Summary

The system must restrict access to system functions that execute critical business processes, allowing only authorized users.

Description

Systems must enforce access controls on trusted enforcement points. They must also have a clear definition of user privileges and roles. Functions that execute critical business processes should only be available for authenticated users with roles that have the required privileges.

References

• CAPEC-13. Subverting environment variable values
• CAPEC-122. Privilege abuse
• CAPEC-690. Metadata Spoofing
• CIS-2_7. Allowlist authorized scripts
• CWE-306. Missing authentication for critical function
• CWE-78. Improper neutralization of special elements used in an OS command ("OS command injection")
• CWE-98. Improper control of filename for include/require statement in PHP program ("PHP remote file inclusion")
• EPRIVACY-4_1a. Security of processing
• NIST80053-IA-2. Identification and authentication (organizational users)
• OWASP10-A1. Broken access control
• OWASP10-A7. Identification and authentication failures
• MITRE-M1025. Privileged process integrity
• PADSS-5_2_8. Improper access controls
• CMMC-AC_L1-3_1_1. Authorized access control
• CMMC-AC_L1-3_1_2. Transaction & function control
• CMMC-CM_L2-3_4_5. Access restrictions for change
• HITRUST-01_v. Information access restriction
• HITRUST-01_w. Sensitive system isolation
• HITRUST-09_d. Separation of development, test and operational environments
• FEDRAMP-AC-22. Publicly accessible content
• FEDRAMP-CM-5_5. Access restrictions for change - Limit production, operational privileges
• ISO27002-8_4. Access to source code
• WASSEC-6_2_4_3. Command execution - OS command injection
• WASSEC-6_2_4_8. Command execution - Remote file includes
• WASC-A_12. Content spoofing
• WASC-A_31. OS commanding
• WASC-A_05. Remote file inclusion (RFI)
• ISSAF-P_6_1. Host security - Linux security (remote attacks)
• ISSAF-P_6_15. Host security - Linux security (local attacks)
• ISSAF-Q_16_20. Host security - Windows security (local attacks)
• ISSAF-U_11. Web application SQL injections - Get control on host
• ISSAF-V_13. Application security - Source code auditing (command injection)
• CWE25-77. Improper neutralization of special elements used in a command (command injection)
• CWE25-78. Improper neutralization of special elements used in an OS command (OS command injection)
• CWE25-306. Missing authentication for critical function
• ASVS-1_4_1. Access control architecture
• ASVS-5_2_5. Sanitization and sandboxing
• ASVS-5_3_8. Output encoding and injection prevention
• PCI-1_4_3. Implement anti-spoofing measures
• ASVS-12_3_5. File execution
• OWASPAPI-API1. Broken Object Level Authorization
• OWASPAPI-API6. Unrestricted Access to Sensitive Business Flows
• ISO27001-8_4. Access to source code
• CASA-1_4_1. Access Control Architecture
• CASA-5_2_5. Sanitization and Sandboxing
• CASA-5_3_8. Output Encoding and Injection Prevention
• RESOLSB-Art_26_11_d. Information Security
• FISMA-IA-2. Identification and authentication (organizational users)
• SANS25-5. Improper neutralization of special elements used in an OS command (OS command injection)
• SANS25-16. Improper neutralization of special elements used in a command (command injection)
• SANS25-20. Missing authentication for critical function
• OWASPLLM-LLM05:2025. Improper Output Handling

Weaknesses

• 004. Remote command execution
• 032. Spoofing
• 039. Improper authorization control for web services
• 056. Anonymous connection
• 061. Remote File Inclusion
• 073. Improper authorization control for web services - RDS
• 101. Lack of protection against deletion
• 165. Insecure service configuration - AWS
• 256. Lack of protection against deletion - RDS
• 257. Lack of protection against deletion - EC2
• 258. Lack of protection against deletion - ELB
• 259. Lack of protection against deletion - DynamoDB
• 404. OS Command Injection
• 405. Excessive privileges - Access Mode
• 412. Lack of protection against deletion - Azure Key Vault
• 422. Server side template injection
• 434. Client-side template injection
• 445. Bucket takeover
• 454. Improper output handling