Summary

The system must require authentication for all resources, except for the consultation or visualization of those specifically classified as public.

Description

Sometimes systems have information and other resources that are not considered public. These resources should be protected by a secure authentication mechanism that prevents unauthorized actors from accessing them.

References

• CAPEC-1. Accessing functionality not properly constrained by ACLs
• CAPEC-36. Using unpublished interfaces
• CAPEC-115. Authentication bypass
• CWE-287. Improper authentication
• CWE-306. Missing authentication for critical function
• CWE-603. Use of client-side authentication
• CWE-1390. Weak Authentication
• NERCCIP-003-8_3_2. Electronic access controls
• NERCCIP-005-5_R1_4. Electronic security perimeter
• NERCCIP-007-6_R5_1. System access control
• OWASP10-A2. Cryptographic failures
• OWASP10-A7. Identification and authentication failures
• SOC2-CC6_1. Logical and physical access controls
• NYDFS-500_12. Multi-factor authentication
• SANS25-13. Improper authentication
• SANS25-18. Use of hard-coded credentials
• SANS25-20. Missing authentication for critical function
• SANS25-21. Concurrent execution using shared resource with improper synchronization (Race condition)
• POPIA-3A_19. Security measures on integrity and confidentiality of personal information
• POPIA-3A_23. Access to personal information
• PDPO-5_18. Data access request
• PDPO-S1_4. Security of personal data
• PDPO-S1_6. Access to personal data
• CMMC-AC_L1-3_1_2. Transaction & function control
• CMMC-IA_L1-3_5_2. Authentication
• CMMC-MP_L2-3_8_2. Media access
• HITRUST-01_q. User identification and authentication
• HITRUST-01_x. Mobile computing and communications
• FEDRAMP-MP-2. Media access
• IEC62443-IAC-1_2. Software process and device identification and authentication
• IEC62443-CR-1_1-RE_1. Unique identification and authentication
• WASSEC-2_1. Authentication schemes
• WASSEC-6_2_1_2. Authentication - Insufficient authentication
• OSSTMM3-10_5_3. Telecommunications security (access verification) - Authentication
• WASC-W_17. Improper filesystem permissions
• WASC-W_01. Insufficient authentication
• FERPA-D_31_c. Conditions of prior consent required to disclose information
• NISTSSDF-PW_1_1. Design software to meet security requirements and mitigate security risks
• OWASPSCP-12. File management
• BSAFSS-IA_1-1. Software development environment authenticates users and operators
• BSAFSS-AA_1-3. Authorization and access controls
• NIST800171-1_17. Protect wireless access using authentication and encryption
• CWE25-287. Improper authentication
• CWE25-362. Concurrent execution using shared resource with improper synchronization (Race condition)
• CWE25-306. Missing authentication for critical function
• CWE25-798. Use of hard-coded credentials
• ASVS-1_2_3. Authentication architecture
• ASVS-14_1_5. Build and deploy
• C2M2-4_1_a. Establish identities and manage authentication
• PCI-8_3_3. Strong authentication for users and administrators is established
• SIG-G_3_4. Operations management
• SIG-I_1_3_1. Application security
• ASVS-4_3_1. Other access control considerations
• ASVS-9_2_3. Server communication security
• ASVS-13_4_1. GraphQL
• OWASPAPI-API2. Broken Authentication
• OWASPAPI-API5. Broken Function Level Authorization
• CASA-1_2_3. Authentication Architecture
• CASA-1_4_4. Access Control Architecture
• CASA-2_10_1. Service Authentication
• CASA-4_3_1. Other Access Control Considerations
• CASA-14_1_5. Build and Deploy
• RESOLSB-Art_27_11. Security in Electronic Channels
• RESOLSB-Art_28_2. Security in Electronic Channels - ATMs
• RESOLSB-Art_28_5. Security in Electronic Channels - ATMs
• RESOLSB-Art_29_1. Security in Electronic Channels - Points of Sale (POS and PIN Pad)
• NIST-PR_AA-03. Users, services, and hardware are authenticated

Weaknesses

• 006. Authentication mechanism absence or evasion
• 018. Improper authentication for shared folders
• 020. Non-encrypted confidential information
• 056. Anonymous connection
• 075. Unauthorized access to files - APK Content Provider
• 081. Lack of multi-factor authentication
• 095. Data uniqueness not properly verified
• 099. Non-encrypted confidential information - S3 Server Side Encryption
• 201. Unauthorized access to files
• 202. Unauthorized access to files - Debug APK
• 203. Unauthorized access to files - Cloud Storage Services
• 204. Insufficient data authenticity validation
• 240. Authentication mechanism absence or evasion - OTP
• 241. Authentication mechanism absence or evasion - AWS
• 242. Authentication mechanism absence or evasion - WiFi
• 243. Authentication mechanism absence or evasion - Admin Console
• 244. Authentication mechanism absence or evasion - BIOS
• 245. Non-encrypted confidential information - Credit Cards
• 246. Non-encrypted confidential information - DB
• 247. Non-encrypted confidential information - AWS
• 248. Non-encrypted confidential information - LDAP
• 249. Non-encrypted confidential information - Credentials
• 251. Non-encrypted confidential information - JFROG
• 275. Non-encrypted confidential information - Local data
• 284. Non-encrypted confidential information - Base 64
• 298. Authentication mechanism absence or evasion - Redirect
• 299. Authentication mechanism absence or evasion - JFROG
• 300. Authentication mechanism absence or evasion - Azure
• 310. Unauthorized access to screen
• 365. Authentication mechanism absence or evasion - Response tampering
• 370. Authentication mechanism absence or evasion - Security Image
• 378. Non-encrypted confidential information - Hexadecimal
• 441. Non-encrypted confidential information - Azure