Reino: Environment

Esta sección incluye todo lo que está fuera del código fuente pero aun así es importante para la seguridad del producto que se está creando. Dado que todas las cuestiones incluidas en esta sección no están directamente relacionadas con el código fuente, las hemos separado de las demás secciones.

631 elementos encontrados

Debilidades

AWS Ansible Misconfiguration: Insufficient RDS Backup

YAML

Abstract

Una configuración establece un recurso sin configuraciones de copia de seguridad adecuadas.

Explanation

Las copias de seguridad son fundamentales para ofrecer protección contra la pérdida o corrupción de los datos. La configuración que socava las copias de seguridad incluye, entre otros:
- Deshabilitar la copia de seguridad de datos
- No realizar copias de seguridad de los datos con regularidad
- No comprobar periódicamente la integridad de las copias de seguridad
- Un período de retención de la copia de seguridad insuficiente

References

[1] Amazon Web Services, Inc. or its affiliates Backup and recovery approaches on AWS

[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3

[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial

[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5

[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[6] Standards Mapping - CIS Google Cloud Computing Platform Benchmark partial

[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark availability

[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000366, CCI-003109

[9] Standards Mapping - FIPS200 CP

[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 CP-9 Information System Backup (P1)

[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 CP-9 System Backup

[12] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[13] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[14] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.1.5 General Data Protection (L3)

[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 12.10.1

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 12.10.1

[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 2.2 - Secure Defaults

[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 2.2 - Secure Defaults

[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 2.2 - Secure Defaults

desc.structural.iac.aws.misconfiguration_insufficient_backup.base

AWS Ansible Misconfiguration: Insufficient S3 Backup

YAML

Abstract

Una configuración establece un recurso sin configuraciones de copia de seguridad adecuadas.

Explanation

Las copias de seguridad son fundamentales para ofrecer protección contra la pérdida o corrupción de los datos. La configuración que socava las copias de seguridad incluye, entre otros:
- Deshabilitar la copia de seguridad de datos
- No realizar copias de seguridad de los datos con regularidad
- No comprobar periódicamente la integridad de las copias de seguridad
- Un período de retención de la copia de seguridad insuficiente

References

[1] Amazon Web Services, Inc. or its affiliates Backup and recovery approaches on AWS

[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3

[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial

[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5

[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[6] Standards Mapping - CIS Google Cloud Computing Platform Benchmark partial

[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark availability

[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000366, CCI-003109

[9] Standards Mapping - FIPS200 CP

[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 CP-9 Information System Backup (P1)

[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 CP-9 System Backup

[12] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[13] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[14] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.1.5 General Data Protection (L3)

[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 12.10.1

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 12.10.1

[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 2.2 - Secure Defaults

[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 2.2 - Secure Defaults

[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 2.2 - Secure Defaults

desc.structural.iac.aws.misconfiguration_insufficient_backup.base

AWS Ansible Misconfiguration: Insufficient S3 Logging

YAML

Abstract

La plantilla define un servicio con registros de auditoría insuficientes.

Explanation

La ausencia de registros de auditoría limita la capacidad de detectar y responder a incidentes relacionados con la seguridad e impide la investigación forense.

Los valores de configuración que socavan las capacidades de registro incluyen, entre otros:
- deshabilitar deliberadamente el registro de auditoría
- excluir acciones de usuarios, grupos o procesos específicos del registro
- proteger inadecuadamente la integridad del registro
- no habilitar el registro de auditoría opcional
- reducir la frecuencia de muestreo del registro

References

[1] Open Web Application Security Project (OWASP) Logging Cheat Sheet

[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5

[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3

[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity

[6] Standards Mapping - Common Weakness Enumeration CWE ID 778

[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172

[8] Standards Mapping - FIPS200 CM

[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)

[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation

[11] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring

[12] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures

[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2

[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking

[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking

[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking

[20] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000380 CAT III, APSC-DV-000390 CAT III, APSC-DV-000400 CAT III, APSC-DV-000410 CAT III, APSC-DV-000430 CAT III, APSC-DV-000590 CAT II

desc.structural.iac.misconfiguration_insufficient_logging.base

AWS Ansible Misconfiguration: Insufficient S3 Monitoring

YAML

Abstract

Una configuración establece un recurso que carece de supervisión.

Explanation

Cualquier respuesta tardía a las infracciones socava la capacidad de una organización para limitar el impacto de una infracción.

Los valores de configuración que socavan las capacidades de supervisión incluyen, entre otros:
- deshabilitar deliberadamente la supervisión
- no habilitar la supervisión opcional
- no especificar eventos relevantes para exportar a los servicios de supervisión
- excluir acciones de usuarios, grupos, procesos y regiones geográficas específicos de la supervisión

References

[1] Paul Cichonski,Tom Millar,Tim Grance,Karen Scarfone NIST Special Publication 800-61 Revision 2 - Computer Security Incident Handling Guide

[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5

[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3

[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity

[6] Standards Mapping - Common Weakness Enumeration CWE ID 778

[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172

[8] Standards Mapping - FIPS200 CM

[9] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)

[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation

[12] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring

[13] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures

[14] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)

[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2

[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking

[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking

[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking

[21] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II

desc.structural.iac.misconfiguration_insufficient_monitoring.base

AWS Ansible Misconfiguration: Insufficient Stack Monitoring

YAML

Abstract

Una configuración establece un recurso que carece de supervisión.

Explanation

Cualquier respuesta tardía a las infracciones socava la capacidad de una organización para limitar el impacto de una infracción.

Los valores de configuración que socavan las capacidades de supervisión incluyen, entre otros:
- deshabilitar deliberadamente la supervisión
- no habilitar la supervisión opcional
- no especificar eventos relevantes para exportar a los servicios de supervisión
- excluir acciones de usuarios, grupos, procesos y regiones geográficas específicos de la supervisión

References

[1] Paul Cichonski,Tom Millar,Tim Grance,Karen Scarfone NIST Special Publication 800-61 Revision 2 - Computer Security Incident Handling Guide

[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5

[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3

[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity

[6] Standards Mapping - Common Weakness Enumeration CWE ID 778

[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172

[8] Standards Mapping - FIPS200 CM

[9] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)

[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation

[12] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring

[13] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures

[14] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)

[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2

[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking

[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking

[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking

[21] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II

desc.structural.iac.misconfiguration_insufficient_monitoring.base

AWS Ansible Misconfiguration: Privileged Batch Container

YAML

Abstract

Una configuración establece un contenedor con permisos elevados para ejecutar trabajos.

Explanation

De forma predeterminada, un contenedor no puede ejecutar la mayoría de las operaciones de administración de redes y sistemas. El modo privilegiado elimina tales restricciones. Esto amplía drásticamente la superficie de ataque de los trabajos maliciosos.

References

[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.5

[2] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial

[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5

[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[5] Standards Mapping - CIS Google Cloud Computing Platform Benchmark partial

[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[7] Standards Mapping - CIS Kubernetes Benchmark partial

[8] Standards Mapping - Common Weakness Enumeration CWE ID 250

[9] Standards Mapping - Common Weakness Enumeration Top 25 2019 [3] CWE ID 020

[10] Standards Mapping - Common Weakness Enumeration Top 25 2020 [3] CWE ID 020

[11] Standards Mapping - Common Weakness Enumeration Top 25 2021 [4] CWE ID 020

[12] Standards Mapping - Common Weakness Enumeration Top 25 2022 [4] CWE ID 020

[13] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084

[14] Standards Mapping - FIPS200 CM

[15] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1)

[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege

[18] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[19] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[20] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[21] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[22] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[23] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[24] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements (L1 L2 L3), 5.1.4 Input Validation Requirements (L1 L2 L3)

[25] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection

[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection

[35] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 020

[36] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 250

[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3500 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3500 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3500 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3500 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3500 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3500 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3500 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II

[57] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)

desc.structural.iac.misconfiguration_privileged_container.base

AWS Ansible Misconfiguration: RDS Auto-Upgrade Disabled

YAML

Abstract

Una configuración desactiva las actualizaciones automáticas de software.

Explanation

Las actualizaciones automáticas de software, que garantizan la aplicación oportuna de parches a las vulnerabilidades de software conocidas, están deshabilitadas.

References

[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2

[2] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete

[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5

[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[5] Standards Mapping - CIS Google Cloud Computing Platform Benchmark complete

[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[7] Standards Mapping - CIS Kubernetes Benchmark complete

[8] Standards Mapping - FIPS200 CM

[9] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-2 Flaw Remediation (P1)

[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-2 Flaw Remediation

[12] Standards Mapping - OWASP Top 10 2017 A9 Using Components with Known Vulnerabilities

[13] Standards Mapping - OWASP Top 10 2021 A06 Vulnerable and Outdated Components

[14] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.2

[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.3.3

[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 10.2 - Threat and Vulnerability Management

[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 10.2 - Threat and Vulnerability Management

[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 10.2 - Threat and Vulnerability Management, Control Objective C.1.6 - Web Software Components & Services

desc.structural.iac.misconfiguration_auto_upgrade_disabled.base

<
1
2
3
4
5
6
7
8
9
10
11
>