界: Security Features

ソフトウェアのセキュリティは、セキュリティ ソフトウェアではありません。ここでは、認証、アクセス制御、機密性、暗号化、権限管理などのトピックについて説明します。

Password Management

Abstract
パスワードを平文で保管するとシステムが危険にさらされる結果を招くことがあります。
Explanation
Password Management の問題が発生するのは、アプリケーションのプロパティや設定ファイルにパスワードが平文で保管される場合です。
例 1: 次のコードはプロパティ ファイルからパスワードを読み取り、そのパスワードを使用して URL リクエストのデフォルトの認証情報を設定しています。


...
var fs:FileStream = new FileStream();
fs.open(new File("config.properties"), FileMode.READ);
var password:String = fs.readMultiByte(fs.bytesAvailable, File.systemCharset);

URLRequestDefaults.setLoginCredentialsForHost(hostname, usr, password);
...


このコードは正常に動作しますが、config.properties にアクセスできる全員が passwordの値を読むことができます。不心得な従業員がこの情報へのアクセス権を持っている場合、システムに侵入するために使用されることがあります。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 256
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [18] CWE ID 522
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [21] CWE ID 522
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199
[9] Standards Mapping - FIPS200 IA
[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-5 Authenticator Management (P1), SC-28 Protection of Information at Rest (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-5 Authenticator Management, SC-28 Protection of Information at Rest
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.1.1 Password Security Requirements (L1 L2 L3), 2.1.2 Password Security Requirements (L1 L2 L3), 2.1.3 Password Security Requirements (L1 L2 L3), 2.1.4 Password Security Requirements (L1 L2 L3), 2.1.7 Password Security Requirements (L1 L2 L3), 2.1.8 Password Security Requirements (L1 L2 L3), 2.1.9 Password Security Requirements (L1 L2 L3), 2.7.5 Out of Band Verifier Requirements (L2 L3), 2.3.1 Authenticator Lifecycle Requirements (L1 L2 L3), 2.6.2 Look-up Secret Verifier Requirements (L2 L3), 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.1 Service Authentication Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.3 Service Authentication Requirements (L2 L3), 2.10.4 Service Authentication Requirements (L2 L3), 3.5.2 Token-based Session Management (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 6.4.1 Secret Management (L2 L3), 8.2.2 Client-side Data Protection (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3), 10.2.1 Malicious Code Search (L2 L3), 10.2.3 Malicious Code Search (L3), 14.1.3 Build (L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[15] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[16] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[17] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control, Control Objective 7 - Use of Cryptography
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control, Control Objective 7 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective 7 - Use of Cryptography, Control Objective C.2.1.2 - Web Software Access Controls
[34] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[35] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3340 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
desc.dataflow.actionscript.password_management
Abstract
パスワードを平文で保管するとシステムが危険にさらされる結果を招くことがあります。
Explanation
アプリケーションの設定ファイルなどのデータストアにパスワードが平文で保管されるている場合、Password Management の問題が発生します。
例 1: 次のコードはレジストリからパスワードを読み込み、そのパスワードを使用して新しいネットワーク認証情報を作成しています。


...
string password = regKey.GetValue(passKey).ToString());
NetworkCredential netCred =
           new NetworkCredential(username,password,domain);
...


このコードは正常に動作しますが、パスワードを保管するために使用されているレジストリ キーにアクセスできる全員が passwordの値を読み取れます。不心得な従業員がこの情報へのアクセス権を持っている場合、システムに侵入するために使用されることがあります。
References
[1] Scott Mitchell Protecting Connection Strings and Other Configuration Information Microsoft
[2] Standards Mapping - Common Weakness Enumeration CWE ID 256
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [18] CWE ID 522
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [21] CWE ID 522
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199
[10] Standards Mapping - FIPS200 IA
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-5 Authenticator Management (P1), SC-28 Protection of Information at Rest (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-5 Authenticator Management, SC-28 Protection of Information at Rest
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.1.1 Password Security Requirements (L1 L2 L3), 2.1.2 Password Security Requirements (L1 L2 L3), 2.1.3 Password Security Requirements (L1 L2 L3), 2.1.4 Password Security Requirements (L1 L2 L3), 2.1.7 Password Security Requirements (L1 L2 L3), 2.1.8 Password Security Requirements (L1 L2 L3), 2.1.9 Password Security Requirements (L1 L2 L3), 2.7.5 Out of Band Verifier Requirements (L2 L3), 2.3.1 Authenticator Lifecycle Requirements (L1 L2 L3), 2.6.2 Look-up Secret Verifier Requirements (L2 L3), 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.1 Service Authentication Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.3 Service Authentication Requirements (L2 L3), 2.10.4 Service Authentication Requirements (L2 L3), 3.5.2 Token-based Session Management (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 6.4.1 Secret Management (L2 L3), 8.2.2 Client-side Data Protection (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3), 10.2.1 Malicious Code Search (L2 L3), 10.2.3 Malicious Code Search (L3), 14.1.3 Build (L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[17] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[18] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control, Control Objective 7 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control, Control Objective 7 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective 7 - Use of Cryptography, Control Objective C.2.1.2 - Web Software Access Controls
[35] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[36] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3340 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
desc.dataflow.dotnet.password_management
Abstract
パスワードを平文で保管するとシステムが危険にさらされる結果を招くことがあります。
Explanation
アプリケーションの設定ファイルなどのデータストアにパスワードが平文で保管されるている場合、Password Management の問題が発生します。
例 1: 次のコードでは、レジストリからパスワードを読み取り、そのパスワードを使用してデータベースに接続しています。


...
RegQueryValueEx(hkey,TEXT(.SQLPWD.),NULL,
                NULL,(LPBYTE)password, &size);
rc = SQLConnect(*hdbc, server, SQL_NTS, uid,
                SQL_NTS, password, SQL_NTS);
...


このコードは正常に動作しますが、パスワードの保存に使用されるレジストリ キーにアクセスできる全員が password の値を読み取ることができます。不心得な従業員がパスワード情報へのアクセス権を持っている場合、システムに侵入するために使用されることがあります。
References
[1] Windows Data Protection Microsoft
[2] Standards Mapping - Common Weakness Enumeration CWE ID 256
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [18] CWE ID 522
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [21] CWE ID 522
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199
[10] Standards Mapping - FIPS200 IA
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-5 Authenticator Management (P1), SC-28 Protection of Information at Rest (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-5 Authenticator Management, SC-28 Protection of Information at Rest
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.1.1 Password Security Requirements (L1 L2 L3), 2.1.2 Password Security Requirements (L1 L2 L3), 2.1.3 Password Security Requirements (L1 L2 L3), 2.1.4 Password Security Requirements (L1 L2 L3), 2.1.7 Password Security Requirements (L1 L2 L3), 2.1.8 Password Security Requirements (L1 L2 L3), 2.1.9 Password Security Requirements (L1 L2 L3), 2.7.5 Out of Band Verifier Requirements (L2 L3), 2.3.1 Authenticator Lifecycle Requirements (L1 L2 L3), 2.6.2 Look-up Secret Verifier Requirements (L2 L3), 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.1 Service Authentication Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.3 Service Authentication Requirements (L2 L3), 2.10.4 Service Authentication Requirements (L2 L3), 3.5.2 Token-based Session Management (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 6.4.1 Secret Management (L2 L3), 8.2.2 Client-side Data Protection (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3), 10.2.1 Malicious Code Search (L2 L3), 10.2.3 Malicious Code Search (L3), 14.1.3 Build (L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[17] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[18] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control, Control Objective 7 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control, Control Objective 7 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective 7 - Use of Cryptography, Control Objective C.2.1.2 - Web Software Access Controls
[35] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[36] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3340 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
desc.dataflow.cpp.password_management
Abstract
パスワードを平文で保管するとシステムが危険にさらされる結果を招くことがあります。
Explanation
Password Management の問題が発生するのは、アプリケーションのプロパティや設定ファイルにパスワードが平文で保管される場合です。
例 1: 次のコードはプロパティファイルからパスワードを読み取り、そのパスワードを使用してデータベースに接続しています。


...
01  RECORD.
     05  UID              PIC X(10).
     05  PASSWORD         PIC X(10).
...
EXEC CICS
  READ
  FILE('CFG')
  INTO(RECORD)
  RIDFLD(ACCTNO)
  ...
END-EXEC.

EXEC SQL
  CONNECT :UID
  IDENTIFIED BY :PASSWORD
  AT :MYCONN
  USING :MYSERVER
END-EXEC.
...


このコードは正常に動作しますが、CFGにアクセスできる全員がパスワードの値を読むことができます。不心得な従業員がこの情報へのアクセス権を持っている場合、システムに侵入するために使用されることがあります。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 256
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [18] CWE ID 522
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [21] CWE ID 522
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199
[9] Standards Mapping - FIPS200 IA
[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-5 Authenticator Management (P1), SC-28 Protection of Information at Rest (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-5 Authenticator Management, SC-28 Protection of Information at Rest
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.1.1 Password Security Requirements (L1 L2 L3), 2.1.2 Password Security Requirements (L1 L2 L3), 2.1.3 Password Security Requirements (L1 L2 L3), 2.1.4 Password Security Requirements (L1 L2 L3), 2.1.7 Password Security Requirements (L1 L2 L3), 2.1.8 Password Security Requirements (L1 L2 L3), 2.1.9 Password Security Requirements (L1 L2 L3), 2.7.5 Out of Band Verifier Requirements (L2 L3), 2.3.1 Authenticator Lifecycle Requirements (L1 L2 L3), 2.6.2 Look-up Secret Verifier Requirements (L2 L3), 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.1 Service Authentication Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.3 Service Authentication Requirements (L2 L3), 2.10.4 Service Authentication Requirements (L2 L3), 3.5.2 Token-based Session Management (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 6.4.1 Secret Management (L2 L3), 8.2.2 Client-side Data Protection (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3), 10.2.1 Malicious Code Search (L2 L3), 10.2.3 Malicious Code Search (L3), 14.1.3 Build (L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[15] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[16] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[17] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control, Control Objective 7 - Use of Cryptography
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control, Control Objective 7 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective 7 - Use of Cryptography, Control Objective C.2.1.2 - Web Software Access Controls
[34] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[35] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3340 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
desc.dataflow.cobol.password_management
Abstract
パスワードを平文で保管するとシステムが危険にさらされる結果を招くことがあります。
Explanation
Password Management の問題が発生するのは、アプリケーションの設定ファイルやデータベースにパスワードが平文で保管されることが許可される場合です。
例 1: 次のコードは Web フォームからパスワードを読み取り、そのパスワードを使用してデータベースに接続しています。


<cfquery name = "GetCredentials" dataSource = "master">
SELECT   Username, Password
FROM     Credentials
WHERE    DataSource="users"
</cfquery>
...
<cfquery name = "GetSSNs" dataSource = "users"
 username = "#Username#" password = "#Password#">
SELECT   SSN
FROM     Users
</cfquery>
...


このコードは正常に動作しますが、テーブル masterにアクセスできる全員が UsernamePassword の値を読み取ることができます。不心得な従業員がこの情報へのアクセス権を持っている場合、システムに侵入するために使用されることがあります。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 256
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [18] CWE ID 522
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [21] CWE ID 522
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199
[9] Standards Mapping - FIPS200 IA
[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-5 Authenticator Management (P1), SC-28 Protection of Information at Rest (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-5 Authenticator Management, SC-28 Protection of Information at Rest
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.1.1 Password Security Requirements (L1 L2 L3), 2.1.2 Password Security Requirements (L1 L2 L3), 2.1.3 Password Security Requirements (L1 L2 L3), 2.1.4 Password Security Requirements (L1 L2 L3), 2.1.7 Password Security Requirements (L1 L2 L3), 2.1.8 Password Security Requirements (L1 L2 L3), 2.1.9 Password Security Requirements (L1 L2 L3), 2.7.5 Out of Band Verifier Requirements (L2 L3), 2.3.1 Authenticator Lifecycle Requirements (L1 L2 L3), 2.6.2 Look-up Secret Verifier Requirements (L2 L3), 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.1 Service Authentication Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.3 Service Authentication Requirements (L2 L3), 2.10.4 Service Authentication Requirements (L2 L3), 3.5.2 Token-based Session Management (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 6.4.1 Secret Management (L2 L3), 8.2.2 Client-side Data Protection (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3), 10.2.1 Malicious Code Search (L2 L3), 10.2.3 Malicious Code Search (L3), 14.1.3 Build (L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[15] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[16] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[17] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control, Control Objective 7 - Use of Cryptography
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control, Control Objective 7 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective 7 - Use of Cryptography, Control Objective C.2.1.2 - Web Software Access Controls
[34] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[35] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3340 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
desc.dataflow.cfml.password_management
Abstract
パスワードを平文で保管するとシステムが危険にさらされる結果を招くことがあります。
Explanation
Password Management の問題が発生するのは、アプリケーションのプロパティや設定ファイルにパスワードが平文で保管される場合です。
例 1: 次のコードでは、JSON ファイルからパスワードを読み取り、そのパスワードを使用してリクエストの認証ヘッダーを設定します。


...
file, _ := os.Open("config.json")
decoder := json.NewDecoder(file)
decoder.Decode(&values)

request.SetBasicAuth(values.Username, values.Password)
...


このコードは正常に動作しますが、config.json にアクセスできる全員が values.Password の値を読み取ることができます。不心得な従業員がこの情報へのアクセス権を持っている場合、システムに侵入するために使用されることがあります。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 256
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [18] CWE ID 522
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [21] CWE ID 522
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199
[9] Standards Mapping - FIPS200 IA
[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-5 Authenticator Management (P1), SC-28 Protection of Information at Rest (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-5 Authenticator Management, SC-28 Protection of Information at Rest
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.1.1 Password Security Requirements (L1 L2 L3), 2.1.2 Password Security Requirements (L1 L2 L3), 2.1.3 Password Security Requirements (L1 L2 L3), 2.1.4 Password Security Requirements (L1 L2 L3), 2.1.7 Password Security Requirements (L1 L2 L3), 2.1.8 Password Security Requirements (L1 L2 L3), 2.1.9 Password Security Requirements (L1 L2 L3), 2.7.5 Out of Band Verifier Requirements (L2 L3), 2.3.1 Authenticator Lifecycle Requirements (L1 L2 L3), 2.6.2 Look-up Secret Verifier Requirements (L2 L3), 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.1 Service Authentication Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.3 Service Authentication Requirements (L2 L3), 2.10.4 Service Authentication Requirements (L2 L3), 3.5.2 Token-based Session Management (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 6.4.1 Secret Management (L2 L3), 8.2.2 Client-side Data Protection (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3), 10.2.1 Malicious Code Search (L2 L3), 10.2.3 Malicious Code Search (L3), 14.1.3 Build (L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[15] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[16] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[17] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control, Control Objective 7 - Use of Cryptography
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control, Control Objective 7 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective 7 - Use of Cryptography, Control Objective C.2.1.2 - Web Software Access Controls
[34] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[35] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3340 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
desc.dataflow.golang.password_management
Abstract
パスワードを平文で保管するとシステムが危険にさらされる結果を招くことがあります。
Explanation
Password Management の問題が発生するのは、アプリケーションのプロパティや設定ファイルにパスワードが平文で保管される場合です。
例 1: 次のコードはプロパティファイルからパスワードを読み取り、そのパスワードを使用してデータベースに接続しています。


...
Properties prop = new Properties();
prop.load(new FileInputStream("config.properties"));
String password = prop.getProperty("password");

DriverManager.getConnection(url, usr, password);
...


このコードは正常に動作しますが、config.properties にアクセスできる全員が passwordの値を読むことができます。不心得な従業員がこの情報へのアクセス権を持っている場合、システムに侵入するために使用されることがあります。

モバイル環境では、デバイスをなくす機会が高いことを考慮すると、パスワード管理は特に重要です。
例 2: 次のコードでは、Android WebView store からユーザー名とパスワードを読み取り、それらを使用して保護されたページを表示するための Authentication を設定します。

...
webview.setWebViewClient(new WebViewClient() {
  public void onReceivedHttpAuthRequest(WebView view,
        HttpAuthHandler handler, String host, String realm) {
    String[] credentials = view.getHttpAuthUsernamePassword(host, realm);
    String username = credentials[0];
    String password = credentials[1];
    handler.proceed(username, password);
  }
});
...


WebView 認証情報はデフォルトで平文として保存されハッシュされません。このためユーザーのデバイスがルート化されている (またはエミュレータを使用している) 場合、そのユーザーは保存されている特定サイトのパスワードを読み取ることができます。
References
[1] SQLCipher.
[2] Standards Mapping - Common Weakness Enumeration CWE ID 256
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [18] CWE ID 522
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [21] CWE ID 522
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199
[10] Standards Mapping - FIPS200 IA
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-5 Authenticator Management (P1), SC-28 Protection of Information at Rest (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-5 Authenticator Management, SC-28 Protection of Information at Rest
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.1.1 Password Security Requirements (L1 L2 L3), 2.1.2 Password Security Requirements (L1 L2 L3), 2.1.3 Password Security Requirements (L1 L2 L3), 2.1.4 Password Security Requirements (L1 L2 L3), 2.1.7 Password Security Requirements (L1 L2 L3), 2.1.8 Password Security Requirements (L1 L2 L3), 2.1.9 Password Security Requirements (L1 L2 L3), 2.7.5 Out of Band Verifier Requirements (L2 L3), 2.3.1 Authenticator Lifecycle Requirements (L1 L2 L3), 2.6.2 Look-up Secret Verifier Requirements (L2 L3), 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.1 Service Authentication Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.3 Service Authentication Requirements (L2 L3), 2.10.4 Service Authentication Requirements (L2 L3), 3.5.2 Token-based Session Management (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 6.4.1 Secret Management (L2 L3), 8.2.2 Client-side Data Protection (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3), 10.2.1 Malicious Code Search (L2 L3), 10.2.3 Malicious Code Search (L3), 14.1.3 Build (L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[17] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[18] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control, Control Objective 7 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control, Control Objective 7 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective 7 - Use of Cryptography, Control Objective C.2.1.2 - Web Software Access Controls
[35] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[36] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3340 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
desc.dataflow.java.password_management
Abstract
パスワードを平文で保管するとシステムが危険にさらされる結果を招くことがあります。
Explanation
アプリケーションにパスワードが平文で保管されている場合、Password Management の問題が発生します。
例 1: 次のコードは、ハードコーディングされたパスワードを使用してアプリケーションに接続し、アドレス帳のエントリを取得しています。


    ...
    obj = new XMLHttpRequest();
    obj.open('GET','/fetchusers.jsp?id='+form.id.value,'true','scott','tiger');
    ...


このコードは正常に実行されますが、含まれる Web ページにアクセスする全員がパスワードを閲覧できます。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 256
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [18] CWE ID 522
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [21] CWE ID 522
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199
[9] Standards Mapping - FIPS200 IA
[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-5 Authenticator Management (P1), SC-28 Protection of Information at Rest (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-5 Authenticator Management, SC-28 Protection of Information at Rest
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.1.1 Password Security Requirements (L1 L2 L3), 2.1.2 Password Security Requirements (L1 L2 L3), 2.1.3 Password Security Requirements (L1 L2 L3), 2.1.4 Password Security Requirements (L1 L2 L3), 2.1.7 Password Security Requirements (L1 L2 L3), 2.1.8 Password Security Requirements (L1 L2 L3), 2.1.9 Password Security Requirements (L1 L2 L3), 2.7.5 Out of Band Verifier Requirements (L2 L3), 2.3.1 Authenticator Lifecycle Requirements (L1 L2 L3), 2.6.2 Look-up Secret Verifier Requirements (L2 L3), 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.1 Service Authentication Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.3 Service Authentication Requirements (L2 L3), 2.10.4 Service Authentication Requirements (L2 L3), 3.5.2 Token-based Session Management (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 6.4.1 Secret Management (L2 L3), 8.2.2 Client-side Data Protection (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3), 10.2.1 Malicious Code Search (L2 L3), 10.2.3 Malicious Code Search (L3), 14.1.3 Build (L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[15] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[16] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[17] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control, Control Objective 7 - Use of Cryptography
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control, Control Objective 7 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective 7 - Use of Cryptography, Control Objective C.2.1.2 - Web Software Access Controls
[34] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[35] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3340 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
desc.dataflow.javascript.password_management
Abstract
パスワードを平文で保管するとシステムが危険にさらされる結果を招くことがあります。
Explanation
Password Management の問題が発生するのは、アプリケーションのプロパティや設定ファイルにパスワードが平文で保管される場合です。
例 1: 次のコードは、plist ファイルからパスワードを読み取り、読み取ったパスワードを使用してパスワードで保護されたファイルを解凍します。

...
NSDictionary *dict= [NSDictionary dictionaryWithContentsOfFile:[[NSBundle mainBundle] pathForResource:@"Config" ofType:@"plist"]];
NSString *password = [dict valueForKey:@"password"];
[SSZipArchive unzipFileAtPath:zipPath toDestination:destPath overwrite:TRUE password:password error:&error];
...

モバイル環境では、デバイスをなくす機会が高いことを考慮すると、パスワード管理は特に重要です。
References
[1] SQLCipher.
[2] Standards Mapping - Common Weakness Enumeration CWE ID 256
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [18] CWE ID 522
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [21] CWE ID 522
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199
[10] Standards Mapping - FIPS200 IA
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-5 Authenticator Management (P1), SC-28 Protection of Information at Rest (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-5 Authenticator Management, SC-28 Protection of Information at Rest
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.1.1 Password Security Requirements (L1 L2 L3), 2.1.2 Password Security Requirements (L1 L2 L3), 2.1.3 Password Security Requirements (L1 L2 L3), 2.1.4 Password Security Requirements (L1 L2 L3), 2.1.7 Password Security Requirements (L1 L2 L3), 2.1.8 Password Security Requirements (L1 L2 L3), 2.1.9 Password Security Requirements (L1 L2 L3), 2.7.5 Out of Band Verifier Requirements (L2 L3), 2.3.1 Authenticator Lifecycle Requirements (L1 L2 L3), 2.6.2 Look-up Secret Verifier Requirements (L2 L3), 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.1 Service Authentication Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.3 Service Authentication Requirements (L2 L3), 2.10.4 Service Authentication Requirements (L2 L3), 3.5.2 Token-based Session Management (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 6.4.1 Secret Management (L2 L3), 8.2.2 Client-side Data Protection (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3), 10.2.1 Malicious Code Search (L2 L3), 10.2.3 Malicious Code Search (L3), 14.1.3 Build (L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[17] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[18] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control, Control Objective 7 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control, Control Objective 7 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective 7 - Use of Cryptography, Control Objective C.2.1.2 - Web Software Access Controls
[35] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[36] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3340 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
desc.dataflow.objc.password_management
Abstract
パスワードを平文で保管するとシステムが危険にさらされる結果を招くことがあります。
Explanation
Password Management の問題が発生するのは、アプリケーションのプロパティや設定ファイルにパスワードが平文で保管される場合です。
例 1: 次のコードはプロパティファイルからパスワードを読み取り、そのパスワードを使用してデータベースに接続しています。


...
$props = file('config.properties', FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
$password = $props[0];

$link = mysql_connect($url, $usr, $password);
if (!$link) {
    die('Could not connect: ' . mysql_error());
}
...


このコードは正常に動作しますが、config.properties にアクセスできる全員が passwordの値を読むことができます。不心得な従業員がこの情報へのアクセス権を持っている場合、システムに侵入するために使用されることがあります。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 256
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [18] CWE ID 522
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [21] CWE ID 522
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199
[9] Standards Mapping - FIPS200 IA
[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-5 Authenticator Management (P1), SC-28 Protection of Information at Rest (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-5 Authenticator Management, SC-28 Protection of Information at Rest
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.1.1 Password Security Requirements (L1 L2 L3), 2.1.2 Password Security Requirements (L1 L2 L3), 2.1.3 Password Security Requirements (L1 L2 L3), 2.1.4 Password Security Requirements (L1 L2 L3), 2.1.7 Password Security Requirements (L1 L2 L3), 2.1.8 Password Security Requirements (L1 L2 L3), 2.1.9 Password Security Requirements (L1 L2 L3), 2.7.5 Out of Band Verifier Requirements (L2 L3), 2.3.1 Authenticator Lifecycle Requirements (L1 L2 L3), 2.6.2 Look-up Secret Verifier Requirements (L2 L3), 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.1 Service Authentication Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.3 Service Authentication Requirements (L2 L3), 2.10.4 Service Authentication Requirements (L2 L3), 3.5.2 Token-based Session Management (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 6.4.1 Secret Management (L2 L3), 8.2.2 Client-side Data Protection (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3), 10.2.1 Malicious Code Search (L2 L3), 10.2.3 Malicious Code Search (L3), 14.1.3 Build (L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[15] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[16] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[17] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control, Control Objective 7 - Use of Cryptography
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control, Control Objective 7 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective 7 - Use of Cryptography, Control Objective C.2.1.2 - Web Software Access Controls
[34] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[35] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3340 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
desc.dataflow.php.password_management
Abstract
パスワードを平文でハードコーディングしたり保管したりすると、システムが危険にさらされる結果を招くことがあります。
Explanation
パスワードがハードコーディングされていたり、アプリケーションの設定ファイルなどのデータストアにパスワードが平文で保管されている場合、Password Management の問題が発生します。パスワードをハードコーディングするのはよくない発想です。パスワードをハードコーディングするとプロジェクトの開発者全員がパスワードを見ることができるだけでなく、問題の修復も非常に困難になります。コードが実運用に入ると、ソフトウェアにパッチを当てないとパスワードを変更できません。このパスワードによって保護されたアカウントが危険にさらされると、システムの所有者はセキュリティと可用性の二者択一を強いられます。
例 1: 次のコードは、ユーザーがデータベース サーバーにログインするために使用したパスワードを読み込み、期待される値と比較することでユーザー認証を行っています。


...
ip_address := OWA_SEC.get_client_ip;
IF ((OWA_SEC.get_user_id = 'scott') AND
    (OWA_SEC.get_password = 'tiger') AND
    (ip_address(1) = 144) and (ip_address(2) = 25)) THEN
        RETURN TRUE;
ELSE
        RETURN FALSE;
END IF;
...


このコードは正常に動作しますが、コードにアクセスできる全員がパスワードを入手できます。プログラムが頒布された後は、プログラムにパッチを適用しない限り、「tiger」というパスワードを持つデータベース ユーザー「scott」を変更することはできません。この情報へのアクセス権を持っている従業員が、権限を使用してシステムに侵入する可能性があります。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 256
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [18] CWE ID 522
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [21] CWE ID 522
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199
[9] Standards Mapping - FIPS200 IA
[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-5 Authenticator Management (P1), SC-28 Protection of Information at Rest (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-5 Authenticator Management, SC-28 Protection of Information at Rest
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.1.1 Password Security Requirements (L1 L2 L3), 2.1.2 Password Security Requirements (L1 L2 L3), 2.1.3 Password Security Requirements (L1 L2 L3), 2.1.4 Password Security Requirements (L1 L2 L3), 2.1.7 Password Security Requirements (L1 L2 L3), 2.1.8 Password Security Requirements (L1 L2 L3), 2.1.9 Password Security Requirements (L1 L2 L3), 2.7.5 Out of Band Verifier Requirements (L2 L3), 2.3.1 Authenticator Lifecycle Requirements (L1 L2 L3), 2.6.2 Look-up Secret Verifier Requirements (L2 L3), 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.1 Service Authentication Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.3 Service Authentication Requirements (L2 L3), 2.10.4 Service Authentication Requirements (L2 L3), 3.5.2 Token-based Session Management (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 6.4.1 Secret Management (L2 L3), 8.2.2 Client-side Data Protection (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3), 10.2.1 Malicious Code Search (L2 L3), 10.2.3 Malicious Code Search (L3), 14.1.3 Build (L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[15] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[16] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[17] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control, Control Objective 7 - Use of Cryptography
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control, Control Objective 7 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective 7 - Use of Cryptography, Control Objective C.2.1.2 - Web Software Access Controls
[34] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[35] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3340 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
desc.semantic.sql.password_management
Abstract
パスワードを平文で保管するとシステムが危険にさらされる結果を招くことがあります。
Explanation
Password Management の問題が発生するのは、アプリケーションのプロパティや設定ファイルにパスワードが平文で保管される場合です。
例 1: 次のコードはプロパティファイルからパスワードを読み取り、そのパスワードを使用してデータベースに接続しています。


...
props = os.open('config.properties')
password = props[0]

link = MySQLdb.connect (host = "localhost",
                           user = "testuser",
                           passwd = password,
                           db = "test")
...


このコードは正常に動作しますが、config.properties にアクセスできる全員が passwordの値を読むことができます。不心得な従業員がこの情報へのアクセス権を持っている場合、システムに侵入するために使用されることがあります。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 256
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [18] CWE ID 522
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [21] CWE ID 522
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199
[9] Standards Mapping - FIPS200 IA
[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-5 Authenticator Management (P1), SC-28 Protection of Information at Rest (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-5 Authenticator Management, SC-28 Protection of Information at Rest
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.1.1 Password Security Requirements (L1 L2 L3), 2.1.2 Password Security Requirements (L1 L2 L3), 2.1.3 Password Security Requirements (L1 L2 L3), 2.1.4 Password Security Requirements (L1 L2 L3), 2.1.7 Password Security Requirements (L1 L2 L3), 2.1.8 Password Security Requirements (L1 L2 L3), 2.1.9 Password Security Requirements (L1 L2 L3), 2.7.5 Out of Band Verifier Requirements (L2 L3), 2.3.1 Authenticator Lifecycle Requirements (L1 L2 L3), 2.6.2 Look-up Secret Verifier Requirements (L2 L3), 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.1 Service Authentication Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.3 Service Authentication Requirements (L2 L3), 2.10.4 Service Authentication Requirements (L2 L3), 3.5.2 Token-based Session Management (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 6.4.1 Secret Management (L2 L3), 8.2.2 Client-side Data Protection (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3), 10.2.1 Malicious Code Search (L2 L3), 10.2.3 Malicious Code Search (L3), 14.1.3 Build (L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[15] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[16] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[17] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control, Control Objective 7 - Use of Cryptography
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control, Control Objective 7 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective 7 - Use of Cryptography, Control Objective C.2.1.2 - Web Software Access Controls
[34] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[35] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3340 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
desc.dataflow.python.password_management
Abstract
パスワードを平文で保管するとシステムが危険にさらされる結果を招くことがあります。
Explanation
アプリケーションの設定ファイルなどのデータストアにパスワードが平文で保管されるている場合、Password Management の問題が発生します。
例 1: 次のコードでは、環境変数からパスワードを読み取り、そのパスワードを使用してデータベースに接続しています。


require 'pg'
...
passwd = ENV['PASSWD']
...
conn = PG::Connection.new(:dbname => "myApp_production", :user => username, :password => passwd, :sslmode => 'require')


このコードは正常に動作しますが、パスワードを保管するために使用されている環境変数にアクセスできる全員が PASSWDの値を読み取れます。不心得な従業員がこの情報へのアクセス権を持っている場合、システムに侵入するために使用されることがあります。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 256
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [18] CWE ID 522
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [21] CWE ID 522
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199
[9] Standards Mapping - FIPS200 IA
[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-5 Authenticator Management (P1), SC-28 Protection of Information at Rest (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-5 Authenticator Management, SC-28 Protection of Information at Rest
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.1.1 Password Security Requirements (L1 L2 L3), 2.1.2 Password Security Requirements (L1 L2 L3), 2.1.3 Password Security Requirements (L1 L2 L3), 2.1.4 Password Security Requirements (L1 L2 L3), 2.1.7 Password Security Requirements (L1 L2 L3), 2.1.8 Password Security Requirements (L1 L2 L3), 2.1.9 Password Security Requirements (L1 L2 L3), 2.7.5 Out of Band Verifier Requirements (L2 L3), 2.3.1 Authenticator Lifecycle Requirements (L1 L2 L3), 2.6.2 Look-up Secret Verifier Requirements (L2 L3), 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.1 Service Authentication Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.3 Service Authentication Requirements (L2 L3), 2.10.4 Service Authentication Requirements (L2 L3), 3.5.2 Token-based Session Management (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 6.4.1 Secret Management (L2 L3), 8.2.2 Client-side Data Protection (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3), 10.2.1 Malicious Code Search (L2 L3), 10.2.3 Malicious Code Search (L3), 14.1.3 Build (L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[15] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[16] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[17] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control, Control Objective 7 - Use of Cryptography
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control, Control Objective 7 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective 7 - Use of Cryptography, Control Objective C.2.1.2 - Web Software Access Controls
[34] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[35] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3340 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
desc.dataflow.ruby.password_management
Abstract
パスワードを平文で保管するとシステムが危険にさらされる結果を招くことがあります。
Explanation
Password Management の問題が発生するのは、アプリケーションのプロパティや設定ファイルにパスワードが平文で保管される場合です。
例 1: 次のコードはプロパティファイルからパスワードを読み取り、そのパスワードを使用してデータベースに接続しています。


...
val prop = new Properties()
prop.load(new FileInputStream("config.properties"))
val password = prop.getProperty("password")

DriverManager.getConnection(url, usr, password)
...


このコードは正常に動作しますが、config.propertiesにアクセスできる全員がpassword の値を読むことができます。不心得な従業員がパスワード情報へのアクセス権を持っている場合、システムに侵入するために使用されることがあります。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 256
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [18] CWE ID 522
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [21] CWE ID 522
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199
[9] Standards Mapping - FIPS200 IA
[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-5 Authenticator Management (P1), SC-28 Protection of Information at Rest (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-5 Authenticator Management, SC-28 Protection of Information at Rest
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.1.1 Password Security Requirements (L1 L2 L3), 2.1.2 Password Security Requirements (L1 L2 L3), 2.1.3 Password Security Requirements (L1 L2 L3), 2.1.4 Password Security Requirements (L1 L2 L3), 2.1.7 Password Security Requirements (L1 L2 L3), 2.1.8 Password Security Requirements (L1 L2 L3), 2.1.9 Password Security Requirements (L1 L2 L3), 2.7.5 Out of Band Verifier Requirements (L2 L3), 2.3.1 Authenticator Lifecycle Requirements (L1 L2 L3), 2.6.2 Look-up Secret Verifier Requirements (L2 L3), 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.1 Service Authentication Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.3 Service Authentication Requirements (L2 L3), 2.10.4 Service Authentication Requirements (L2 L3), 3.5.2 Token-based Session Management (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 6.4.1 Secret Management (L2 L3), 8.2.2 Client-side Data Protection (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3), 10.2.1 Malicious Code Search (L2 L3), 10.2.3 Malicious Code Search (L3), 14.1.3 Build (L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[15] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[16] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[17] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control, Control Objective 7 - Use of Cryptography
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control, Control Objective 7 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective 7 - Use of Cryptography, Control Objective C.2.1.2 - Web Software Access Controls
[34] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[35] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3340 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
desc.dataflow.scala.password_management
Abstract
パスワードを平文で保管するとシステムが危険にさらされる結果を招くことがあります。
Explanation
Password Management の問題が発生するのは、アプリケーションのプロパティや設定ファイルにパスワードが平文で保管される場合です。
例 1: 次のコードは、plist ファイルからパスワードを読み取り、読み取ったパスワードを使用してパスワードで保護されたファイルを解凍します。

...
var myDict: NSDictionary?
if let path = NSBundle.mainBundle().pathForResource("Config", ofType: "plist") {
    myDict = NSDictionary(contentsOfFile: path)
}
if let dict = myDict {
    zipArchive.unzipOpenFile(zipPath, password:dict["password"])
}
...

モバイル環境では、デバイスをなくす機会が高いことを考慮すると、パスワード管理は特に重要です。
References
[1] SQLCipher.
[2] Standards Mapping - Common Weakness Enumeration CWE ID 256
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [18] CWE ID 522
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [21] CWE ID 522
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199
[10] Standards Mapping - FIPS200 IA
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-5 Authenticator Management (P1), SC-28 Protection of Information at Rest (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-5 Authenticator Management, SC-28 Protection of Information at Rest
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.1.1 Password Security Requirements (L1 L2 L3), 2.1.2 Password Security Requirements (L1 L2 L3), 2.1.3 Password Security Requirements (L1 L2 L3), 2.1.4 Password Security Requirements (L1 L2 L3), 2.1.7 Password Security Requirements (L1 L2 L3), 2.1.8 Password Security Requirements (L1 L2 L3), 2.1.9 Password Security Requirements (L1 L2 L3), 2.7.5 Out of Band Verifier Requirements (L2 L3), 2.3.1 Authenticator Lifecycle Requirements (L1 L2 L3), 2.6.2 Look-up Secret Verifier Requirements (L2 L3), 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.1 Service Authentication Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.3 Service Authentication Requirements (L2 L3), 2.10.4 Service Authentication Requirements (L2 L3), 3.5.2 Token-based Session Management (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 6.4.1 Secret Management (L2 L3), 8.2.2 Client-side Data Protection (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3), 10.2.1 Malicious Code Search (L2 L3), 10.2.3 Malicious Code Search (L3), 14.1.3 Build (L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[17] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[18] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control, Control Objective 7 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control, Control Objective 7 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective 7 - Use of Cryptography, Control Objective C.2.1.2 - Web Software Access Controls
[35] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[36] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3340 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
desc.dataflow.swift.password_management
Abstract
パスワードを平文で保管するとシステムが危険にさらされる結果を招くことがあります。
Explanation
Password Management の問題が発生するのは、アプリケーションのプロパティや設定ファイルにパスワードが平文で保管される場合です。
例 1: 次のコードはプロパティファイルからパスワードを読み取り、そのパスワードを使用してデータベースに接続しています。


...
Private Declare Function GetPrivateProfileString _
  Lib "kernel32" Alias "GetPrivateProfileStringA" _
  (ByVal lpApplicationName As String, _
  ByVal lpKeyName As Any, ByVal lpDefault As String, _
  ByVal lpReturnedString As String, ByVal nSize As Long, _
  ByVal lpFileName As String) As Long
...
Dim password As String
...
password = GetPrivateProfileString("MyApp", "Password", _
  "", value, Len(value), _
   App.Path & "\" & "Config.ini")
...
con.ConnectionString = "Driver={Microsoft ODBC for Oracle};Server=OracleServer.world;Uid=scott;Passwd=" & password &";"
...


このコードは正常に動作しますが、config.properties にアクセスできる全員が passwordの値を読むことができます。不心得な従業員がこの情報へのアクセス権を持っている場合、システムに侵入するために使用されることがあります。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 256
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [18] CWE ID 522
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [21] CWE ID 522
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199
[9] Standards Mapping - FIPS200 IA
[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-5 Authenticator Management (P1), SC-28 Protection of Information at Rest (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-5 Authenticator Management, SC-28 Protection of Information at Rest
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.1.1 Password Security Requirements (L1 L2 L3), 2.1.2 Password Security Requirements (L1 L2 L3), 2.1.3 Password Security Requirements (L1 L2 L3), 2.1.4 Password Security Requirements (L1 L2 L3), 2.1.7 Password Security Requirements (L1 L2 L3), 2.1.8 Password Security Requirements (L1 L2 L3), 2.1.9 Password Security Requirements (L1 L2 L3), 2.7.5 Out of Band Verifier Requirements (L2 L3), 2.3.1 Authenticator Lifecycle Requirements (L1 L2 L3), 2.6.2 Look-up Secret Verifier Requirements (L2 L3), 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.1 Service Authentication Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.3 Service Authentication Requirements (L2 L3), 2.10.4 Service Authentication Requirements (L2 L3), 3.5.2 Token-based Session Management (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 6.4.1 Secret Management (L2 L3), 8.2.2 Client-side Data Protection (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3), 10.2.1 Malicious Code Search (L2 L3), 10.2.3 Malicious Code Search (L3), 14.1.3 Build (L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[15] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[16] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[17] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control, Control Objective 7 - Use of Cryptography
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control, Control Objective 7 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective 7 - Use of Cryptography, Control Objective C.2.1.2 - Web Software Access Controls
[34] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[35] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3340 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
desc.dataflow.vb.password_management