SoftwareSecurity2013/Group 6/Requirements
From Werkplaats
Contents
Overall Scope
- We are not responsible for checking session management
- We do look at Authentication
- We do look at Cryptography
- We do not look at Authorization
General Background Information
Subpages
- SoftwareSecurity2013/Group 6/Requirements/GeneralBackground
- SoftwareSecurity2013/Group 6/Requirements/V2
- SoftwareSecurity2013/Group 6/Requirements/V7
Table 2 – OWASP ASVS Authentication Requirements (V2)
Click on the 'ID' in the far left column to jump to the detailed explanation of each finding. Click on the link above to go to the top of the details page.
ID | Description | Outcome |
---|---|---|
V2.1 | Verify that all pages and resources require authentication except those specifically intended to be public. | Pass |
V2.2 | Verify that all password fields do not echo the user’s password when it is entered, and that password fields (or the forms that contain them) have autocomplete disabled. | Fail |
V2.3 | Verify that if a maximum number of authentication attempts is exceeded, the account is locked for a period of time long enough to deter brute force attacks. | Pass |
V2.4 | Verify that all authentication controls are enforced on the server side. | Pass |
V2.5 | Verify that all authentication controls (including libraries that call external authentication services) have a centralized implementation. | Mostly Convinced of Pass |
V2.6 | Verify that all authentication controls fail securely. | Fail (after 12) |
V2.7 | Verify that the strength of any authentication credentials are sufficient to withstand attacks that are typical of the threats in the deployed environment. | UNDECIDABLE |
V2.8 | Verify that all account management functions are at least as resistant to attack as the primary authentication mechanism. | Fail |
V2.9 | Verify that users can safely change their credentials using a mechanism that is at least as resistant to attack as the primary authentication mechanism. | Fail |
V2.10 | Verify that re-authentication is required before any application-specific sensitive operations are permitted. | Fail |
V2.11 | Verify that after an administratively-configurable period of time, authentication credentials expire. | Fail |
V2.12 | Verify that all authentication decisions are logged. | Fail |
V2.13 | Verify that account passwords are salted using a salt that is unique to that account (e.g., internal user ID, account creation) and hashed before storing. | Rejected (after 12) |
V2.14 | Verify that all authentication credentials for accessing services external to the application are encrypted and stored in a protected location (not in source code). | Fail |
Table 7 – OWASP ASVS Cryptography Requirements (V7)
Click on the 'ID' in the far left column to jump to the detailed explanation of each finding. Click on the link above to go to the top of the details page.
ID | Description | Outcome |
---|---|---|
V7.1 | Verify that all cryptographic functions used to protect secrets from the application user are implemented server side. | Pass |
V7.2 | Verify that all cryptographic modules fail securely. | Exception |
V7.3 | Verify that access to any master secret(s) is protected from unauthorized access (A master secret is an application credential stored as plaintext on disk that is used to protect access to security configuration information). | N/A |
V7.4 | Verify that password hashes are salted when they are created. | Pass |
V7.5 | Verify that cryptographic module failures are logged. | Fail |
V7.6 | Verify that all random numbers, random file names, random GUIDs, and random strings are generated using the cryptographic module’s approved random number generator when these random values are intended to be unguessable by an attacker. | Pass |