect
• 299 – Authentication mechanism absence or evasion - JFROG
• 300 – Authentication mechanism absence or evasion - Azure
• 309 – Insecurely generated token - JWT
• 318 – Insecurely generated token - Validation
• 365 – Authentication mechanism absence or evasion - Response tampering
• 370 – Authentication mechanism absence or evasion - Security Image
• 383 – Insecurely generated token - OTP
• 388 – Insecure authentication method - NTLM
• 397 – Insecure authentication method - LDAP
• 449 – Insecure authentication method
• 006 – Authentication mechanism absence or evasion
• 015 – Insecure authentication method - Basic

Last updated

2024/02/05