229 – Request access credentials

Summary

The system must request at least one username and password from every actor that tries to authenticate.

Description

Sometimes systems have information and other resources that are not considered public. These resources should be protected by a secure authentication mechanism that prevents unauthorized actors from accessing them. The authentication mechanism should request at least a username and a password.

Supported In

Essential: True

Advanced: True

References

• CWE-284. Improper access control
• CWE-306. Missing authentication for critical function
• HIPAA-164_310_a_2_iii. Access control and validation procedures (addressable)
• HIPAA-164_312_a_1. Standard: access control
• HIPAA-164_312_d. Standard: person or entity authentication
• NIST80053-IA-1. Policy and procedures
• NIST80053-IA-2. Identification and authentication (organizational users)
• OWASP10-A7. Identification and authentication failures
• SOC2-P4_2. Additional criteria for privacy (related to use, retention, and disposal)
• OWASPM10-M2. Insecure data storage
• NYSHIELD-5575_B_2. Personal and private information
• NYDFS-500_12. Multi-factor authentication
• MITRE-M1032. Multi-factor authentication
• PADSS-3_1. Support and enforce the use of unique user IDs and secure authentication for all administrative access
• PADSS-3_1_4. Application employs methods to authenticate all users
• SANS25-13. Improper authentication
• SANS25-15. Deserialization of untrusted data
• SANS25-20. Missing authentication for critical function
• PDPA-5_21. Access to personal data
• POPIA-3A_19. Security measures on integrity and confidentiality of personal information
• POPIA-3A_23. Access to personal information
• PDPO-5_18. Data access request
• PDPO-S1_4. Security of personal data
• PDPO-S1_6. Access to personal data
• CMMC-AC_L1-3_1_2. Transaction & function control
• CMMC-IA_L1-3_5_2. Authentication
• CMMC-MP_L2-3_8_2. Media access
• HITRUST-01_x. Mobile computing and communications
• HITRUST-08_b. Physical entry controls
• FEDRAMP-MP-2. Media access
• ISO27002-8_4. Access to source code
• LGPD-19_II-1. Data Subjects Rights
• IEC62443-IAC-1_5. Authenticator management
• OSSTMM3-9_5_4. Wireless security (access verification) - Authentication
• WASC-W_01. Insufficient authentication
• FERPA-D_31_c. Conditions of prior consent required to disclose information
• ISSAF-Y_3_1. Database Security - Database services countermeasures
• OWASPRISKS-P7. Insufficient data quality
• OWASPSCP-5. Access control
• OWASPSCP-11. Database security
• OWASPSCP-14. General coding practices
• BSAFSS-SM_4-2. Software measures to prevent counterfeiting and tampering
• BSAFSS-IA_1-1. Software development environment authenticates users and operators
• BSAFSS-AA_1-3. Authorization and access controls
• NIST800171-1_17. Protect wireless access using authentication and encryption
• NIST800171-5_2. Authenticate or verify the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems
• CWE25-287. Improper authentication
• CWE25-306. Missing authentication for critical function
• CWE25-502. Deserialization of untrusted data
• ASVS-14_1_5. Build and deploy
• C2M2-4_1_b. Establish identities and manage authentication
• PCI-7_2_6. Access to system components and data is defined and assigned
• PCI-7_3_1. Access to system components and data is managed via an access control system
• PCI-7_3_2. Access to system components and data is managed via an access control system
• PCI-8_3_1. Strong authentication for users and administrators is established
• SIGLITE-SL_70. Are individual IDs required for user authentication to applications, operating systems, databases and network devices?
• SIGLITE-SL_71. Are passwords used?
• SIG-G_3_4. Operations management
• SIG-H_3. Access control
• ASVS-4_3_1. Other access control considerations
• OWASPAPI-API2. Broken Authentication
• ISO27001-8_4. Access to source code
• CASA-4_3_1. Other Access Control Considerations
• CASA-14_1_5. Build and Deploy
• FISMA-IA-1. Policy and procedures
• FISMA-IA-2. Identification and authentication (organizational users)
• OWASPMASVS-AUTH-1. The app uses secure authentication and authorization protocols and follows the relevant best practices
• NIST-PR_AA-03. Users, services, and hardware are authenticated

Weaknesses

• 240 – Authentication mechanism absence or evasion - OTP
• 241 – Authentication mechanism absence or evasion - AWS
• 242 – Authentication mechanism absence or evasion - WiFi
• 243 – Authentication mechanism absence or evasion - Admin Console
• 244 – Authentication mechanism absence or evasion - BIOS
• 245 – Non-encrypted confidential information - Credit Cards
• 246 – Non-encrypted confidential information - DB
• 247 – Non-encrypted confidential information - AWS
• 248 – Non-encrypted confidential information - LDAP
• 249 – Non-encrypted confidential information - Credentials
• 251 – Non-encrypted confidential information - JFROG
• 275 – Non-encrypted confidential information - Local data
• 284 – Non-encrypted confidential information - Base 64
• 298 – Authentication mechanism absence or evasion - Redirect
• 299 – Authentication mechanism absence or evasion - JFROG
• 300 – Authentication mechanism absence or evasion - Azure
• 365 – Authentication mechanism absence or evasion - Response tampering
• 370 – Authentication mechanism absence or evasion - Security Image
• 378 – Non-encrypted confidential information - Hexadecimal
• 441 – Non-encrypted confidential information - Azure
• 006 – Authentication mechanism absence or evasion
• 018 – Improper authentication for shared folders
• 020 – Non-encrypted confidential information
• 081 – Lack of multi-factor authentication
• 095 – Data uniqueness not properly verified
• 099 – Non-encrypted confidential information - S3 Server Side Encryption

Last updated

2024/03/05