R264. Request authentication

This document details the security requirements and guidelines related to secure user authentication management in the organization. In this case, it is recommended that the system require authentication for all resources not explicitly classified as public.

Requirement

The system must require authentication for all resources, except for the consultation or visualization of those specifically classified as public.

Description

Sometimes systems have information and other resources that are not considered public. These resources should be protected by a secure authentication mechanism that prevents unauthorized actors from accessing them.
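The requirement above is, in practice, a deny-by-default rule: a resource is reachable without credentials only when someone has explicitly declared it public, and every other resource (including paths that do not exist) is gated by the same authentication check. The following is an added example written for this page, not code from Fluid Attacks. It assumes a hypothetical in-process router with an explicit `public=True` flag per route and a constructed HMAC-signed bearer token scheme standing in for whatever vetted session or token mechanism a real system would use.

```python
"""Deny-by-default request authentication gate (added example).

Every registered route requires a valid token unless it was explicitly
marked public. The token format and SERVER_KEY are constructed for this
example only.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Hypothetical server-side signing key; a real deployment loads it from a secret store.
SERVER_KEY = b"example-only-key-do-not-use"


@dataclass
class Request:
    path: str
    method: str = "GET"
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Route:
    handler: Callable[[Request], str]
    public: bool = False  # default is "authentication required"


def issue_token(user: str) -> str:
    """Issue a bearer token of the form <user>.<hmac-sha256(user)> (constructed scheme)."""
    sig = hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{sig}"


def authenticate(req: Request) -> Optional[str]:
    """Return the authenticated user, or None when the request carries no valid token."""
    header = req.headers.get("Authorization", "")
    if not header.startswith("Bearer "):
        return None
    user, sep, sig = header[len("Bearer "):].rpartition(".")
    if not sep or not user:
        return None
    expected = hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forged signature cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, sig):
        return None
    return user


class Router:
    def __init__(self) -> None:
        self._routes: Dict[str, Route] = {}

    def route(self, path: str, public: bool = False):
        """Register a handler; only routes registered with public=True skip authentication."""
        def decorator(fn: Callable[[Request], str]) -> Callable[[Request], str]:
            self._routes[path] = Route(fn, public)
            return fn
        return decorator

    def dispatch(self, req: Request) -> Tuple[int, str]:
        route = self._routes.get(req.path)
        if route is None:
            # Unknown paths are treated as protected: an unauthenticated caller
            # learns nothing about which resources exist.
            if authenticate(req) is None:
                return 401, "authentication required"
            return 404, "not found"
        if not route.public and authenticate(req) is None:
            return 401, "authentication required"
        return 200, route.handler(req)


app = Router()


@app.route("/", public=True)          # explicitly classified as public
def landing(req: Request) -> str:
    return "welcome"


@app.route("/docs/terms", public=True)
def terms(req: Request) -> str:
    return "terms of use"


@app.route("/account")                # no flag given, so authentication is required
def account(req: Request) -> str:
    return f"account of {authenticate(req)}"


@app.route("/admin/users")
def admin_users(req: Request) -> str:
    return "user list"


if __name__ == "__main__":
    token = issue_token("alice")
    print(app.dispatch(Request("/")))                                         # (200, 'welcome')
    print(app.dispatch(Request("/admin/users")))                              # (401, ...)
    print(app.dispatch(Request("/account", headers={"Authorization": f"Bearer {token}"})))
```

The design point is where the default lives: a developer who forgets the `public` flag gets a protected route, never an exposed one, and a typo in a path is answered exactly like a protected resource. Reviewing such a code base for this requirement reduces to listing the routes that carry `public=True` and confirming each one is genuinely meant for consultation without credentials.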

References

  1. CWE-287: Improper Authentication. When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.

  2. CWE-306: Missing Authentication for Critical Function. The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

  3. OWASP-ASVS v4.0.1 V1.2 Authentication Architectural Requirements (1.2.2). Verify that communications between application components, including APIs, middleware and data layers, are authenticated. Components should have the least necessary privileges needed.

  4. OWASP-ASVS v4.0.1 V1.2 Authentication Architectural Requirements (1.2.3). Verify that the application uses a single vetted authentication mechanism that is known to be secure, can be extended to include strong authentication, and has sufficient logging and monitoring to detect account abuse or breaches.
