R027. Allow session lockout

Requirement

The system must provide users the option to manually lock their session from any resource protected by authentication.

References

  1. NIST 800-53 AC-2 (2) The information system automatically removes or disables temporary and emergency accounts after an organization-defined time period for each type of account.

  2. NIST 800-53 AC-2 (13) The organization disables accounts of users posing a significant risk within [Assignment: organization-defined time period] of discovery of the risk.

  3. OWASP Top 10 A2:2017-Broken Authentication. Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.

  4. PCI DSS v3.2.1 - Requirement 6.5.10 Address common coding vulnerabilities in software-development processes such as broken authentication and session management.

Copyright © 2020 Fluid Attacks, We hack your software. All rights reserved.
