R264. Request authentication
The system must require authentication for all resources, except for the consultation or visualization of those specifically classified as public.
Sometimes systems have information and other resources that are not considered public. These resources should be protected by a secure authentication mechanism that prevents unauthorized actors from accessing them.
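The pattern behind this requirement is a single, deny-by-default authentication gate placed in front of every resource, with the public exceptions listed explicitly. The following Python dispatcher is an added illustration, not code from this requirements page or from any particular product; the routes, the resource classification table, the demo key and the `user:hmac` token format are all constructed assumptions standing in for a real session mechanism.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed demo key; a real deployment loads it from a secret store.
SESSION_KEY = b"constructed-demo-key-do-not-reuse"

# Explicit classification of every resource. Anything not listed here is
# treated as non-public, so a route that was never classified still needs
# authentication (deny by default, CWE-306 protection).
RESOURCE_CLASSIFICATION = {
    "/": "public",
    "/health": "public",
    "/catalog": "public",
    "/account": "private",
    "/admin/users": "private",
}


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str


def make_token(user: str) -> str:
    """Issue a bearer token of the form user:hmac (stand-in for a real session)."""
    mac = hmac.new(SESSION_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}:{mac}"


def verify_token(token: str):
    """Return the authenticated user, or None if the identity claim cannot be proven."""
    user, sep, mac = token.rpartition(":")
    if not sep or not user:
        return None
    expected = hmac.new(SESSION_KEY, user.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak via timing.
    if not hmac.compare_digest(expected, mac):
        return None
    return user


def authenticate(req: Request):
    """Extract and verify the caller's identity from the Authorization header."""
    scheme, _, token = req.headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return None
    return verify_token(token)


def is_public(path: str) -> bool:
    return RESOURCE_CLASSIFICATION.get(path) == "public"


# Handlers receive the verified user; it is None only for public resources.
HANDLERS = {
    "/": lambda req, user: Response(200, "welcome"),
    "/health": lambda req, user: Response(200, "ok"),
    "/catalog": lambda req, user: Response(200, "public catalog"),
    "/account": lambda req, user: Response(200, f"account of {user}"),
    "/admin/users": lambda req, user: Response(200, f"user list for {user}"),
}


def dispatch(req: Request) -> Response:
    """Single authentication gate in front of every handler."""
    user = authenticate(req)
    # The gate runs before routing: unknown or unclassified paths are not
    # public, so an anonymous caller is refused before any lookup happens.
    if not is_public(req.path) and user is None:
        return Response(401, "authentication required")
    handler = HANDLERS.get(req.path)
    if handler is None:
        return Response(404, "not found")
    return handler(req, user)


def unauthenticated_exposure():
    """Review helper: the only routes reachable without authentication."""
    return sorted(p for p in HANDLERS if is_public(p))


if __name__ == "__main__":
    print(dispatch(Request("/catalog")))
    print(dispatch(Request("/account")))
    tok = make_token("alice")
    print(dispatch(Request("/account", {"Authorization": f"Bearer {tok}"})))
    print(unauthenticated_exposure())
```

Two design choices matter here. First, the gate is a single vetted mechanism that every request passes through, rather than a per-handler decorator that a developer can forget. Second, public access is an allowlist derived from the resource classification, so `unauthenticated_exposure()` gives reviewers exactly the set of resources the classification says are public and nothing else.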
CWE-287: Improper Authentication. When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.
CWE-306: Missing Authentication for Critical Function. The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
OWASP-ASVS v4.0.1 V1.2 Authentication Architectural Requirements (1.2.2). Verify that communications between application components, including APIs, middleware and data layers, are authenticated. Components should have the least necessary privileges needed.
OWASP-ASVS v4.0.1 V1.2 Authentication Architectural Requirements (1.2.3). Verify that the application uses a single vetted authentication mechanism that is known to be secure, can be extended to include strong authentication, and has sufficient logging and monitoring to detect account abuse or breaches.