213 見つかった項目
脆弱性

Azure ARM Misconfiguration: Insecure Storage Account Storage

Abstract
構成は、保存時の暗号化なしでリソースを作成します。
Explanation
保存時の暗号化が有効になっていません。そのため、データが不正アクセスや盗難の危険にさらされます。
References
[1] Standards Mapping - CIS Microsoft Azure Foundations Benchmark Recommendation 3.2
[2] Standards Mapping - Common Weakness Enumeration CWE ID 311
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[4] Standards Mapping - FIPS200 MP
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-28 Protection of Information at Rest (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-28 Protection of Information at Rest
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 6.1.1 Data Classification (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[10] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[11] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[12] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[13] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[14] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[16] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[26] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[27] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[51] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.structural.iac.misconfiguration_insecure_storage.base
Abstract
構成は、保存時の暗号化なしでリソースを作成します。
Explanation
保存時の暗号化が有効になっていません。そのため、データが不正アクセスや盗難の危険にさらされます。
References
[1] Standards Mapping - CIS Microsoft Azure Foundations Benchmark Recommendation 3.2
[2] Standards Mapping - Common Weakness Enumeration CWE ID 311
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[4] Standards Mapping - FIPS200 MP
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-28 Protection of Information at Rest (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-28 Protection of Information at Rest
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 6.1.1 Data Classification (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[10] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[11] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[12] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[13] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[14] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[16] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[26] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[27] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[51] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.structural.iac.misconfiguration_insecure_storage.base

Azure ARM Misconfiguration: Insecure Storage Account Transport

Abstract
サービスは、転送中に堅牢な暗号化を強制しません。
Explanation
データ通信チャネルの保護が不十分な場合、重要な組織データが盗難、改ざん、または開示の危険にさらされる可能性があります。
References
[1] Standards Mapping - CIS Microsoft Azure Foundations Benchmark Recommendation 3.1
[2] Standards Mapping - Common Weakness Enumeration CWE ID 311
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-001453, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123
[4] Standards Mapping - FIPS200 CM, SC
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), MA-4 Nonlocal Maintenance (P2), SC-8 Transmission Confidentiality and Integrity (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, MA-4 Nonlocal Maintenance, SC-8 Transmission Confidentiality and Integrity
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[10] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[11] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[12] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications
[13] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection
[14] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.4.1 - Web Software Communications
[29] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 319
[30] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[31] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260.1 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.structural.iac.misconfiguration_insecure_transport.base
Abstract
このテンプレートは、転送中の暗号化を強制しないストレージ アカウントを定義します。
Explanation
暗号化されていない通信チャネルは、盗聴や改ざんされる傾向があります。

デフォルトでは、apiVersion 2019-04-01 以降、Azure ストレージ アカウントにはリクエストに応答するための安全な接続が必要とされますが、この要件は supportsHttpsTrafficOnly プロパティを使用して無効化できます。

転送セキュリティを無効にすると、データが不正アクセス、盗難、改ざんの危険にさらされます。

例 1: 次のテンプレートの例は、安全な転送を強制しないストレージ アカウントを示しています。

{
    "name": "Storage1",
    "type": "Microsoft.Storage/storageAccounts",
    "apiVersion": "2021-02-01",
    ...
    "properties": {
        "supportsHttpsTrafficOnly": false
    }
}
References
[1] Microsoft Require secure transfer to ensure secure connections
[2] Microsoft Security recommendations for Blob storage
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark Recommendation 3.1
[4] Standards Mapping - Common Weakness Enumeration CWE ID 311
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-001453, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123
[6] Standards Mapping - FIPS200 CM, SC
[7] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), MA-4 Nonlocal Maintenance (P2), SC-8 Transmission Confidentiality and Integrity (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, MA-4 Nonlocal Maintenance, SC-8 Transmission Confidentiality and Integrity
[10] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[12] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[13] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[14] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications
[15] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection
[16] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[17] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.4.1 - Web Software Communications
[31] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 319
[32] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[33] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260.1 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
[58] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.structural.json.azure_arm_misconfiguration_insecure_storage_account_transport.base

Azure ARM Misconfiguration: Insufficient AKS Monitoring

Abstract
このテンプレートは、ログ イベントを Azure Monitor に送信しない AKS クラスターを定義します。
Explanation
デフォルトでは、Azure Kubernetes Service (AKS) クラスターは、ログ イベントを Azure Monitor に送信しません。そのため、悪意のある動作が検出されなくなり、違反が発生した場合のフォレンジック分析が妨げられる可能性があります。

例 1: 次のテンプレートの例は、ログ イベントを Azure Monitor に送信しない AKS クラスターを示しています。

{
    "name": "[split(parameters('aksResourceId'),'/')[8]]",
    "type": "Microsoft.ContainerService/managedClusters",
    "apiVersion": "2018-03-31",
    "properties": {
        "mode": "Incremental",
        "id": "[parameters('aksResourceId')]",
    }
}
References
[1] CISA Alert (AA20-245A)- Technical Approaches to Uncovering and Remediating Malicious Activity
[2] Microsoft Enable monitoring of Azure Kubernetes Service (AKS) cluster already deployed
[3] Microsoft Enable monitoring of a new Azure Kubernetes Service (AKS) cluster
[4] Microsoft Azure security baseline for Azure Kubernetes Service
[5] Standards Mapping - Common Weakness Enumeration CWE ID 778
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[7] Standards Mapping - FIPS200 CM
[8] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[11] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[13] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[14] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[15] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[17] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10, Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3680.4 CAT II, APP3680.5 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3680.4 CAT II, APP3680.5 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3680.4 CAT II, APP3680.5 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3680.4 CAT II, APP3680.5 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3680.4 CAT II, APP3680.5 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3680.4 CAT II, APP3680.5 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3680.4 CAT II, APP3680.5 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000830 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000830 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000830 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000830 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000830 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000830 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000830 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000830 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000830 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000830 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000830 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000830 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000830 CAT II
[54] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.structural.json.azure_arm_misconfiguration_insufficient_aks_monitoring.base

Azure ARM Misconfiguration: Insufficient Application Insights Logging

Abstract
このテンプレートは、監査保持期間が十分でないログ設定を定義しています。
Explanation
保持期間が短いと、調査の際に組織が参照できるログ情報の量が減ります。業界標準では、データの種類と組織に求められる法的義務に応じて、異なる保持期間を推奨しています。
References
[1] Karen Kent, Murugiah Souppaya NIST SP800-92 - Guide to Computer Security Log Management
[2] John Edwards The 7 deadly sins of records retention
[3] Microsoft Playbook for addressing common security requirements with Azure SQL Database and Azure SQL Managed Instance
[4] Microsoft Auditing for Azure SQL Database and Azure Synapse Analytics
[5] Standards Mapping - Common Weakness Enumeration CWE ID 778
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[7] Standards Mapping - FIPS200 CM
[8] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[11] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[13] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[14] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[15] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[17] Standards Mapping - OWASP Top 10 2017 A10 Insufficient Logging and Monitoring
[18] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10, Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3680.4 CAT II, APP3680.5 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3680.4 CAT II, APP3680.5 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3680.4 CAT II, APP3680.5 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3680.4 CAT II, APP3680.5 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3680.4 CAT II, APP3680.5 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3680.4 CAT II, APP3680.5 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3680.4 CAT II, APP3680.5 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000830 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000830 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000830 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000830 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000830 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000830 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000830 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000830 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000830 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000830 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000830 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000830 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000830 CAT II
[54] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.structural.json.azure_arm_misconfiguration_insufficient_sql_server_logging.base

Azure ARM Misconfiguration: Insufficient Application Insights Monitoring

Abstract
このテンプレートは、すべてのアクティビティ ログ管理イベントを収集しない Azure Monitor ログ プロファイルを定義します。
Explanation
監査記録がないと、セキュリティ関連のインシデントを検出して対応する機能が制限され、フォレンジック調査が妨げられます。

例 1: 次のテンプレートの例では、すべてのアクティビティ ログ管理イベントを収集しない Azure Monitor ログ プロファイルを定義しています。

{
    "name": "string",
    "type": "microsoft.insights/logprofiles",
    "apiVersion": "2016-03-01",
    ...
    "properties": {
        ...
        "categories": [
            "Write"
        ],
        ...
    }
}
References
[1] Microsoft Azure Activity log
[2] Microsoft Overview of Azure platform logs
[3] Microsoft Azure Activity Log event schema - Administrative Category
[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark Recommendation 5.1.2
[5] Standards Mapping - Common Weakness Enumeration CWE ID 778
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[7] Standards Mapping - FIPS200 CM
[8] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[11] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[13] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[14] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[15] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[17] Standards Mapping - OWASP Top 10 2017 A10 Insufficient Logging and Monitoring
[18] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10, Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3680.4 CAT II, APP3680.5 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3680.4 CAT II, APP3680.5 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3680.4 CAT II, APP3680.5 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3680.4 CAT II, APP3680.5 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3680.4 CAT II, APP3680.5 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3680.4 CAT II, APP3680.5 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3680.4 CAT II, APP3680.5 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000830 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000830 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000830 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000830 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000830 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000830 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000830 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000830 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000830 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000830 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000830 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000830 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000830 CAT II
[54] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.structural.json.azure_arm_misconfiguration_insufficient_application_insights_monitoring.base

Azure ARM Misconfiguration: Insufficient Microsoft Defender Monitoring

Abstract
このテンプレートは、セキュリティ アラートの電子メール通知なしで、セキュリティ連絡先を定義します。
Explanation
監視されていないシステムは、検出なしで防御を調査して侵入する方法を攻撃者に提供します。

セキュリティ担当者がセキュリティ関連のイベントについてタイムリーに警告されていないと、インシデントに遅れずに対応して攻撃や違反の影響を減らすことができません。

例 1: 次のテンプレートの例では、セキュリティ連絡先を定義していますが、その連絡先へのセキュリティ アラートの電子メール通知の配信を明示的に無効にしています。

{
    "name": "Security Officer",
    "type": "Microsoft.Security/securityContacts",
    "apiVersion": "2020-01-01-preview",
    "properties": {
        "emails": "secofficer@example.com",
        "phone": "1212131314",
        "alertNotifications": {
        "state": "Off",
        "minimalSeverity": "High"
        },
        ...
}
References
[1] Microsoft Security alerts - a reference guide
[2] Microsoft Security alerts and incidents in Microsoft Defender for Cloud
[3] Paul Cichonski,Tom Millar,Tim Grance,Karen Scarfone NIST Special Publication 800-61 Revision 2 - Computer Security Incident Handling Guide
[4] Standards Mapping - Common Weakness Enumeration CWE ID 778
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[6] Standards Mapping - FIPS200 CM
[7] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[10] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[13] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[14] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2017 A10 Insufficient Logging and Monitoring
[17] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10, Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3680.4 CAT II, APP3680.5 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3680.4 CAT II, APP3680.5 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3680.4 CAT II, APP3680.5 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3680.4 CAT II, APP3680.5 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3680.4 CAT II, APP3680.5 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3680.4 CAT II, APP3680.5 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3680.4 CAT II, APP3680.5 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000830 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000830 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000830 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000830 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000830 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000830 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000830 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000830 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000830 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000830 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000830 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000830 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000830 CAT II
[53] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.structural.json.azure_arm_misconfiguration_insufficient_microsoft_defender_monitoring

Azure ARM Misconfiguration: Insufficient SQL Server Logging

Abstract
このテンプレートは、監査保持期間が十分でないログ設定を定義しています。
Explanation
保持期間が短いと、調査の際に組織が参照できるログ情報の量が減ります。業界標準では、データの種類と組織に求められる法的義務に応じて、異なる保持期間を推奨しています。
References
[1] Karen Kent, Murugiah Souppaya NIST SP800-92 - Guide to Computer Security Log Management
[2] John Edwards The 7 deadly sins of records retention
[3] Microsoft Playbook for addressing common security requirements with Azure SQL Database and Azure SQL Managed Instance
[4] Microsoft Auditing for Azure SQL Database and Azure Synapse Analytics
[5] Standards Mapping - CIS Microsoft Azure Foundations Benchmark Recommendation 4.1.6
[6] Standards Mapping - Common Weakness Enumeration CWE ID 778
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[12] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[15] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[16] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[17] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2017 A10 Insufficient Logging and Monitoring
[19] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10, Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3680.4 CAT II, APP3680.5 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3680.4 CAT II, APP3680.5 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3680.4 CAT II, APP3680.5 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3680.4 CAT II, APP3680.5 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3680.4 CAT II, APP3680.5 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3680.4 CAT II, APP3680.5 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3680.4 CAT II, APP3680.5 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000830 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000830 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000830 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000830 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000830 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000830 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000830 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000830 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000830 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000830 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000830 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000830 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000830 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.structural.json.azure_arm_misconfiguration_insufficient_sql_server_logging.base

Azure ARM Misconfiguration: Insufficient SQL Server Monitoring

Abstract
このテンプレートは、監査ログなしで Azure SQL Server を定義します。
Explanation
監査記録がないと、セキュリティ関連のインシデントを検出して対応する機能が制限され、フォレンジック調査が妨げられます。

例 1: 次のテンプレートの例は、監査が有効になっていない Azure SQL Server の設定を示しています。

{
    "name": "ProdSQLServer",
    "type": "Microsoft.Sql/servers",
    "apiVersion": "2021-02-01-preview",
    ...
    "properties": {
        "collation": "SQL_Latin1_General_CP1_CI_AS",
        ...
        "resources": []
    }
    ...
}
References
[1] Microsoft Playbook for addressing common security requirements with Azure SQL Database and Azure SQL Managed Instance
[2] Microsoft Auditing for Azure SQL Database and Azure Synapse Analytics
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark Recommendation 4.1.1
[4] Standards Mapping - Common Weakness Enumeration CWE ID 778
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[6] Standards Mapping - FIPS200 CM
[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[10] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[13] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[14] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[17] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10, Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3680.4 CAT II, APP3680.5 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3680.4 CAT II, APP3680.5 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3680.4 CAT II, APP3680.5 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3680.4 CAT II, APP3680.5 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3680.4 CAT II, APP3680.5 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3680.4 CAT II, APP3680.5 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3680.4 CAT II, APP3680.5 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000830 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000830 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000830 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000830 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000830 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000830 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000830 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000830 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000830 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000830 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000830 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000830 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000830 CAT II
[53] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.structural.json.azure_arm_misconfiguration_insufficient_sql_server_monitoring

Azure ARM Misconfiguration: IoT Hub Missing Customer-Managed Encryption Key

Abstract
構成は、保存データに対してカスタマーマネージド暗号鍵を指定しません。
Explanation
カスタマーマネージド キーは、保存データの暗号化には使用されません。

カスタマーマネージド キーを使用すると、組織は、選択した暗号鍵を使用してデータを暗号化できます。これにより、組織は暗号化プロセスをより適切に制御できます。

そのため、カスタマーマネージド キーは通常、次のような要件 (これに限らない) に対処するソリューションの一部です。
- 機密データへのアクセスの監査ログ
- データ所在地
- キーの交換、無効化、または破棄
References
[1] Standards Mapping - CIS Microsoft Azure Foundations Benchmark Recommendation 3.12
[2] Standards Mapping - Common Weakness Enumeration CWE ID 311
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[4] Standards Mapping - FIPS200 MP
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-28 Protection of Information at Rest (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-28 Protection of Information at Rest
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[10] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[11] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[18] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
desc.structural.iac.misconfiguration_missing_customer_managed_encryption_key.base
Abstract
構成は、保存データに対してカスタマーマネージド暗号鍵を指定しません。
Explanation
カスタマーマネージド キーは、保存データの暗号化には使用されません。

カスタマーマネージド キーを使用すると、組織は、選択した暗号鍵を使用してデータを暗号化できます。これにより、組織は暗号化プロセスをより適切に制御できます。

そのため、カスタマーマネージド キーは通常、次のような要件 (これに限らない) に対処するソリューションの一部です。
- 機密データへのアクセスの監査ログ
- データ所在地
- キーの交換、無効化、または破棄
References
[1] Standards Mapping - CIS Microsoft Azure Foundations Benchmark Recommendation 3.12
[2] Standards Mapping - Common Weakness Enumeration CWE ID 311
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[4] Standards Mapping - FIPS200 MP
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-28 Protection of Information at Rest (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-28 Protection of Information at Rest
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[10] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[11] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[18] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
desc.structural.iac.misconfiguration_missing_customer_managed_encryption_key.base

Azure ARM Misconfiguration: NetApp Missing Customer-Managed Encryption Key

Abstract
構成は、保存データに対してカスタマーマネージド暗号鍵を指定しません。
Explanation
カスタマーマネージド キーは、保存データの暗号化には使用されません。

カスタマーマネージド キーを使用すると、組織は、選択した暗号鍵を使用してデータを暗号化できます。これにより、組織は暗号化プロセスをより適切に制御できます。

そのため、カスタマーマネージド キーは通常、次のような要件 (これに限らない) に対処するソリューションの一部です。
- 機密データへのアクセスの監査ログ
- データ所在地
- キーの交換、無効化、または破棄
References
[1] Standards Mapping - CIS Microsoft Azure Foundations Benchmark Recommendation 3.12
[2] Standards Mapping - Common Weakness Enumeration CWE ID 311
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[4] Standards Mapping - FIPS200 MP
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-28 Protection of Information at Rest (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-28 Protection of Information at Rest
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[10] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[11] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[18] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
desc.structural.iac.misconfiguration_missing_customer_managed_encryption_key.base
Abstract
構成は、保存データに対してカスタマーマネージド暗号鍵を指定しません。
Explanation
カスタマーマネージド キーは、保存データの暗号化には使用されません。

カスタマーマネージド キーを使用すると、組織は、選択した暗号鍵を使用してデータを暗号化できます。これにより、組織は暗号化プロセスをより適切に制御できます。

そのため、カスタマーマネージド キーは通常、次のような要件 (これに限らない) に対処するソリューションの一部です。
- 機密データへのアクセスの監査ログ
- データ所在地
- キーの交換、無効化、または破棄
References
[1] Standards Mapping - CIS Microsoft Azure Foundations Benchmark Recommendation 3.12
[2] Standards Mapping - Common Weakness Enumeration CWE ID 311
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[4] Standards Mapping - FIPS200 MP
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-28 Protection of Information at Rest (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-28 Protection of Information at Rest
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[10] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[11] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[18] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
desc.structural.iac.misconfiguration_missing_customer_managed_encryption_key.base

Azure ARM Misconfiguration: Public Access Allowed

Abstract
ストレージ コンテナーと BLOB に対して匿名の読み取りアクセスが有効化されています。
Explanation
デフォルトでは、ストレージ コンテナーのデータへの匿名アクセスは許可されず、コンテナーとその BLOB に対するすべてのリクエストで認証が必要です。パブリック アクセスが必要でない限り、ストレージ コンテナーとその BLOB データへの未認証アクセスは許可しないでください。

例 1:

  "allowBlobPublicAccess": true
References
[1] Microsoft.Storage storageAccounts template reference
[2] Configure anonymous public read access for containers and blobs
[3] Standards Mapping - Common Weakness Enumeration CWE ID 284
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-000804, CCI-002165
[5] Standards Mapping - FIPS200 AC
[6] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), IA-8 Identification and Authentication (Non-Organizational Users) (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, IA-8 Identification and Authentication (Non-Organizational Users)
[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 14.1.3 Build (L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[12] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[13] Standards Mapping - OWASP Top 10 2007 A10 Failure to Restrict URL Access
[14] Standards Mapping - OWASP Top 10 2010 A8 Failure to Restrict URL Access
[15] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[17] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2, Requirement 7.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.10, Requirement 7.2
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8, Requirement 7.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8, Requirement 7.2
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8, Requirement 7.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8, Requirement 7.2
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8, Requirement 7.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 7.3.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 7.3.2
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls
[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.2 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.2 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.2 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.2 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.2 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.2 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.2 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[53] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15), Insufficient Authentication (WASC-01)
[54] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.config.json.azure_arm_misconfiguration_public_access_allowed

Azure ARM Misconfiguration: Service Bus Missing Customer-Managed Encryption Key

Abstract
構成は、保存データに対してカスタマーマネージド暗号鍵を指定しません。
Explanation
カスタマーマネージド キーは、保存データの暗号化には使用されません。

カスタマーマネージド キーを使用すると、組織は、選択した暗号鍵を使用してデータを暗号化できます。これにより、組織は暗号化プロセスをより適切に制御できます。

そのため、カスタマーマネージド キーは通常、次のような要件 (これに限らない) に対処するソリューションの一部です。
- 機密データへのアクセスの監査ログ
- データ所在地
- キーの交換、無効化、または破棄
References
[1] Standards Mapping - CIS Microsoft Azure Foundations Benchmark Recommendation 3.12
[2] Standards Mapping - Common Weakness Enumeration CWE ID 311
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[4] Standards Mapping - FIPS200 MP
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-28 Protection of Information at Rest (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-28 Protection of Information at Rest
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[10] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[11] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[18] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
desc.structural.iac.misconfiguration_missing_customer_managed_encryption_key.base
Abstract
構成は、保存データに対してカスタマーマネージド暗号鍵を指定しません。
Explanation
カスタマーマネージド キーは、保存データの暗号化には使用されません。

カスタマーマネージド キーを使用すると、組織は、選択した暗号鍵を使用してデータを暗号化できます。これにより、組織は暗号化プロセスをより適切に制御できます。

そのため、カスタマーマネージド キーは通常、次のような要件 (これに限らない) に対処するソリューションの一部です。
- 機密データへのアクセスの監査ログ
- データ所在地
- キーの交換、無効化、または破棄
References
[1] Standards Mapping - CIS Microsoft Azure Foundations Benchmark Recommendation 3.12
[2] Standards Mapping - Common Weakness Enumeration CWE ID 311
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[4] Standards Mapping - FIPS200 MP
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-28 Protection of Information at Rest (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-28 Protection of Information at Rest
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[10] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[11] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[18] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
desc.structural.iac.misconfiguration_missing_customer_managed_encryption_key.base

Azure ARM Misconfiguration: Storage Account Missing Customer-Managed Encryption Key

Abstract
構成は、保存データに対してカスタマーマネージド暗号鍵を指定しません。
Explanation
カスタマーマネージド キーは、保存データの暗号化には使用されません。

カスタマーマネージド キーを使用すると、組織は、選択した暗号鍵を使用してデータを暗号化できます。これにより、組織は暗号化プロセスをより適切に制御できます。

そのため、カスタマーマネージド キーは通常、次のような要件 (これに限らない) に対処するソリューションの一部です。
- 機密データへのアクセスの監査ログ
- データ所在地
- キーの交換、無効化、または破棄
References
[1] Standards Mapping - CIS Microsoft Azure Foundations Benchmark Recommendation 3.12
[2] Standards Mapping - Common Weakness Enumeration CWE ID 311
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[4] Standards Mapping - FIPS200 MP
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-28 Protection of Information at Rest (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-28 Protection of Information at Rest
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[10] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[11] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[18] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
desc.structural.iac.misconfiguration_missing_customer_managed_encryption_key.base
Abstract
構成は、保存データに対してカスタマーマネージド暗号鍵を指定しません。
Explanation
カスタマーマネージド キーは、保存データの暗号化には使用されません。

カスタマーマネージド キーを使用すると、組織は、選択した暗号鍵を使用してデータを暗号化できます。これにより、組織は暗号化プロセスをより適切に制御できます。

そのため、カスタマーマネージド キーは通常、次のような要件 (これに限らない) に対処するソリューションの一部です。
- 機密データへのアクセスの監査ログ
- データ所在地
- キーの交換、無効化、または破棄
References
[1] Standards Mapping - CIS Microsoft Azure Foundations Benchmark Recommendation 3.12
[2] Standards Mapping - Common Weakness Enumeration CWE ID 311
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[4] Standards Mapping - FIPS200 MP
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-28 Protection of Information at Rest (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-28 Protection of Information at Rest
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[10] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[11] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[18] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
desc.structural.iac.misconfiguration_missing_customer_managed_encryption_key.base

Azure ARM Misconfiguration: Weak App Service Authentication

Abstract
構成は、脆弱な認証メカニズムを使用します。
Explanation
脆弱な認証メカニズムは、組織を不正アクセスの危険にさらします。

認証メカニズムは、次のようなさまざまな理由で失敗する可能性があります。
- パスワードが脆弱である
- 不適切な検証
- 資格情報の管理が弱い
References
[1] Standards Mapping - CIS Microsoft Azure Foundations Benchmark Recommendation 9.4
[2] Standards Mapping - Common Weakness Enumeration CWE ID 287
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001813, CCI-001958
[9] Standards Mapping - FIPS200 CM
[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), IA-3 Device Identification and Authentication (P1), IA-8 Identification and Authentication (Non-Organizational Users) (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, IA-3 Device Identification and Authentication, IA-8 Identification and Authentication (Non-Organizational Users)
[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[16] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[17] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[18] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[19] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[20] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[21] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls
[34] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001650 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001650 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001650 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001650 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001650 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001650 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001650 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001650 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001650 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001650 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001650 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001650 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001650 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001410 CAT II, APSC-DV-001650 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001410 CAT II, APSC-DV-001650 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001410 CAT II, APSC-DV-001650 CAT II
[50] Standards Mapping - Web Application Security Consortium Version 2.00 Server Misconfiguration (WASC-14)
desc.structural.iac.misconfiguration_weak_authentication.base
Abstract
構成は、脆弱な認証メカニズムを使用します。
Explanation
脆弱な認証メカニズムは、組織を不正アクセスの危険にさらします。

認証メカニズムは、次のようなさまざまな理由で失敗する可能性があります。
- パスワードが脆弱である
- 不適切な検証
- 資格情報の管理が弱い
References
[1] Standards Mapping - CIS Microsoft Azure Foundations Benchmark Recommendation 9.4
[2] Standards Mapping - Common Weakness Enumeration CWE ID 287
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001813, CCI-001958
[9] Standards Mapping - FIPS200 CM
[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), IA-3 Device Identification and Authentication (P1), IA-8 Identification and Authentication (Non-Organizational Users) (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, IA-3 Device Identification and Authentication, IA-8 Identification and Authentication (Non-Organizational Users)
[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[16] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[17] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[18] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[19] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[20] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[21] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls
[34] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001650 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001650 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001650 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001650 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001650 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001650 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001650 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001650 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001650 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001650 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001650 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001650 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001650 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001410 CAT II, APSC-DV-001650 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001410 CAT II, APSC-DV-001650 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001410 CAT II, APSC-DV-001650 CAT II
[50] Standards Mapping - Web Application Security Consortium Version 2.00 Server Misconfiguration (WASC-14)
desc.structural.iac.misconfiguration_weak_authentication.base

Azure ARM Misconfiguration: Weak SignalR Authentication

Abstract
構成は、脆弱な認証メカニズムを使用します。
Explanation
脆弱な認証メカニズムは、組織を不正アクセスの危険にさらします。

認証メカニズムは、次のようなさまざまな理由で失敗する可能性があります。
- パスワードが脆弱である
- 不適切な検証
- 資格情報の管理が弱い
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 287
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001813, CCI-001958
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), IA-3 Device Identification and Authentication (P1), IA-8 Identification and Authentication (Non-Organizational Users) (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, IA-3 Device Identification and Authentication, IA-8 Identification and Authentication (Non-Organizational Users)
[12] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[15] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[16] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[17] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[19] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[20] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls
[33] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001650 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001650 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001650 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001650 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001650 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001650 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001650 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001650 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001650 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001650 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001650 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001650 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001650 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001410 CAT II, APSC-DV-001650 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001410 CAT II, APSC-DV-001650 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001410 CAT II, APSC-DV-001650 CAT II
[49] Standards Mapping - Web Application Security Consortium Version 2.00 Server Misconfiguration (WASC-14)
desc.structural.iac.misconfiguration_weak_authentication.base
Abstract
構成は、脆弱な認証メカニズムを使用します。
Explanation
脆弱な認証メカニズムは、組織を不正アクセスの危険にさらします。

認証メカニズムは、次のようなさまざまな理由で失敗する可能性があります。
- パスワードが脆弱である
- 不適切な検証
- 資格情報の管理が弱い
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 287
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001813, CCI-001958
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), IA-3 Device Identification and Authentication (P1), IA-8 Identification and Authentication (Non-Organizational Users) (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, IA-3 Device Identification and Authentication, IA-8 Identification and Authentication (Non-Organizational Users)
[12] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[15] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[16] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[17] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[19] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[20] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls
[33] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001650 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001650 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001650 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001650 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001650 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001650 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001650 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001650 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001650 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001650 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001650 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001650 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001650 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001410 CAT II, APSC-DV-001650 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001410 CAT II, APSC-DV-001650 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001410 CAT II, APSC-DV-001650 CAT II
[49] Standards Mapping - Web Application Security Consortium Version 2.00 Server Misconfiguration (WASC-14)
desc.structural.iac.misconfiguration_weak_authentication.base

Insecure Transport: Weak SSL Protocol

Abstract
SSLv2、SSLv23、SSLv3、TLSv1.0、および TLSv1.1 プロトコルには安全性を損なう欠陥が含まれているため、機密性の高いデータの送信には使用しないでください。
Explanation
Transport Layer Security (TLS) プロトコルおよび Secure Sockets Layer (SSL) プロトコルは、クライアントと Web サーバーの間で転送されるデータの真正性、機密性および完全性を保証するための保護メカニズムを提供します。TLS と SSL の両方とも複数回の改訂を経て定期的にバージョンが更新されています。それぞれの新リビジョンは、以前のバージョンで見つかったセキュリティの脆弱性を解決するために設計されています。安全ではない TLS/SSL のバージョンを使用すると、データ保護の強度が脆弱化し、攻撃者が機密情報を侵害したり、盗んだり、改変したりする可能性が生じます。

脆弱なバージョンの TLS/SSL には、次のような性質のいくつかが含まれる場合があります。

- 中間者 (man-in-the-middle) 攻撃に対する保護が行われない
- 認証と暗号化に同じ鍵が使用される
- メッセージ認証制御が脆弱である
- TCP 接続の切断に対して保護が行われない
- 脆弱な暗号スイートが使用される

このような性質があると、攻撃者による機密データの傍受、改変、改竄が可能になることがあります。
References
[1] Kerry A. McKay and David A. Cooper NIST Special Publication 800-52 Revision 2: Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations NIST
[2] David Wagner and Bruce Schneier Analysis of the SSL 3.0 protocol
[3] CVE 2014-3566
[4] Standards Mapping - Common Weakness Enumeration CWE ID 327
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-000382, CCI-001453, CCI-001941, CCI-001942, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123
[6] Standards Mapping - FIPS200 CM, SC
[7] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), CM-7 Least Functionality (P1), IA-2 Identification and Authentication (Organizational Users) (P1), MA-4 Nonlocal Maintenance (P2), SC-8 Transmission Confidentiality and Integrity (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, CM-7 Least Functionality, IA-2 Identification and Authentication (Organizational Users), MA-4 Nonlocal Maintenance, SC-8 Transmission Confidentiality and Integrity
[10] Standards Mapping - OWASP API 2023 API10 Unsafe Consumption of APIs
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[13] Standards Mapping - OWASP Mobile 2024 M5 Insecure Communication
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-NETWORK-1
[15] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[16] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications
[17] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection
[18] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[19] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[20] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design, Control Objective C.4.1 - Web Software Communications
[33] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 327
[34] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 327
[35] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 327
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3260.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3260 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3260 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3260 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3260 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3260 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3260 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[59] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
desc.structural.dotnet.insecure_transport_weak_ssl_protocol
Abstract
SSLv2、SSLv23、SSLv3、TLSv1.0、および TLSv1.1 プロトコルには安全性を損なう欠陥が含まれているため、機密性の高いデータの送信には使用しないでください。
Explanation
Transport Layer Security (TLS) プロトコルおよび Secure Sockets Layer (SSL) プロトコルは、クライアントと Web サーバーの間で転送されるデータの真正性、機密性および完全性を保証するための保護メカニズムを提供します。TLS と SSL の両方とも複数回の改訂を経て定期的にバージョンが更新されています。それぞれの新リビジョンは、以前のバージョンで見つかったセキュリティの脆弱性を解決するために設計されています。安全ではない TLS/SSL のバージョンを使用すると、データ保護の強度が脆弱化し、攻撃者が機密情報を侵害したり、盗んだり、改変したりする可能性が生じます。

脆弱なバージョンの TLS/SSL には、次のような性質のいくつかが含まれる場合があります。

- 中間者 (man-in-the-middle) 攻撃に対する保護が行われない
- 認証と暗号化に同じ鍵が使用される
- メッセージ認証制御が脆弱である
- TCP 接続の切断に対して保護が行われない
- 脆弱な暗号スイートが使用される

このような性質があると、攻撃者による機密データの傍受、改変、改竄が可能になることがあります。
References
[1] Kerry A. McKay and David A. Cooper NIST Special Publication 800-52 Revision 2: Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations NIST
[2] David Wagner and Bruce Schneier Analysis of the SSL 3.0 protocol
[3] CVE 2014-3566
[4] Standards Mapping - Common Weakness Enumeration CWE ID 327
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-000382, CCI-001453, CCI-001941, CCI-001942, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123
[6] Standards Mapping - FIPS200 CM, SC
[7] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), CM-7 Least Functionality (P1), IA-2 Identification and Authentication (Organizational Users) (P1), MA-4 Nonlocal Maintenance (P2), SC-8 Transmission Confidentiality and Integrity (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, CM-7 Least Functionality, IA-2 Identification and Authentication (Organizational Users), MA-4 Nonlocal Maintenance, SC-8 Transmission Confidentiality and Integrity
[10] Standards Mapping - OWASP API 2023 API10 Unsafe Consumption of APIs
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[13] Standards Mapping - OWASP Mobile 2024 M5 Insecure Communication
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-NETWORK-1
[15] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[16] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications
[17] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection
[18] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[19] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[20] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design, Control Objective C.4.1 - Web Software Communications
[33] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 327
[34] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 327
[35] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 327
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3260.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3260 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3260 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3260 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3260 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3260 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3260 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[59] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
desc.semantic.cpp.insecure_transport_weak_ssl_protocol
Abstract
SSLv2、SSLv23、SSLv3、TLSv1.0、および TLSv1.1 プロトコルには安全性を損なう欠陥が含まれているため、機密性の高いデータの送信には使用しないでください。
Explanation
Transport Layer Security (TLS) プロトコルおよび Secure Sockets Layer (SSL) プロトコルは、クライアントと Web サーバーの間で転送されるデータの真正性、機密性および完全性を保証するための保護メカニズムを提供します。TLS と SSL の両方とも複数回の改訂を経て定期的にバージョンが更新されています。それぞれの新リビジョンは、以前のバージョンで見つかったセキュリティの脆弱性を解決するために設計されています。安全ではない TLS/SSL のバージョンを使用すると、データ保護の強度が脆弱化し、攻撃者が機密情報を侵害したり、盗んだり、改変したりする可能性が生じます。

脆弱なバージョンの TLS/SSL には、次のような性質のいくつかが含まれる場合があります。

- 中間者 (man-in-the-middle) 攻撃に対する保護が行われない
- 認証と暗号化に同じ鍵が使用される
- メッセージ認証制御が脆弱である
- TCP 接続の切断に対して保護が行われない
- 脆弱な暗号スイートが使用される

このような性質があると、攻撃者による機密データの傍受、改変、改竄が可能になることがあります。
References
[1] Kerry A. McKay and David A. Cooper NIST Special Publication 800-52 Revision 2: Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations NIST
[2] David Wagner and Bruce Schneier Analysis of the SSL 3.0 protocol
[3] CVE 2014-3566
[4] Standards Mapping - Common Weakness Enumeration CWE ID 327
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-000382, CCI-001453, CCI-001941, CCI-001942, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123
[6] Standards Mapping - FIPS200 CM, SC
[7] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), CM-7 Least Functionality (P1), IA-2 Identification and Authentication (Organizational Users) (P1), MA-4 Nonlocal Maintenance (P2), SC-8 Transmission Confidentiality and Integrity (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, CM-7 Least Functionality, IA-2 Identification and Authentication (Organizational Users), MA-4 Nonlocal Maintenance, SC-8 Transmission Confidentiality and Integrity
[10] Standards Mapping - OWASP API 2023 API10 Unsafe Consumption of APIs
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[13] Standards Mapping - OWASP Mobile 2024 M5 Insecure Communication
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-NETWORK-1
[15] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[16] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications
[17] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection
[18] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[19] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[20] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design, Control Objective C.4.1 - Web Software Communications
[33] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 327
[34] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 327
[35] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 327
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3260.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3260 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3260 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3260 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3260 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3260 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3260 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[59] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
desc.semantic.golang.insecure_transport_weak_ssl_protocol
Abstract
SSLv2、SSLv23、SSLv3、TLSv1.0、および TLSv1.1 プロトコルには安全性を損なう欠陥が含まれているため、機密性の高いデータの送信には使用しないでください。
Explanation
Transport Layer Security (TLS) プロトコルおよび Secure Sockets Layer (SSL) プロトコルは、クライアントと Web サーバーの間で転送されるデータの真正性、機密性および完全性を保証するための保護メカニズムを提供します。TLS と SSL の両方とも複数回の改訂を経て定期的にバージョンが更新されています。それぞれの新リビジョンは、以前のバージョンで見つかったセキュリティの脆弱性を解決するために設計されています。安全ではない TLS/SSL のバージョンを使用すると、データ保護の強度が脆弱化し、攻撃者が機密情報を侵害したり、盗んだり、改変したりする可能性が生じます。

脆弱なバージョンの TLS/SSL には、次のような性質のいくつかが含まれる場合があります。

- 中間者 (man-in-the-middle) 攻撃に対する保護が行われない
- 認証と暗号化に同じ鍵が使用される
- メッセージ認証制御が脆弱である
- TCP 接続の切断に対して保護が行われない
- 脆弱な暗号スイートが使用される

このような性質があると、攻撃者による機密データの傍受、改変、改竄が可能になることがあります。
References
[1] Kerry A. McKay and David A. Cooper NIST Special Publication 800-52 Revision 2: Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations NIST
[2] David Wagner and Bruce Schneier Analysis of the SSL 3.0 protocol
[3] CVE 2014-3566
[4] Standards Mapping - Common Weakness Enumeration CWE ID 327
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-000382, CCI-001453, CCI-001941, CCI-001942, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123
[6] Standards Mapping - FIPS200 CM, SC
[7] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), CM-7 Least Functionality (P1), IA-2 Identification and Authentication (Organizational Users) (P1), MA-4 Nonlocal Maintenance (P2), SC-8 Transmission Confidentiality and Integrity (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, CM-7 Least Functionality, IA-2 Identification and Authentication (Organizational Users), MA-4 Nonlocal Maintenance, SC-8 Transmission Confidentiality and Integrity
[10] Standards Mapping - OWASP API 2023 API10 Unsafe Consumption of APIs
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[13] Standards Mapping - OWASP Mobile 2024 M5 Insecure Communication
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-NETWORK-1
[15] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[16] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications
[17] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection
[18] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[19] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[20] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design, Control Objective C.4.1 - Web Software Communications
[33] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 327
[34] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 327
[35] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 327
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3260.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3260 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3260 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3260 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3260 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3260 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3260 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[59] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
desc.semantic.java.insecure_transport_weak_ssl_protocol
Abstract
SSLv2、SSLv23、SSLv3、TLSv1.0、および TLSv1.1 プロトコルには安全性を損なう欠陥が含まれているため、機密性の高いデータの送信には使用しないでください。
Explanation
Transport Layer Security (TLS) プロトコルおよび Secure Sockets Layer (SSL) プロトコルは、クライアントと Web サーバーの間で転送されるデータの真正性、機密性および完全性を保証するための保護メカニズムを提供します。TLS と SSL の両方とも複数回の改訂を経て定期的にバージョンが更新されています。それぞれの新リビジョンは、以前のバージョンで見つかったセキュリティの脆弱性を解決するために設計されています。安全ではない TLS/SSL のバージョンを使用すると、データ保護の強度が脆弱化し、攻撃者が機密情報を侵害したり、盗んだり、改変したりする可能性が生じます。

脆弱なバージョンの TLS/SSL には、次のような性質のいくつかが含まれる場合があります。

- 中間者 (man-in-the-middle) 攻撃に対する保護が行われない
- 認証と暗号化に同じ鍵が使用される
- メッセージ認証制御が脆弱である
- TCP 接続の切断に対して保護が行われない
- 脆弱な暗号スイートが使用される

このような性質があると、攻撃者による機密データの傍受、改変、改竄が可能になることがあります。

例 1: 次の Node.js スニペットは、セキュア接続でサーバーを作成しようとします。


...
var options = {
  port: 443,
  path: '/',
  key : fs.readFileSync('my-server-key.pem'),
  cert : fs.readFileSync('server-cert.pem'),
  ...
}
https.createServer(options);
...


Node.js は secureProtocol のデフォルト値を SSLv23_method に設定するので、secureProtocol を明確にオーバーライドしなければ、サーバーは本質的に安全ではなくなります。
References
[1] Kerry A. McKay and David A. Cooper NIST Special Publication 800-52 Revision 2: Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations NIST
[2] David Wagner and Bruce Schneier Analysis of the SSL 3.0 protocol
[3] CVE 2014-3566
[4] Standards Mapping - Common Weakness Enumeration CWE ID 327
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-000382, CCI-001453, CCI-001941, CCI-001942, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123
[6] Standards Mapping - FIPS200 CM, SC
[7] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), CM-7 Least Functionality (P1), IA-2 Identification and Authentication (Organizational Users) (P1), MA-4 Nonlocal Maintenance (P2), SC-8 Transmission Confidentiality and Integrity (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, CM-7 Least Functionality, IA-2 Identification and Authentication (Organizational Users), MA-4 Nonlocal Maintenance, SC-8 Transmission Confidentiality and Integrity
[10] Standards Mapping - OWASP API 2023 API10 Unsafe Consumption of APIs
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[13] Standards Mapping - OWASP Mobile 2024 M5 Insecure Communication
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-NETWORK-1
[15] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[16] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications
[17] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection
[18] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[19] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[20] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design, Control Objective C.4.1 - Web Software Communications
[33] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 327
[34] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 327
[35] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 327
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3260.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3260 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3260 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3260 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3260 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3260 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3260 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[59] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
desc.structural.javascript.insecure_transport_weak_ssl_protocol
Abstract
このテンプレートでは、古い TLS バージョンの使用を許可します。
Explanation
Transport Layer Security (TLS) プロトコルおよび Secure Sockets Layer (SSL) プロトコルは、クライアントと Web サーバーの間で転送されるデータの真正性、機密性および完全性を保証するための保護メカニズムを提供します。TLS と SSL の両方とも複数回の改訂を経て定期的にバージョンが更新されています。新しい改訂では毎回、前のバージョンで見つかったセキュリティの脆弱性に対応しています。安全ではない TLS/SSL のバージョンを使用すると、データ保護の強度が弱まり、攻撃者による機密情報の侵害、盗難、改変の可能性が生じます。

安全でないバージョンの TLS/SSL には、次のような性質のいくつかが含まれる場合があります。

- 中間者 (man-in-the-middle) 攻撃に対する保護が行われない
- 認証と暗号化に同じ鍵が使用される
- メッセージ認証制御が脆弱である
- TCP 接続の切断に対して保護が行われない

このような性質があると、攻撃者による機密データの傍受、改変、改竄が可能になることがあります。
References
[1] National Security Agency Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations
[2] Microsoft Secure a custom DNS name with a TLS/SSL binding in Azure App Service
[3] Microsoft Security in Azure App Service
[4] Microsoft Custom configuration settings for App Service Environments - Disable TLS 1.0 and TLS 1.1
[5] Microsoft Harden an Azure Active Directory Domain Services managed domain
[6] Microsoft UPDATE: Transport Layer Security 1.0 and 1.1 disablement
[7] Standards Mapping - Common Weakness Enumeration CWE ID 327
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-000382, CCI-001453, CCI-001941, CCI-001942, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123
[9] Standards Mapping - FIPS200 CM, SC
[10] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), CM-7 Least Functionality (P1), IA-2 Identification and Authentication (Organizational Users) (P1), MA-4 Nonlocal Maintenance (P2), SC-8 Transmission Confidentiality and Integrity (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, CM-7 Least Functionality, IA-2 Identification and Authentication (Organizational Users), MA-4 Nonlocal Maintenance, SC-8 Transmission Confidentiality and Integrity
[13] Standards Mapping - OWASP API 2023 API10 Unsafe Consumption of APIs
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[16] Standards Mapping - OWASP Mobile 2024 M5 Insecure Communication
[17] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-NETWORK-1
[18] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[19] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications
[20] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection
[21] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[22] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[23] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design, Control Objective C.4.1 - Web Software Communications
[36] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 327
[37] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 327
[38] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 327
[39] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3260.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3260 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3260 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3260 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3260 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3260 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3260 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[61] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[62] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
desc.structural.json.azure_arm_misconfiguration_insecure_active_directory_domain_service_transport.base
Abstract
SSLv2、SSLv23、SSLv3、TLSv1.0、および TLSv1.1 プロトコルには安全性を損なう欠陥が含まれているため、機密性の高いデータの送信には使用しないでください。
Explanation
Transport Layer Security (TLS) プロトコルおよび Secure Sockets Layer (SSL) プロトコルは、クライアントと Web サーバーの間で転送されるデータの真正性、機密性および完全性を保証するための保護メカニズムを提供します。TLS と SSL の両方とも複数回の改訂を経て定期的にバージョンが更新されています。それぞれの新リビジョンは、以前のバージョンで見つかったセキュリティの脆弱性を解決するために設計されています。安全ではない TLS/SSL のバージョンを使用すると、データ保護の強度が脆弱化し、攻撃者が機密情報を侵害したり、盗んだり、改変したりする可能性が生じます。

脆弱なバージョンの TLS/SSL には、次のような性質のいくつかが含まれる場合があります。

- 中間者 (man-in-the-middle) 攻撃に対する保護が行われない
- 認証と暗号化に同じ鍵が使用される
- メッセージ認証制御が脆弱である
- TCP 接続の切断に対して保護が行われない
- 脆弱な暗号スイートが使用される

このような性質があると、攻撃者による機密データの傍受、改変、改竄が可能になることがあります。

例 1: 次の例では、デフォルトの SSL バージョン (SSL v3.0) を使用しています。

NSURLSessionConfiguration *configuration = [NSURLSessionConfiguration ephemeralSessionConfiguration];
[configuration setTLSMinimumSupportedProtocol = kSSLProtocol3];
NSURLSession *mySession = [NSURLSession sessionWithConfiguration:configuration delegate:self delegateQueue:operationQueue];
References
[1] Kerry A. McKay and David A. Cooper NIST Special Publication 800-52 Revision 2: Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations NIST
[2] David Wagner and Bruce Schneier Analysis of the SSL 3.0 protocol
[3] CVE 2014-3566
[4] Standards Mapping - Common Weakness Enumeration CWE ID 327
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-000382, CCI-001453, CCI-001941, CCI-001942, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123
[6] Standards Mapping - FIPS200 CM, SC
[7] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), CM-7 Least Functionality (P1), IA-2 Identification and Authentication (Organizational Users) (P1), MA-4 Nonlocal Maintenance (P2), SC-8 Transmission Confidentiality and Integrity (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, CM-7 Least Functionality, IA-2 Identification and Authentication (Organizational Users), MA-4 Nonlocal Maintenance, SC-8 Transmission Confidentiality and Integrity
[10] Standards Mapping - OWASP API 2023 API10 Unsafe Consumption of APIs
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[13] Standards Mapping - OWASP Mobile 2024 M5 Insecure Communication
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-NETWORK-1
[15] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[16] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications
[17] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection
[18] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[19] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[20] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design, Control Objective C.4.1 - Web Software Communications
[33] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 327
[34] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 327
[35] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 327
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3260.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3260 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3260 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3260 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3260 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3260 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3260 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[59] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
desc.structural.objc.insecure_transport_weak_ssl_protocol
Abstract
SSLv2、SSLv23、SSLv3、TLSv1.0、および TLSv1.1 プロトコルには安全性を損なう欠陥が含まれているため、機密性の高いデータの送信には使用しないでください。
Explanation
Transport Layer Security (TLS) プロトコルおよび Secure Sockets Layer (SSL) プロトコルは、クライアントと Web サーバーの間で転送されるデータの真正性、機密性および完全性を保証するための保護メカニズムを提供します。TLS と SSL の両方とも複数回の改訂を経て定期的にバージョンが更新されています。それぞれの新リビジョンは、以前のバージョンで見つかったセキュリティの脆弱性を解決するために設計されています。安全ではない TLS/SSL のバージョンを使用すると、データ保護の強度が脆弱化し、攻撃者が機密情報を侵害したり、盗んだり、改変したりする可能性が生じます。

脆弱なバージョンの TLS/SSL には、次のような性質のいくつかが含まれる場合があります。

- 中間者 (man-in-the-middle) 攻撃に対する保護が行われない
- 認証と暗号化に同じ鍵が使用される
- メッセージ認証制御が脆弱である
- TCP 接続の切断に対して保護が行われない
- 脆弱な暗号スイートが使用される

このような性質があると、攻撃者による機密データの傍受、改変、改竄が可能になることがあります。
References
[1] Kerry A. McKay and David A. Cooper NIST Special Publication 800-52 Revision 2: Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations NIST
[2] David Wagner and Bruce Schneier Analysis of the SSL 3.0 protocol
[3] CVE 2014-3566
[4] Standards Mapping - Common Weakness Enumeration CWE ID 327
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-000382, CCI-001453, CCI-001941, CCI-001942, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123
[6] Standards Mapping - FIPS200 CM, SC
[7] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), CM-7 Least Functionality (P1), IA-2 Identification and Authentication (Organizational Users) (P1), MA-4 Nonlocal Maintenance (P2), SC-8 Transmission Confidentiality and Integrity (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, CM-7 Least Functionality, IA-2 Identification and Authentication (Organizational Users), MA-4 Nonlocal Maintenance, SC-8 Transmission Confidentiality and Integrity
[10] Standards Mapping - OWASP API 2023 API10 Unsafe Consumption of APIs
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[13] Standards Mapping - OWASP Mobile 2024 M5 Insecure Communication
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-NETWORK-1
[15] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[16] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications
[17] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection
[18] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[19] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[20] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design, Control Objective C.4.1 - Web Software Communications
[33] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 327
[34] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 327
[35] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 327
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3260.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3260 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3260 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3260 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3260 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3260 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3260 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[59] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
desc.semantic.php.insecure_transport_weak_ssl_protocol
Abstract
SSLv2、SSLv23、SSLv3、TLSv1.0、および TLSv1.1 プロトコルには安全性を損なう欠陥が含まれているため、機密性の高いデータの送信には使用しないでください。
Explanation
Transport Layer Security (TLS) プロトコルおよび Secure Sockets Layer (SSL) プロトコルは、クライアントと Web サーバーの間で転送されるデータの真正性、機密性および完全性を保証するための保護メカニズムを提供します。TLS と SSL の両方とも複数回の改訂を経て定期的にバージョンが更新されています。それぞれの新リビジョンは、以前のバージョンで見つかったセキュリティの脆弱性を解決するために設計されています。安全ではない TLS/SSL のバージョンを使用すると、データ保護の強度が脆弱化し、攻撃者が機密情報を侵害したり、盗んだり、改変したりする可能性が生じます。

脆弱なバージョンの TLS/SSL には、次のような性質のいくつかが含まれる場合があります。

- 中間者 (man-in-the-middle) 攻撃に対する保護が行われない
- 認証と暗号化に同じ鍵が使用される
- メッセージ認証制御が脆弱である
- TCP 接続の切断に対して保護が行われない
- 脆弱な暗号スイートが使用される

このような性質があると、攻撃者による機密データの傍受、改変、改竄が可能になることがあります。
References
[1] Kerry A. McKay and David A. Cooper NIST Special Publication 800-52 Revision 2: Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations NIST
[2] David Wagner and Bruce Schneier Analysis of the SSL 3.0 protocol
[3] CVE 2014-3566
[4] Standards Mapping - Common Weakness Enumeration CWE ID 327
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-000382, CCI-001453, CCI-001941, CCI-001942, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123
[6] Standards Mapping - FIPS200 CM, SC
[7] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), CM-7 Least Functionality (P1), IA-2 Identification and Authentication (Organizational Users) (P1), MA-4 Nonlocal Maintenance (P2), SC-8 Transmission Confidentiality and Integrity (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, CM-7 Least Functionality, IA-2 Identification and Authentication (Organizational Users), MA-4 Nonlocal Maintenance, SC-8 Transmission Confidentiality and Integrity
[10] Standards Mapping - OWASP API 2023 API10 Unsafe Consumption of APIs
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[13] Standards Mapping - OWASP Mobile 2024 M5 Insecure Communication
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-NETWORK-1
[15] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[16] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications
[17] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection
[18] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[19] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[20] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design, Control Objective C.4.1 - Web Software Communications
[33] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 327
[34] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 327
[35] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 327
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3260.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3260 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3260 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3260 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3260 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3260 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3260 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[59] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
desc.structural.python.insecure_transport_weak_ssl_protocol
Abstract
SSLv2、SSLv23、SSLv3、TLSv1.0、および TLSv1.1 プロトコルには安全性を損なう欠陥が含まれているため、機密性の高いデータの送信には使用しないでください。
Explanation
Transport Layer Security (TLS) プロトコルおよび Secure Sockets Layer (SSL) プロトコルは、クライアントと Web サーバーの間で転送されるデータの真正性、機密性および完全性を保証するための保護メカニズムを提供します。TLS と SSL の両方とも複数回の改訂を経て定期的にバージョンが更新されています。それぞれの新リビジョンは、以前のバージョンで見つかったセキュリティの脆弱性を解決するために設計されています。安全ではない TLS/SSL のバージョンを使用すると、データ保護の強度が脆弱化し、攻撃者が機密情報を侵害したり、盗んだり、改変したりする可能性が生じます。

脆弱なバージョンの TLS/SSL には、次のような性質のいくつかが含まれる場合があります。

- 中間者 (man-in-the-middle) 攻撃に対する保護が行われない
- 認証と暗号化に同じ鍵が使用される
- メッセージ認証制御が脆弱である
- TCP 接続の切断に対して保護が行われない
- 脆弱な暗号スイートが使用される

このような性質があると、攻撃者による機密データの傍受、改変、改竄が可能になることがあります。
References
[1] Kerry A. McKay and David A. Cooper NIST Special Publication 800-52 Revision 2: Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations NIST
[2] David Wagner and Bruce Schneier Analysis of the SSL 3.0 protocol
[3] CVE 2014-3566
[4] Standards Mapping - Common Weakness Enumeration CWE ID 327
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-000382, CCI-001453, CCI-001941, CCI-001942, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123
[6] Standards Mapping - FIPS200 CM, SC
[7] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), CM-7 Least Functionality (P1), IA-2 Identification and Authentication (Organizational Users) (P1), MA-4 Nonlocal Maintenance (P2), SC-8 Transmission Confidentiality and Integrity (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, CM-7 Least Functionality, IA-2 Identification and Authentication (Organizational Users), MA-4 Nonlocal Maintenance, SC-8 Transmission Confidentiality and Integrity
[10] Standards Mapping - OWASP API 2023 API10 Unsafe Consumption of APIs
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[13] Standards Mapping - OWASP Mobile 2024 M5 Insecure Communication
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-NETWORK-1
[15] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[16] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications
[17] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection
[18] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[19] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[20] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design, Control Objective C.4.1 - Web Software Communications
[33] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 327
[34] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 327
[35] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 327
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3260.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3260 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3260 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3260 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3260 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3260 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3260 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[59] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
desc.structural.ruby.insecure_transport_weak_ssl_protocol
Abstract
SSLv2、SSLv23、SSLv3、TLSv1.0、および TLSv1.1 プロトコルには安全性を損なう欠陥が含まれているため、機密性の高いデータの送信には使用しないでください。
Explanation
Transport Layer Security (TLS) プロトコルおよび Secure Sockets Layer (SSL) プロトコルは、クライアントと Web サーバーの間で転送されるデータの真正性、機密性および完全性を保証するための保護メカニズムを提供します。TLS と SSL の両方とも複数回の改訂を経て定期的にバージョンが更新されています。それぞれの新リビジョンは、以前のバージョンで見つかったセキュリティの脆弱性を解決するために設計されています。安全ではない TLS/SSL のバージョンを使用すると、データ保護の強度が脆弱化し、攻撃者が機密情報を侵害したり、盗んだり、改変したりする可能性が生じます。

脆弱なバージョンの TLS/SSL には、次のような性質のいくつかが含まれる場合があります。

- 中間者 (man-in-the-middle) 攻撃に対する保護が行われない
- 認証と暗号化に同じ鍵が使用される
- メッセージ認証制御が脆弱である
- TCP 接続の切断に対して保護が行われない
- 脆弱な暗号スイートが使用される

このような性質があると、攻撃者による機密データの傍受、改変、改竄が可能になることがあります。

例 1: 次の例では、SSL v3.0 を使用するようにセッションを構成します。

let configuration : NSURLSessionConfiguration = NSURLSessionConfiguration.defaultSessionConfiguration()
let mySession = NSURLSession(configuration: configuration, delegate: self, delegateQueue: operationQueue)
References
[1] Kerry A. McKay and David A. Cooper NIST Special Publication 800-52 Revision 2: Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations NIST
[2] David Wagner and Bruce Schneier Analysis of the SSL 3.0 protocol
[3] CVE 2014-3566
[4] Standards Mapping - Common Weakness Enumeration CWE ID 327
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-000382, CCI-001453, CCI-001941, CCI-001942, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123
[6] Standards Mapping - FIPS200 CM, SC
[7] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), CM-7 Least Functionality (P1), IA-2 Identification and Authentication (Organizational Users) (P1), MA-4 Nonlocal Maintenance (P2), SC-8 Transmission Confidentiality and Integrity (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, CM-7 Least Functionality, IA-2 Identification and Authentication (Organizational Users), MA-4 Nonlocal Maintenance, SC-8 Transmission Confidentiality and Integrity
[10] Standards Mapping - OWASP API 2023 API10 Unsafe Consumption of APIs
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[13] Standards Mapping - OWASP Mobile 2024 M5 Insecure Communication
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-NETWORK-1
[15] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[16] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications
[17] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection
[18] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[19] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[20] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design, Control Objective C.4.1 - Web Software Communications
[33] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 327
[34] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 327
[35] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 327
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3260.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3260 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3260 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3260 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3260 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3260 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3260 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001510 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[59] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
desc.controlflow.swift.insecure_transport_weak_ssl_protocol

Key Management: Hardcoded Encryption Key

Abstract
ハードコーディングされた暗号鍵はセキュリティを危険にさらす可能性があり、この問題への対策は簡単ではありません。
Explanation
暗号鍵をハードコーディングすることは推奨されません。これによりプロジェクトの開発者全員が暗号鍵を見ることができ、問題の修復が非常に困難になるためです。 コードが実運用に入ると、暗号鍵を変更するにはソフトウェアパッチが必要になります。この暗号鍵によって保護されたアカウントが危険にさらされると、システムの所有者はセキュリティと可用性の二者択一を強いられます。

例 1: 次のコードは、ハードコーディングされている暗号鍵を使用しています。


...
encryptionKey = "lakdsljkalkjlksdfkl".
...


このコードにアクセスできる全員が、暗号鍵にアクセスすることができます。アプリケーションが頒布された後は、プログラムにパッチを適用しない限り、暗号鍵を変更することはできません。この情報へのアクセス権を持っている従業員が、権限を使用してシステムに侵入できます。さらに、攻撃者がアプリケーションの実行可能ファイルにアクセスできれば、暗号鍵の値を解読できます。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 321
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287, [19] CWE ID 798
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [20] CWE ID 798
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [16] CWE ID 798
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287, [15] CWE ID 798
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287, [18] CWE ID 798
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287, [22] CWE ID 798
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[9] Standards Mapping - FIPS200 IA
[10] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1), SC-13 Cryptographic Protection (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management, SC-13 Cryptographic Protection
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.9.1 Cryptographic Software and Devices Verifier Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.4 Service Authentication Requirements (L2 L3), 3.5.2 Token-based Session Management (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.4.1 Secret Management (L2 L3), 6.4.2 Secret Management (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3), 10.2.3 Malicious Code Search (L3)
[14] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[15] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-2
[17] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[18] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[35] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 259
[36] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 798
[37] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 798
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3350 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3350 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3350 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3350 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3350 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3350 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3350 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002010 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002010 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002010 CAT II
[61] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.structural.abap.key_management_hardcoded_encryption_key
Abstract
ハードコーディングされた暗号鍵はセキュリティを危険にさらす可能性があり、この問題への対策は簡単ではありません。
Explanation
暗号鍵をハードコーディングすることは推奨されません。これによりプロジェクトの開発者全員が暗号鍵を見ることができ、問題の修復が非常に困難になるためです。 コードが実運用に入ると、暗号鍵を変更するにはソフトウェアパッチが必要になります。この暗号鍵によって保護されたアカウントが危険にさらされると、システムの所有者はセキュリティと可用性の二者択一を強いられます。

例 1: 次のコードは、ハードコーディングされている暗号鍵を使用しています。


    ...
    var encryptionKey:String = "lakdsljkalkjlksdfkl";
    var key:ByteArray = Hex.toArray(Hex.fromString(encryptionKey));
    ...
    var aes.ICipher = Crypto.getCipher("aes-cbc", key, padding);
    ...


このコードにアクセスできる全員が、暗号鍵にアクセスすることができます。アプリケーションが頒布された後は、プログラムにパッチを適用しない限り、暗号鍵を変更することはできません。この情報へのアクセス権を持っている従業員が、権限を使用してシステムに侵入できます。さらに、攻撃者がアプリケーションの実行可能ファイルにアクセスできれば、暗号鍵の値を解読できます。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 321
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287, [19] CWE ID 798
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [20] CWE ID 798
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [16] CWE ID 798
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287, [15] CWE ID 798
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287, [18] CWE ID 798
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287, [22] CWE ID 798
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[9] Standards Mapping - FIPS200 IA
[10] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1), SC-13 Cryptographic Protection (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management, SC-13 Cryptographic Protection
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.9.1 Cryptographic Software and Devices Verifier Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.4 Service Authentication Requirements (L2 L3), 3.5.2 Token-based Session Management (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.4.1 Secret Management (L2 L3), 6.4.2 Secret Management (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3), 10.2.3 Malicious Code Search (L3)
[14] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[15] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-2
[17] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[18] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[35] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 259
[36] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 798
[37] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 798
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3350 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3350 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3350 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3350 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3350 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3350 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3350 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002010 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002010 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002010 CAT II
[61] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.structural.actionscript.key_management_hardcoded_encryption_key
Abstract
ハードコーディングされた暗号鍵はセキュリティを危険にさらす可能性があり、この問題への対策は簡単ではありません。
Explanation
暗号化キーはハードコーディングしないでください。これにより、暗号化キーがプロジェクトの開発者全員に見えてしまい、問題の修正が極めて困難になるためです。コードの運用後に暗号鍵を変更するには、ソフトウェア パッチが必要です。暗号鍵が保護するアカウントが危険にさらされると、組織はセキュリティとシステム可用性のいずれかを選択することを迫られます。

例 1: 次のコードは、ハードコード暗号化鍵を使用して AES 暗号を実行します。


...
Blob encKey = Blob.valueOf('YELLOW_SUBMARINE');
Blob encrypted = Crypto.encrypt('AES128', encKey, iv, input);
...


このコードにアクセスできる全員が、暗号鍵を閲覧できます。アプリケーションが頒布された後は、ソフトウェア パッチを適用する以外に暗号鍵を変更することはできません。この情報へのアクセス権を持っている従業員が、権限を使用してシステムに侵入する可能性があります。アプリケーションの実行可能ファイルにアクセスできる攻撃者は、暗号鍵の値を抽出できます。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 321
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287, [19] CWE ID 798
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [20] CWE ID 798
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [16] CWE ID 798
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287, [15] CWE ID 798
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287, [18] CWE ID 798
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287, [22] CWE ID 798
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[9] Standards Mapping - FIPS200 IA
[10] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1), SC-13 Cryptographic Protection (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management, SC-13 Cryptographic Protection
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.9.1 Cryptographic Software and Devices Verifier Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.4 Service Authentication Requirements (L2 L3), 3.5.2 Token-based Session Management (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.4.1 Secret Management (L2 L3), 6.4.2 Secret Management (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3), 10.2.3 Malicious Code Search (L3)
[14] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[15] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-2
[17] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[18] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[35] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 259
[36] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 798
[37] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 798
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3350 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3350 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3350 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3350 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3350 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3350 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3350 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002010 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002010 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002010 CAT II
[61] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.structural.apex.key_management_hardcoded_encryption_key
Abstract
ハードコーディングされた暗号鍵はセキュリティを危険にさらす可能性があり、この問題への対策は簡単ではありません。
Explanation
暗号鍵をハードコーディングすることは推奨されません。これによりプロジェクトの開発者全員が暗号鍵を見ることができ、問題の修復が非常に困難になるためです。 コードが実運用に入ると、暗号鍵を変更するにはソフトウェアパッチが必要になります。この暗号鍵によって保護されたアカウントが危険にさらされると、システムの所有者はセキュリティと可用性の二者択一を強いられます。

例 1: The following code uses a hardcoded encryption key:


...
using (SymmetricAlgorithm algorithm = SymmetricAlgorithm.Create("AES"))
{
  string encryptionKey = "lakdsljkalkjlksdfkl";
  byte[] keyBytes = Encoding.ASCII.GetBytes(encryptionKey);
  algorithm.Key = keyBytes;
  ...
}


このコードにアクセスできる全員が、暗号鍵にアクセスすることができます。アプリケーションが頒布された後は、プログラムにパッチを適用しない限り、暗号鍵を変更することはできません。この情報へのアクセス権を持っている従業員が、権限を使用してシステムに侵入できます。さらに、攻撃者がアプリケーションの実行可能ファイルにアクセスできれば、暗号鍵の値を解読できます。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 321
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287, [19] CWE ID 798
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [20] CWE ID 798
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [16] CWE ID 798
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287, [15] CWE ID 798
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287, [18] CWE ID 798
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287, [22] CWE ID 798
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[9] Standards Mapping - FIPS200 IA
[10] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1), SC-13 Cryptographic Protection (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management, SC-13 Cryptographic Protection
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.9.1 Cryptographic Software and Devices Verifier Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.4 Service Authentication Requirements (L2 L3), 3.5.2 Token-based Session Management (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.4.1 Secret Management (L2 L3), 6.4.2 Secret Management (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3), 10.2.3 Malicious Code Search (L3)
[14] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[15] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-2
[17] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[18] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[35] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 259
[36] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 798
[37] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 798
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3350 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3350 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3350 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3350 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3350 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3350 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3350 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002010 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002010 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002010 CAT II
[61] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.semantic.dotnet.key_management_hardcoded_encryption_key
Abstract
ハードコーディングされた暗号鍵はセキュリティを危険にさらす可能性があり、この問題への対策は簡単ではありません。
Explanation
暗号鍵をハードコーディングするのはよくない発想です。暗号鍵をハードコーディングするとプロジェクトの開発者全員が暗号鍵を見ることができるだけでなく、問題の修復も非常に困難です。コードが実運用に入ると、ソフトウェアにパッチを当てない暗号鍵を変更できません。この暗号鍵によって保護されたアカウントが危険にさらされると、システムの所有者はセキュリティと可用性の二者択一を強いられます。

例 1: 次のコードは、ハードコーディングされている暗号鍵を使用しています。


...
char encryptionKey[] = "lakdsljkalkjlksdfkl";
...


このコードにアクセスできる全員が、暗号鍵にアクセスすることができます。プログラムが頒布された後は、プログラムにパッチを適用しない限り、暗号鍵を変更することはできません。この情報へのアクセス権を持っている従業員が、権限を使用してシステムに侵入する可能性があります。攻撃者がアプリケーションの実行可能ファイルにアクセスできる場合、使用される暗号鍵の値が含まれているコードを逆アセンブルすることができます。
References
[1] Windows Data Protection Microsoft
[2] Encrypting Your App's Files Apple
[3] Standards Mapping - Common Weakness Enumeration CWE ID 321
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287, [19] CWE ID 798
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [20] CWE ID 798
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [16] CWE ID 798
[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287, [15] CWE ID 798
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287, [18] CWE ID 798
[9] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287, [22] CWE ID 798
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[11] Standards Mapping - FIPS200 IA
[12] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1), SC-13 Cryptographic Protection (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management, SC-13 Cryptographic Protection
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.9.1 Cryptographic Software and Devices Verifier Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.4 Service Authentication Requirements (L2 L3), 3.5.2 Token-based Session Management (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.4.1 Secret Management (L2 L3), 6.4.2 Secret Management (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3), 10.2.3 Malicious Code Search (L3)
[16] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[17] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[18] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-2
[19] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[20] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[21] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[22] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[23] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[24] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[37] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 259
[38] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 798
[39] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 798
[40] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3350 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3350 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3350 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3350 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3350 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3350 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3350 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002010 CAT II
[61] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002010 CAT II
[62] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002010 CAT II
[63] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.structural.cpp.hardcoded_encryption_key
Abstract
ハードコーディングされた暗号鍵はセキュリティを危険にさらす可能性があり、この問題への対策は簡単ではありません。
Explanation
暗号鍵をハードコーディングすることは推奨されません。これによりプロジェクトの開発者全員が暗号鍵を見ることができ、問題の修復が非常に困難になるためです。 コードが実運用に入ると、暗号鍵を変更するにはソフトウェアパッチが必要になります。この暗号鍵によって保護されたアカウントが危険にさらされると、システムの所有者はセキュリティと可用性の二者択一を強いられます。

例 1: 次のコードは、ハードコーディングされている暗号鍵を使用しています。


	...
	<cfset encryptionKey = "lakdsljkalkjlksdfkl" />
	<cfset encryptedMsg = encrypt(msg, encryptionKey, 'AES', 'Hex') />
	...


このコードにアクセスできる全員が、暗号鍵にアクセスすることができます。アプリケーションが頒布された後は、プログラムにパッチを適用しない限り、暗号鍵を変更することはできません。この情報へのアクセス権を持っている従業員が、権限を使用してシステムに侵入できます。さらに、攻撃者がアプリケーションの実行可能ファイルにアクセスできれば、暗号鍵の値を解読できます。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 321
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287, [19] CWE ID 798
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [20] CWE ID 798
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [16] CWE ID 798
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287, [15] CWE ID 798
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287, [18] CWE ID 798
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287, [22] CWE ID 798
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[9] Standards Mapping - FIPS200 IA
[10] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1), SC-13 Cryptographic Protection (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management, SC-13 Cryptographic Protection
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.9.1 Cryptographic Software and Devices Verifier Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.4 Service Authentication Requirements (L2 L3), 3.5.2 Token-based Session Management (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.4.1 Secret Management (L2 L3), 6.4.2 Secret Management (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3), 10.2.3 Malicious Code Search (L3)
[14] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[15] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-2
[17] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[18] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[35] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 259
[36] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 798
[37] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 798
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3350 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3350 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3350 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3350 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3350 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3350 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3350 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002010 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002010 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002010 CAT II
[61] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.structural.cfml.key_management_hardcoded_encryption_key
Abstract
ハードコーディングされた暗号鍵はセキュリティを危険にさらす可能性があり、この問題への対策は簡単ではありません。
Explanation
暗号鍵をハードコーディングすることは推奨されません。プロジェクトの開発者全員が暗号鍵を見ることができ、問題の修復が非常に困難になるためです。そのコードが実運用に入ったら、暗号鍵の変更にはソフトウェア パッチを必要とします。この暗号鍵によって保護されたアカウントが危険にさらされると、システムの所有者はセキュリティと可用性のいずれかを選択することになります。

例 1: 次のコードは、ハードコーディングされている暗号鍵を使用しています。


...
key := []byte("lakdsljkalkjlksd");
block, err := aes.NewCipher(key)
...


このコードにアクセスできる全員が、暗号鍵にアクセスすることができます。アプリケーションが頒布された後は、プログラムにパッチを適用しない限り、暗号鍵を変更することはできません。この情報へのアクセス権を持っている従業員が、権限を使用してシステムに侵入する可能性があります。さらに、攻撃者がアプリケーションの実行可能ファイルにアクセスできれば、暗号鍵の値を解読できます。
References
[1] MSC03-J. Never hard code sensitive information CERT
[2] Standards Mapping - Common Weakness Enumeration CWE ID 321
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287, [19] CWE ID 798
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [20] CWE ID 798
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [16] CWE ID 798
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287, [15] CWE ID 798
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287, [18] CWE ID 798
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287, [22] CWE ID 798
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[10] Standards Mapping - FIPS200 IA
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1), SC-13 Cryptographic Protection (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management, SC-13 Cryptographic Protection
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.9.1 Cryptographic Software and Devices Verifier Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.4 Service Authentication Requirements (L2 L3), 3.5.2 Token-based Session Management (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.4.1 Secret Management (L2 L3), 6.4.2 Secret Management (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3), 10.2.3 Malicious Code Search (L3)
[15] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[16] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[17] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-2
[18] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[19] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[21] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[23] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[36] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 259
[37] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 798
[38] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 798
[39] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3350 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3350 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3350 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3350 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3350 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3350 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3350 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002010 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002010 CAT II
[61] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002010 CAT II
[62] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.structural.golang.key_management_hardcoded_encryption_key
Abstract
ハードコーディングされた暗号鍵はセキュリティを危険にさらす可能性があり、この問題への対策は簡単ではありません。
Explanation
暗号鍵をハードコーディングすることは推奨されません。これによりプロジェクトの開発者全員が暗号鍵を見ることができ、問題の修復が非常に困難になるためです。 コードが実運用に入ると、暗号鍵を変更するにはソフトウェアパッチが必要になります。この暗号鍵によって保護されたアカウントが危険にさらされると、システムの所有者はセキュリティと可用性の二者択一を強いられます。

例 1: 次のコードは、ハードコーディングされている暗号鍵を使用しています。


...
private static final String encryptionKey = "lakdsljkalkjlksdfkl";
byte[] keyBytes = encryptionKey.getBytes();
SecretKeySpec key = new SecretKeySpec(keyBytes, "AES");
Cipher encryptCipher = Cipher.getInstance("AES");
encryptCipher.init(Cipher.ENCRYPT_MODE, key);
...


このコードにアクセスできる全員が、暗号鍵にアクセスすることができます。アプリケーションが頒布された後は、プログラムにパッチを適用しない限り、暗号鍵を変更することはできません。この情報へのアクセス権を持っている従業員が、権限を使用してシステムに侵入できます。さらに、攻撃者がアプリケーションの実行可能ファイルにアクセスできれば、暗号鍵の値を解読できます。
References
[1] MSC03-J. Never hard code sensitive information CERT
[2] Standards Mapping - Common Weakness Enumeration CWE ID 321
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287, [19] CWE ID 798
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [20] CWE ID 798
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [16] CWE ID 798
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287, [15] CWE ID 798
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287, [18] CWE ID 798
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287, [22] CWE ID 798
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[10] Standards Mapping - FIPS200 IA
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1), SC-13 Cryptographic Protection (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management, SC-13 Cryptographic Protection
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.9.1 Cryptographic Software and Devices Verifier Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.4 Service Authentication Requirements (L2 L3), 3.5.2 Token-based Session Management (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.4.1 Secret Management (L2 L3), 6.4.2 Secret Management (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3), 10.2.3 Malicious Code Search (L3)
[15] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[16] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[17] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-2
[18] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[19] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[21] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[23] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[36] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 259
[37] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 798
[38] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 798
[39] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3350 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3350 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3350 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3350 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3350 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3350 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3350 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002010 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002010 CAT II
[61] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002010 CAT II
[62] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.semantic.java.key_management_hardcoded_encryption_key
Abstract
ハードコーディングされた暗号鍵はセキュリティを危険にさらす可能性があり、この問題への対策は簡単ではありません。
Explanation
暗号鍵をハードコーディングすることは推奨されません。これによりプロジェクトの開発者全員が暗号鍵を見ることができ、問題の修復が非常に困難になるためです。 コードが実運用に入ると、暗号鍵を変更するにはソフトウェアパッチが必要になります。この暗号鍵によって保護されたアカウントが危険にさらされると、システムの所有者はセキュリティと可用性の二者択一を強いられます。

例 1: 次のコードは、ハードコーディングされている暗号鍵を使用しています。


...
var crypto = require('crypto');
var encryptionKey = "lakdsljkalkjlksdfkl";
var algorithm = 'aes-256-ctr';
var cipher = crypto.createCipher(algorithm, encryptionKey);
...


このコードにアクセスできる全員が、暗号鍵にアクセスすることができます。アプリケーションが頒布された後は、プログラムにパッチを適用しない限り、暗号鍵を変更することはできません。この情報へのアクセス権を持っている従業員が、権限を使用してシステムに侵入できます。さらに、攻撃者がアプリケーションの実行可能ファイルにアクセスできれば、暗号鍵の値を解読できます。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 321
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287, [19] CWE ID 798
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [20] CWE ID 798
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [16] CWE ID 798
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287, [15] CWE ID 798
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287, [18] CWE ID 798
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287, [22] CWE ID 798
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[9] Standards Mapping - FIPS200 IA
[10] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1), SC-13 Cryptographic Protection (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management, SC-13 Cryptographic Protection
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.9.1 Cryptographic Software and Devices Verifier Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.4 Service Authentication Requirements (L2 L3), 3.5.2 Token-based Session Management (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.4.1 Secret Management (L2 L3), 6.4.2 Secret Management (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3), 10.2.3 Malicious Code Search (L3)
[14] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[15] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-2
[17] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[18] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[35] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 259
[36] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 798
[37] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 798
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3350 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3350 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3350 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3350 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3350 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3350 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3350 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002010 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002010 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002010 CAT II
[61] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.structural.javascript.key_management_hardcoded_encryption_key
Abstract
Hardcoded Password はシステムのセキュリティを危険にさらす可能性があり、この問題への対策は困難です。
Explanation
パスワードは絶対にハードコーディングしないでください。開発者全員にパスワードが開示されるだけでなく、問題の修復も非常に困難になります。コードが実運用に入ると、おそらくパスワードを変更する唯一の方法は、プログラムのパッチです。パスワードで保護するアカウントが危険にさらされると、システムの所有者はセキュリティと可用性のいずれかを選択しなければなりません。
例 1: 次の JSON は、ハードコーディングされたパスワードを使用しています。


...
{
  "username":"scott"
  "password":"tiger"
}
...


この構成は有効である可能性がありますが、構成にアクセスできる人は誰でもパスワードにもアクセスできてしまいます。プログラムがリリースされた後、デフォルトのユーザー アカウント「scott」とパスワード「tiger」を変更することは困難です。この情報へのアクセス権を持っているユーザーは誰でも、権限を使用してシステムに侵入できます。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 321
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287, [19] CWE ID 798
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [20] CWE ID 798
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [16] CWE ID 798
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287, [15] CWE ID 798
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287, [18] CWE ID 798
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287, [22] CWE ID 798
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[9] Standards Mapping - FIPS200 IA
[10] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1), SC-13 Cryptographic Protection (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management, SC-13 Cryptographic Protection
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.9.1 Cryptographic Software and Devices Verifier Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.4 Service Authentication Requirements (L2 L3), 3.5.2 Token-based Session Management (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.4.1 Secret Management (L2 L3), 6.4.2 Secret Management (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3), 10.2.3 Malicious Code Search (L3)
[14] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[15] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-2
[17] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[18] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[35] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 259
[36] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 798
[37] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 798
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3350 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3350 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3350 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3350 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3350 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3350 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3350 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002010 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002010 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002010 CAT II
[61] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.structural.json.password_management_hardcoded_password
Abstract
ハードコーディングされた暗号鍵はセキュリティを危険にさらす可能性があり、この問題への対策は簡単ではありません。
Explanation
暗号鍵をハードコーディングすることは推奨されません。これによりプロジェクトの開発者全員が暗号鍵を見ることができ、問題の修復が非常に困難になるためです。 コードが実運用に入ると、暗号鍵を変更するにはソフトウェアパッチが必要になります。この暗号鍵によって保護されたアカウントが危険にさらされると、システムの所有者はセキュリティと可用性の二者択一を強いられます。

例 1: 次のコードは、ハードコーディングされている暗号鍵を使用しています。


...
NSString encryptionKey = "lakdsljkalkjlksdfkl";
...


このコードにアクセスできる全員が、暗号鍵にアクセスすることができます。アプリケーションが頒布された後は、プログラムにパッチを適用しない限り、暗号鍵を変更することはできません。この情報へのアクセス権を持っている従業員が、権限を使用してシステムに侵入できます。さらに、攻撃者がアプリケーションの実行可能ファイルにアクセスできれば、暗号鍵の値を解読できます。
References
[1] Encrypting Your App's Files Apple
[2] Standards Mapping - Common Weakness Enumeration CWE ID 321
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287, [19] CWE ID 798
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [20] CWE ID 798
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [16] CWE ID 798
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287, [15] CWE ID 798
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287, [18] CWE ID 798
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287, [22] CWE ID 798
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[10] Standards Mapping - FIPS200 IA
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1), SC-13 Cryptographic Protection (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management, SC-13 Cryptographic Protection
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.9.1 Cryptographic Software and Devices Verifier Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.4 Service Authentication Requirements (L2 L3), 3.5.2 Token-based Session Management (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.4.1 Secret Management (L2 L3), 6.4.2 Secret Management (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3), 10.2.3 Malicious Code Search (L3)
[15] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[16] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[17] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-2
[18] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[19] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[21] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[23] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[36] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 259
[37] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 798
[38] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 798
[39] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3350 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3350 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3350 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3350 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3350 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3350 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3350 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002010 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002010 CAT II
[61] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002010 CAT II
[62] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.structural.objc.key_management_hardcoded_encryption_key
Abstract
ハードコーディングされた暗号鍵はシステムのセキュリティを危険にさらす可能性があり、この問題への対策は簡単ではありません。
Explanation
暗号鍵をハードコーディングするのはよくない発想です。暗号鍵をハードコーディングするとプロジェクトの開発者全員が暗号鍵を見ることができるだけでなく、問題の修復も非常に困難です。コードが実運用に入ると、ソフトウェアにパッチを当てない暗号鍵を変更できません。この暗号鍵によって保護されたアカウントが危険にさらされると、システムの所有者はセキュリティと可用性の二者択一を強いられます。
例 1: 次のコードは、ハードコーディングされている暗号鍵を使用して、情報を暗号化します。


...
$encryption_key = 'hardcoded_encryption_key';

//$filter = new Zend_Filter_Encrypt('hardcoded_encryption_key');
$filter = new Zend_Filter_Encrypt($encryption_key);

$filter->setVector('myIV');

$encrypted = $filter->filter('text_to_be_encrypted');
print $encrypted;
...


このコードは正常に実行されますが、このコードにアクセスしたユーザーは暗号化鍵にアクセスできます。プログラムが頒布された後は、プログラムにパッチを適用しない限り、ハードコーディングされた暗号化鍵 ('hardcoded_encryption_key') を変更することはできません。不心得な従業員がこの情報へのアクセス権を持っている場合、この暗号化鍵を使用してシステムによって暗号化されているデータを危険な状態におくことがあります。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 321
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287, [19] CWE ID 798
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [20] CWE ID 798
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [16] CWE ID 798
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287, [15] CWE ID 798
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287, [18] CWE ID 798
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287, [22] CWE ID 798
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[9] Standards Mapping - FIPS200 IA
[10] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1), SC-13 Cryptographic Protection (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management, SC-13 Cryptographic Protection
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.9.1 Cryptographic Software and Devices Verifier Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.4 Service Authentication Requirements (L2 L3), 3.5.2 Token-based Session Management (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.4.1 Secret Management (L2 L3), 6.4.2 Secret Management (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3), 10.2.3 Malicious Code Search (L3)
[14] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[15] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-2
[17] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[18] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[35] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 259
[36] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 798
[37] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 798
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3350 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3350 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3350 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3350 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3350 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3350 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3350 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002010 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002010 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002010 CAT II
[61] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.semantic.php.key_management_hardcoded_encryption_key
Abstract
ハードコーディングされた暗号鍵はセキュリティを危険にさらす可能性があり、この問題への対策は簡単ではありません。
Explanation
暗号鍵をハードコーディングすることは推奨されません。これによりプロジェクトの開発者全員が暗号鍵を見ることができ、問題の修復が非常に困難になるためです。 コードが実運用に入ると、暗号鍵を変更するにはソフトウェアパッチが必要になります。この暗号鍵によって保護されたアカウントが危険にさらされると、システムの所有者はセキュリティと可用性の二者択一を強いられます。



このコードにアクセスできる全員が、暗号鍵にアクセスすることができます。アプリケーションが頒布された後は、プログラムにパッチを適用しない限り、暗号鍵を変更することはできません。この情報へのアクセス権を持っている従業員が、権限を使用してシステムに侵入できます。さらに、攻撃者がアプリケーションの実行可能ファイルにアクセスできれば、暗号鍵の値を解読できます。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 321
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287, [19] CWE ID 798
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [20] CWE ID 798
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [16] CWE ID 798
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287, [15] CWE ID 798
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287, [18] CWE ID 798
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287, [22] CWE ID 798
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[9] Standards Mapping - FIPS200 IA
[10] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1), SC-13 Cryptographic Protection (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management, SC-13 Cryptographic Protection
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.9.1 Cryptographic Software and Devices Verifier Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.4 Service Authentication Requirements (L2 L3), 3.5.2 Token-based Session Management (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.4.1 Secret Management (L2 L3), 6.4.2 Secret Management (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3), 10.2.3 Malicious Code Search (L3)
[14] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[15] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-2
[17] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[18] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[35] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 259
[36] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 798
[37] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 798
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3350 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3350 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3350 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3350 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3350 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3350 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3350 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002010 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002010 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002010 CAT II
[61] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.structural.sql.key_management_hardcoded_encryption_key
Abstract
ハードコーディングされた暗号鍵はシステムのセキュリティを危険にさらす可能性があり、この問題への対策は簡単ではありません。
Explanation
暗号鍵をハードコーディングするのはよくない発想です。暗号鍵をハードコーディングするとプロジェクトの開発者全員が暗号鍵を見ることができるだけでなく、問題の修復も非常に困難です。コードが実運用に入ると、ソフトウェアにパッチを当てない暗号鍵を変更できません。この暗号鍵によって保護されたアカウントが危険にさらされると、システムの所有者はセキュリティと可用性の二者択一を強いられます。
例 1: 次のコードは、ハードコーディングされている暗号鍵を使用して、情報を暗号化します。

...
from Crypto.Ciphers import AES
encryption_key = b'_hardcoded__key_'
cipher = AES.new(encryption_key, AES.MODE_CFB, iv)
msg = iv + cipher.encrypt(b'Attack at dawn')
...


このコードは正常に実行されますが、このコードにアクセスしたユーザーは暗号化鍵にアクセスできます。プログラムが頒布された後は、プログラムにパッチを適用しない限り、基本的にハードコーディングされた暗号化鍵 _hardcoded__key_ を変更することはできません。不心得な従業員がこの情報へのアクセス権を持っている場合、この暗号化鍵を使用してシステムによって暗号化されているデータを危険な状態におくことがあります。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 321
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287, [19] CWE ID 798
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [20] CWE ID 798
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [16] CWE ID 798
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287, [15] CWE ID 798
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287, [18] CWE ID 798
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287, [22] CWE ID 798
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[9] Standards Mapping - FIPS200 IA
[10] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1), SC-13 Cryptographic Protection (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management, SC-13 Cryptographic Protection
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.9.1 Cryptographic Software and Devices Verifier Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.4 Service Authentication Requirements (L2 L3), 3.5.2 Token-based Session Management (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.4.1 Secret Management (L2 L3), 6.4.2 Secret Management (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3), 10.2.3 Malicious Code Search (L3)
[14] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[15] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-2
[17] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[18] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[35] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 259
[36] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 798
[37] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 798
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3350 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3350 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3350 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3350 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3350 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3350 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3350 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002010 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002010 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002010 CAT II
[61] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.structural.python.key_management_hardcoded_encryption_key
Abstract
ハードコーディングされた暗号鍵はシステムのセキュリティを危険にさらす可能性があり、この問題への対策は簡単ではありません。
Explanation
暗号鍵をハードコーディングするのはよくない発想です。暗号鍵をハードコーディングするとプロジェクトの開発者全員が暗号鍵を見ることができるだけでなく、問題の修復も非常に困難です。コードが実運用に入ると、ソフトウェアにパッチを当てない暗号鍵を変更できません。この暗号鍵によって保護されたアカウントが危険にさらされると、システムの所有者はセキュリティと可用性の二者択一を強いられます。
例 1: 次のコードは、ハードコーディングされている暗号鍵を使用しています。


require 'openssl'
...
encryption_key = 'hardcoded_encryption_key'
...
cipher = OpenSSL::Cipher::AES.new(256, 'GCM')
cipher.encrypt
...
cipher.key=encryption_key
...


このコードは正常に実行されますが、このコードにアクセスしたユーザーは暗号化鍵にアクセスできます。プログラムが頒布された後は、プログラムにパッチを適用しない限り、基本的にハードコーディングされた暗号化鍵 "hardcoded_encryption_key" を変更することはできません。不心得な従業員がこの情報へのアクセス権を持っている場合、この暗号化鍵を使用してシステムによって暗号化されているデータを危険な状態におくことがあります。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 321
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287, [19] CWE ID 798
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [20] CWE ID 798
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [16] CWE ID 798
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287, [15] CWE ID 798
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287, [18] CWE ID 798
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287, [22] CWE ID 798
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[9] Standards Mapping - FIPS200 IA
[10] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1), SC-13 Cryptographic Protection (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management, SC-13 Cryptographic Protection
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.9.1 Cryptographic Software and Devices Verifier Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.4 Service Authentication Requirements (L2 L3), 3.5.2 Token-based Session Management (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.4.1 Secret Management (L2 L3), 6.4.2 Secret Management (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3), 10.2.3 Malicious Code Search (L3)
[14] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[15] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-2
[17] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[18] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[35] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 259
[36] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 798
[37] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 798
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3350 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3350 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3350 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3350 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3350 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3350 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3350 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002010 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002010 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002010 CAT II
[61] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.structural.ruby.key_management_hardcoded_encryption_key
Abstract
ハードコーディングされた暗号鍵はセキュリティを危険にさらす可能性があり、この問題への対策は簡単ではありません。
Explanation
暗号鍵をハードコーディングするのはよくない発想です。暗号鍵をハードコーディングするとプロジェクトの開発者全員が暗号鍵を見ることができるだけでなく、問題の修復も非常に困難です。コードが実運用に入ると、ソフトウェアにパッチを当てない暗号鍵を変更できません。この暗号鍵によって保護されたアカウントが危険にさらされると、システムの所有者はセキュリティと可用性の二者択一を強いられます。

例 1: 次のコードは、ハードコーディングされている暗号鍵を使用しています。


...
let encryptionKey = "YELLOW_SUBMARINE"
...
例 2: 次のコードは、ハードコーディングされている暗号鍵を使用して AES 暗号化を行っています。


...
CCCrypt(UInt32(kCCEncrypt),
UInt32(kCCAlgorithmAES128),
UInt32(kCCOptionPKCS7Padding),
"YELLOW_SUBMARINE",
16,
iv,
plaintext,
plaintext.length,
ciphertext.mutableBytes,
ciphertext.length,
&numBytesEncrypted)
...


このコードにアクセスできる全員が、暗号鍵にアクセスすることができます。プログラムが頒布された後は、プログラムにパッチを適用しない限り、暗号鍵を変更することはできません。この情報へのアクセス権を持っている従業員が、権限を使用してシステムに侵入する可能性があります。さらに、攻撃者がアプリケーションの実行可能ファイルにアクセスできれば、暗号鍵の値を解読できます。
References
[1] Encrypting Your App's Files Apple
[2] Standards Mapping - Common Weakness Enumeration CWE ID 321
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287, [19] CWE ID 798
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [20] CWE ID 798
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [16] CWE ID 798
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287, [15] CWE ID 798
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287, [18] CWE ID 798
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287, [22] CWE ID 798
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[10] Standards Mapping - FIPS200 IA
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1), SC-13 Cryptographic Protection (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management, SC-13 Cryptographic Protection
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.9.1 Cryptographic Software and Devices Verifier Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.4 Service Authentication Requirements (L2 L3), 3.5.2 Token-based Session Management (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.4.1 Secret Management (L2 L3), 6.4.2 Secret Management (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3), 10.2.3 Malicious Code Search (L3)
[15] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[16] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[17] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-2
[18] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[19] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[21] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[23] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[36] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 259
[37] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 798
[38] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 798
[39] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3350 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3350 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3350 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3350 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3350 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3350 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3350 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002010 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002010 CAT II
[61] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002010 CAT II
[62] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.structural.swift.key_management_hardcoded_encryption_key
Abstract
ハードコーディングされた暗号鍵はセキュリティを危険にさらす可能性があり、この問題への対策は簡単ではありません。
Explanation
暗号化キーはハードコーディングしないでください。これにより、暗号化キーがプロジェクトの開発者全員に見えてしまい、問題の修正が極めて困難になるためです。コードの運用後に暗号鍵を変更するには、ソフトウェア パッチが必要です。暗号鍵が保護するアカウントが危険にさらされると、組織はセキュリティとシステム可用性のいずれかを選択することを迫られます。

例 1: 次の例は、.pem ファイル内の暗号鍵を示しています。


...
-----BEGIN RSA PRIVATE KEY-----
MIICXwIBAAKBgQCtVacMo+w+TFOm0p8MlBWvwXtVRpF28V+o0RNPx5x/1TJTlKEl
...
DiJPJY2LNBQ7jS685mb6650JdvH8uQl6oeJ/aUmq63o2zOw=
-----END RSA PRIVATE KEY-----
...


このコードにアクセスできる全員が、暗号鍵を閲覧できます。アプリケーションが頒布された後は、プログラムにパッチを適用しない限り、暗号鍵を変更することはできません。この情報へのアクセス権を持っている従業員が、権限を使用してシステムに侵入する可能性があります。アプリケーションの実行可能ファイルにアクセスできる攻撃者は、暗号鍵の値を抽出できます。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 321
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287, [19] CWE ID 798
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [20] CWE ID 798
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [16] CWE ID 798
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287, [15] CWE ID 798
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287, [18] CWE ID 798
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287, [22] CWE ID 798
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[9] Standards Mapping - FIPS200 IA
[10] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1), SC-13 Cryptographic Protection (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management, SC-13 Cryptographic Protection
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.9.1 Cryptographic Software and Devices Verifier Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.4 Service Authentication Requirements (L2 L3), 3.5.2 Token-based Session Management (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.4.1 Secret Management (L2 L3), 6.4.2 Secret Management (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3), 10.2.3 Malicious Code Search (L3)
[14] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[15] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-2
[17] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[18] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[35] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 259
[36] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 798
[37] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 798
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3350 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3350 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3350 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3350 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3350 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3350 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3350 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002010 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002010 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002010 CAT II
[61] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.regex.universal.key_management_hardcoded_encryption_key
Abstract
ハードコーディングされた暗号鍵はセキュリティを危険にさらす可能性があり、この問題への対策は簡単ではありません。
Explanation
暗号鍵をハードコーディングすることは推奨されません。これによりプロジェクトの開発者全員が暗号鍵を見ることができ、問題の修復が非常に困難になるためです。 コードが実運用に入ると、暗号鍵を変更するにはソフトウェアパッチが必要になります。この暗号鍵によって保護されたアカウントが危険にさらされると、システムの所有者はセキュリティと可用性の二者択一を強いられます。

例 1: 次のコードは、ハードコーディングされている暗号鍵を使用しています。


...
Dim encryptionKey As String
Set encryptionKey = "lakdsljkalkjlksdfkl"
Dim AES As New System.Security.Cryptography.RijndaelManaged
On Error GoTo ErrorHandler
  AES.Key = System.Text.Encoding.ASCII.GetBytes(encryptionKey)
  ...
Exit Sub
...


このコードにアクセスできる全員が、暗号鍵にアクセスすることができます。アプリケーションが頒布された後は、プログラムにパッチを適用しない限り、暗号鍵を変更することはできません。この情報へのアクセス権を持っている従業員が、権限を使用してシステムに侵入できます。さらに、攻撃者がアプリケーションの実行可能ファイルにアクセスできれば、暗号鍵の値を解読できます。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 321
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287, [19] CWE ID 798
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [20] CWE ID 798
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [16] CWE ID 798
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287, [15] CWE ID 798
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287, [18] CWE ID 798
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287, [22] CWE ID 798
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[9] Standards Mapping - FIPS200 IA
[10] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1), SC-13 Cryptographic Protection (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management, SC-13 Cryptographic Protection
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.9.1 Cryptographic Software and Devices Verifier Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.4 Service Authentication Requirements (L2 L3), 3.5.2 Token-based Session Management (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.4.1 Secret Management (L2 L3), 6.4.2 Secret Management (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3), 10.2.3 Malicious Code Search (L3)
[14] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[15] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-2
[17] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[18] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[35] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 259
[36] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 798
[37] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 798
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3350 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3350 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3350 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3350 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3350 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3350 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3350 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002010 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002010 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002010 CAT II
[61] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.structural.vb.key_management_hardcoded_encryption_key
Abstract
ハードコーディングされた暗号鍵はセキュリティを危険にさらす可能性があり、この問題への対策は簡単ではありません。
Explanation
暗号化キーはハードコーディングしないでください。これにより、暗号化キーがプロジェクトの開発者全員に見えてしまい、問題の修正が極めて困難になるためです。コードの運用後に暗号鍵を変更するには、ソフトウェア パッチが必要です。暗号鍵が保護するアカウントが危険にさらされると、組織はセキュリティとシステム可用性のいずれかを選択することを迫られます。

例 1: 次の例は、Ruby on Rails 構成の secrets.yml ファイル内の暗号化キーを示しています。


...
production:
  secret_key_base: 0ab25e26286c4fb9f7335947994d83f19861354f19702b7bbb84e85310b287ba3cdc348f1f19c8cdc08a7c6c5ad2c20ad31ecda177d2c74aa2d48ec4a346c40e
...


このコードにアクセスできる全員が、暗号鍵を閲覧できます。アプリケーションが頒布された後は、プログラムにパッチを適用しない限り、暗号鍵を変更することはできません。この情報へのアクセス権を持っている従業員が、権限を使用してシステムに侵入する可能性があります。アプリケーションの実行可能ファイルにアクセスできる攻撃者は、暗号鍵の値を抽出できます。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 321
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287, [19] CWE ID 798
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [20] CWE ID 798
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [16] CWE ID 798
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287, [15] CWE ID 798
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287, [18] CWE ID 798
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287, [22] CWE ID 798
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[9] Standards Mapping - FIPS200 IA
[10] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1), SC-13 Cryptographic Protection (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management, SC-13 Cryptographic Protection
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.9.1 Cryptographic Software and Devices Verifier Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.4 Service Authentication Requirements (L2 L3), 3.5.2 Token-based Session Management (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.4.1 Secret Management (L2 L3), 6.4.2 Secret Management (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3), 10.2.3 Malicious Code Search (L3)
[14] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[15] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-2
[17] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[18] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[35] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 259
[36] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 798
[37] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 798
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3350 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3350 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3350 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3350 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3350 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3350 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3350 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002010 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002010 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002010 CAT II
[61] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.structural.yaml.key_management_hardcoded_encryption_key

OpenAPI Misconfiguration: Credential Leakage

Abstract
OpenAPI 仕様は、機密性の高いクライアント資格情報の交換中に暗号化された通信を強制しません。
Explanation
資格情報が暗号化されていないチャネルを通過できるようにする API 操作が検出されました。API 操作に対する OpenAPI の security の要件とターゲット servers の定義は、常にそれぞれのグローバル設定をオーバーライドします。

ただし、これらの設定が操作に対して定義されていない場合は、デフォルトでグローバルに指定された値になります。
References
[1] OpenAPI Initiative OpenAPI Specification v3.1.0 - 4.8.30 Security Requirement Object
[2] OpenAPI Initiative OpenAPI Specification v3.1.0 - 4.8.10 Operation Object
[3] CIO Council The HTTPS-Only Standard
[4] Josh Fruhlinger What is SSL, TLS? And how this encryption protocol works
[5] Standards Mapping - Common Weakness Enumeration CWE ID 319
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-001453, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123
[7] Standards Mapping - FIPS200 SC
[8] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), MA-4 Nonlocal Maintenance (P2), SC-8 Transmission Confidentiality and Integrity (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, MA-4 Nonlocal Maintenance, SC-8 Transmission Confidentiality and Integrity
[11] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.9.1 Communications Architectural Requirements (L2 L3), 2.2.5 General Authenticator Requirements (L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 6.2.7 Algorithms (L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.1 Communications Security Requirements (L1 L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3), 9.2.1 Server Communications Security Requirements (L2 L3), 9.2.2 Server Communications Security Requirements (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3), 14.1.3 Build (L2 L3), 14.4.5 HTTP Security Headers Requirements (L1 L2 L3)
[13] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[14] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.4.1 - Web Software Communications
[22] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[28] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.configuration.json.openapi_misconfiguration_credential_leakage.master
Abstract
OpenAPI 仕様は、機密性の高いクライアント資格情報の交換中に暗号化された通信を強制しません。
Explanation
資格情報が暗号化されていないチャネルを通過できるようにする API 操作が検出されました。API 操作に対する OpenAPI の security の要件とターゲット servers の定義は、常にそれぞれのグローバル設定をオーバーライドします。

ただし、これらの設定が操作に対して定義されていない場合は、デフォルトでグローバルに指定された値になります。
References
[1] OpenAPI Initiative OpenAPI Specification v3.1.0 - 4.8.30 Security Requirement Object
[2] OpenAPI Initiative OpenAPI Specification v3.1.0 - 4.8.10 Operation Object
[3] CIO Council The HTTPS-Only Standard
[4] Josh Fruhlinger What is SSL, TLS? And how this encryption protocol works
[5] Standards Mapping - Common Weakness Enumeration CWE ID 319
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-001453, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123
[7] Standards Mapping - FIPS200 SC
[8] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), MA-4 Nonlocal Maintenance (P2), SC-8 Transmission Confidentiality and Integrity (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, MA-4 Nonlocal Maintenance, SC-8 Transmission Confidentiality and Integrity
[11] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.9.1 Communications Architectural Requirements (L2 L3), 2.2.5 General Authenticator Requirements (L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 6.2.7 Algorithms (L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.1 Communications Security Requirements (L1 L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3), 9.2.1 Server Communications Security Requirements (L2 L3), 9.2.2 Server Communications Security Requirements (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3), 14.1.3 Build (L2 L3), 14.4.5 HTTP Security Headers Requirements (L1 L2 L3)
[13] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[14] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.4.1 - Web Software Communications
[22] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[28] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.configuration.yaml.openapi_misconfiguration_credential_leakage.master

OpenAPI Misconfiguration: Empty Global Security Requirement

Abstract
OpenAPI 仕様は、空のグローバル security を定義します。
Explanation
グローバル セキュリティ要件は、API と正常にやり取りするために必要な認証および承認パラメーターを API コンシューマーに通知します。

空のグローバル security 定義によって、攻撃者は機密性の高い API エンドポイントと対話し、特定の権限を持つ特定のユーザー アカウントに制限する必要がある操作を実行できるようになる可能性があります。

例 1: 次の OpenAPI 仕様は、空のグローバル security 定義を宣言します。この仕様を実装する API は、機密性の高い操作への許可されていない、または認証されていないアクセスに対して脆弱である可能性があります。

{
    "openapi" : "3.0.3",
    "info" : {
        "title" : "My API",
        "version" : "1.0.0"
    },
    "servers" : [ {
        "url" : "/"
    } ],
    "security" : [],
    ...
}
References
[1] OpenAPI Initiative OpenAPI Specification v3.1.0 - 4.8.30 Security Requirement Object
[2] Standards Mapping - Common Weakness Enumeration CWE ID 284, CWE ID 359
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[6] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002475
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest
[12] Standards Mapping - OWASP API 2023 API5 Broken Function Level Authorization
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.4.2 Access Control Architectural Requirements (L2 L3), 1.4.4 Access Control Architectural Requirements (L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 10.2.1 Malicious Code Search (L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[15] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[16] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[17] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration, A7 Insecure Cryptographic Storage, A8 Failure to Restrict URL Access
[18] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 8.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.6, Requirement 8.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.3.1, Requirement 3.5.1, Requirement 4.2.2, Requirement 6.2.4, Requirement 8.3.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.1, Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 4.2.2, Requirement 6.2.4, Requirement 8.3.1
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection
[33] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 863
[34] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002340 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002340 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002340 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002340 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002340 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002340 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002340 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002340 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002340 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002340 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002340 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002340 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002340 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002340 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002340 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002340 CAT II
[58] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[59] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.configuration.json.openapi_misconfiguration_empty_global_security_requirement
Abstract
OpenAPI 仕様は、空のグローバル security を定義します。
Explanation
グローバル セキュリティ要件は、API と正常にやり取りするために必要な認証および承認パラメーターを API コンシューマーに通知します。

空のグローバル security 定義によって、攻撃者は機密性の高い API エンドポイントと対話し、特定の権限を持つ特定のユーザー アカウントに制限する必要がある操作を実行できるようになる可能性があります。

例 1: 次の OpenAPI 仕様は、空のグローバル security 定義を宣言します。この仕様を実装する API は、機密性の高い操作への許可されていない、または認証されていないアクセスに対して脆弱である可能性があります。

    openapi: 3.0.3
    info:
      title: My API
      version: 1.0.0
    security:
References
[1] OpenAPI Initiative OpenAPI Specification v3.1.0 - 4.8.30 Security Requirement Object
[2] Standards Mapping - Common Weakness Enumeration CWE ID 284, CWE ID 359
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[6] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002475
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest
[12] Standards Mapping - OWASP API 2023 API5 Broken Function Level Authorization
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.4.2 Access Control Architectural Requirements (L2 L3), 1.4.4 Access Control Architectural Requirements (L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 10.2.1 Malicious Code Search (L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[15] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[16] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[17] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration, A7 Insecure Cryptographic Storage, A8 Failure to Restrict URL Access
[18] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 8.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.6, Requirement 8.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.3.1, Requirement 3.5.1, Requirement 4.2.2, Requirement 6.2.4, Requirement 8.3.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.1, Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 4.2.2, Requirement 6.2.4, Requirement 8.3.1
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection
[33] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 863
[34] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002340 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002340 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002340 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002340 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002340 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002340 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002340 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002340 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002340 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002340 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002340 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002340 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002340 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002340 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002340 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002340 CAT II
[58] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[59] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.configuration.yaml.openapi_misconfiguration_empty_global_security_requirement

OpenAPI Misconfiguration: Empty Operation Security Requirement

Abstract
OpenAPI 仕様は、API 操作に対して空の security 定義を含みます。
Explanation
API 操作では、API コンシューマーに、操作を正常に呼び出すために必要な認証および承認パラメーターを通知するためのセキュリティ要件を定義します。

空の security 定義を含む操作により、攻撃者は機密性の高い API エンドポイントと対話し、明示的な権限を持つ特定のユーザー アカウントに制限する必要があるアクションを実行できるようになる可能性があります。

例 1: 次の OpenAPI 仕様は、機密性の高い操作のために空の security 定義を設定します。これは、グローバルに定義されたセキュリティ要件をオーバーライドし、createUsers 操作を許可および認証されていないアクセスに対して脆弱にします。

{
    "openapi": "3.0.0",
    "info": {
     ...
    },    
    "paths": {
      "/users": {
        "post": {
          "security": [],
          "summary": "Create a user",
          "operationId": "createUsers",
         ...
        }
    ...
    }
}
References
[1] OpenAPI Initiative OpenAPI Specification v3.1.0 - 4.8.30 Security Requirement Object
[2] OpenAPI Initiative OpenAPI Specification v3.1.0 - 4.8.10 Operation Object
[3] Standards Mapping - Common Weakness Enumeration CWE ID 284, CWE ID 359
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002475
[9] Standards Mapping - FIPS200 CM
[10] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest
[13] Standards Mapping - OWASP API 2023 API5 Broken Function Level Authorization
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.4.2 Access Control Architectural Requirements (L2 L3), 1.4.4 Access Control Architectural Requirements (L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 10.2.1 Malicious Code Search (L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[16] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[17] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[18] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration, A7 Insecure Cryptographic Storage, A8 Failure to Restrict URL Access
[19] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 8.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.6, Requirement 8.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.3.1, Requirement 3.5.1, Requirement 4.2.2, Requirement 6.2.4, Requirement 8.3.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.1, Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 4.2.2, Requirement 6.2.4, Requirement 8.3.1
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection
[34] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 863
[35] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002340 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002340 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002340 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002340 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002340 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002340 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002340 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002340 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002340 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002340 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002340 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002340 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002340 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002340 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002340 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002340 CAT II
[59] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[60] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.configuration.json.openapi_misconfiguration_empty_operation_security_requirement
Abstract
OpenAPI 仕様は、API 操作に対して空の security 定義を含みます。
Explanation
API 操作では、API コンシューマーに、操作を正常に呼び出すために必要な認証および承認パラメーターを通知するためのセキュリティ要件を定義します。

空の security 定義を含む操作により、攻撃者は機密性の高い API エンドポイントと対話し、明示的な権限を持つ特定のユーザー アカウントに制限する必要があるアクションを実行できるようになる可能性があります。

例 1: 次の OpenAPI 仕様は、機密性の高い操作のために空の security 定義を設定します。これは、グローバルに定義されたセキュリティ要件をオーバーライドし、createUsers 操作を許可および認証されていないアクセスに対して脆弱にします。

openapi: 3.0.0
info:
...
paths:
  /users:
    post:
      operationId: createUsers
      security: []
      responses:
        '201':
          ...
References
[1] OpenAPI Initiative OpenAPI Specification v3.1.0 - 4.8.30 Security Requirement Object
[2] OpenAPI Initiative OpenAPI Specification v3.1.0 - 4.8.10 Operation Object
[3] Standards Mapping - Common Weakness Enumeration CWE ID 284, CWE ID 359
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002475
[9] Standards Mapping - FIPS200 CM
[10] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest
[13] Standards Mapping - OWASP API 2023 API5 Broken Function Level Authorization
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.4.2 Access Control Architectural Requirements (L2 L3), 1.4.4 Access Control Architectural Requirements (L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 10.2.1 Malicious Code Search (L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[16] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[17] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[18] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration, A7 Insecure Cryptographic Storage, A8 Failure to Restrict URL Access
[19] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 8.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.6, Requirement 8.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.3.1, Requirement 3.5.1, Requirement 4.2.2, Requirement 6.2.4, Requirement 8.3.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.1, Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 4.2.2, Requirement 6.2.4, Requirement 8.3.1
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection
[34] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 863
[35] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002340 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002340 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002340 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002340 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002340 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002340 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002340 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002340 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002340 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002340 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002340 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002340 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002340 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002340 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002340 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002340 CAT II
[59] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[60] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.configuration.yaml.openapi_misconfiguration_empty_operation_security_requirement