305 見つかった項目
脆弱性

.NET Bad Practices: BinaryFormatter Enabled

Abstract
アプリケーションは非推奨かつ安全でない BinaryFormatter クラスを有効にします。
Explanation
.NET では、BinaryFormatter クラスを使用して、オブジェクトを、オブジェクト自体と、デシリアライズ中にオブジェクトを再構築するために必要なメタデータの両方を含むバイナリ ストリームに変換することができます。

BinaryFormatter クラスを使用すると、攻撃者が任意のコードを実行したり、アプリケーション ロジックを悪用したり、Denial of Service 状態をトリガーしたりする可能性のある、安全でないデシリアライゼーション シナリオを引き起こす可能性があります。

BinaryFormatter 型の使用は危険であり、安全性が確立できないため、データ処理には推奨されません。

例 1: runtimeConfig.json ファイルで config プロパティ EnableUnsafeBinaryFormatterSerializationtrue に設定することによって、アプリケーションは安全でない BinaryFormatter クラスの使用を有効にします。

...
AppContext.SetSwitch("System.Runtime.Serialization.EnableUnsafeBinaryFormatterSerialization", true);
...
References
[1] Microsoft BinaryFormatter serialization methods are obsolete and prohibited in ASP.NET apps
[2] Microsoft Deserialization risks in use of BinaryFormatter and related types
[3] Standards Mapping - Common Weakness Enumeration CWE ID 470, CWE ID 494
[4] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001764, CCI-001774, CCI-002754
[6] Standards Mapping - FIPS200 SI
[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[9] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[10] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[11] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-7 Least Functionality (P1), SI-10 Information Input Validation (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-7 Least Functionality, SI-10 Information Input Validation
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.2 Configuration Architectural Requirements (L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3), 12.3.3 File Execution Requirements (L1 L2 L3), 14.2.3 Dependency (L1 L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[16] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[17] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[18] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[19] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[20] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[21] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[22] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[23] Standards Mapping - OWASP Top 10 2021 A03 Injection
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation, Control Objective C.3.5 - Web Software Attack Mitigation
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[59] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.semantic.dotnet.dotnet_bad_practices_binaryformatter_enabled
Abstract
アプリケーションは非推奨かつ安全でない BinaryFormatter クラスを有効にします。
Explanation
.NET では、BinaryFormatter クラスを使用して、オブジェクトを、オブジェクト自体と、デシリアライズ中にオブジェクトを再構築するために必要なメタデータの両方を含むバイナリ ストリームに変換することができます。

BinaryFormatter クラスを使用すると、攻撃者が任意のコードを実行したり、アプリケーション ロジックを悪用したり、Denial of Service 状態をトリガーしたりする可能性のある、安全でないデシリアライゼーション シナリオを引き起こす可能性があります。

BinaryFormatter クラスの使用は危険であり、安全性を確保できないため、データ処理には推奨されません。

例 1: runtimeConfig.json ファイルで config プロパティ EnableUnsafeBinaryFormatterSerializationtrue に設定することによって、アプリケーションは安全でない BinaryFormatter クラスの使用を有効にします。

{
    "configProperties": {
        "System.Runtime.Serialization.EnableUnsafeBinaryFormatterSerialization": true
    }
}
References
[1] Microsoft BinaryFormatter serialization methods are obsolete and prohibited in ASP.NET apps
[2] Microsoft Deserialization risks in use of BinaryFormatter and related types
[3] Standards Mapping - Common Weakness Enumeration CWE ID 470, CWE ID 494
[4] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001764, CCI-001774, CCI-002754
[6] Standards Mapping - FIPS200 SI
[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[9] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[10] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[11] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-7 Least Functionality (P1), SI-10 Information Input Validation (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-7 Least Functionality, SI-10 Information Input Validation
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.2 Configuration Architectural Requirements (L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3), 12.3.3 File Execution Requirements (L1 L2 L3), 14.2.3 Dependency (L1 L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[16] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[17] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[18] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[19] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[20] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[21] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[22] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[23] Standards Mapping - OWASP Top 10 2021 A03 Injection
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation, Control Objective C.3.5 - Web Software Attack Mitigation
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[59] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.structural.json.dotnet_bad_practices_binaryformatter_enabled

.NET Bad Practices: Leftover Debug Code

Abstract
デバッグ コードは、展開時に意図しない結果を引き起こす可能性があります。
Explanation
デバッグのみを目的とした API が使用されます。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 489
[2] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[3] Standards Mapping - OWASP Application Security Verification Standard 4.0 14.2.2 Dependency (L1 L2 L3), 14.3.2 Unintended Security Disclosure Requirements (L1 L2 L3)
[4] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[5] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[18] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
desc.structural.dotnet.dotnet_bad_practices_leftover_debug_code

Access Specifier Manipulation

Abstract
このメソッドコールによってアクセス指定子が変わります。
Explanation
AccessibleObject API によって、プログラマは Java アクセス指定子によって行われる Access Control チェックを回避できます。特に、これによってプログラマは、反映されたオブジェクトが Java Access Control を迂回することでプライベートフィールドの値を変更するかまたはプライベートメソッドを呼び出せるようにすることができます。通常これらは許可されない挙動です。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 284
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-001310, CCI-002165
[3] Standards Mapping - FIPS200 AC
[4] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), CM-5 Access Restrictions for Change (P1), SC-3 Security Function Isolation (P1), SI-10 Information Input Validation (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, CM-5 Access Restrictions for Change, SC-3 Security Function Isolation, SI-10 Information Input Validation
[7] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization
[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.4.2 Access Control Architectural Requirements (L2 L3), 1.4.4 Access Control Architectural Requirements (L2 L3)
[9] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[10] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[11] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1, MASVS-CODE-4
[12] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[13] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[14] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[15] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[17] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation
[30] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 676
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001410 CAT II, APSC-DV-002360 CAT II, APSC-DV-002530 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001410 CAT II, APSC-DV-002360 CAT II, APSC-DV-002530 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001410 CAT II, APSC-DV-002360 CAT II, APSC-DV-002530 CAT II
[54] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[55] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.dataflow.java.access_specifier_manipulation
Abstract
このメソッド コールによってアクセス指定子が変更されるか、回避されます。
Explanation
send 関数とそのバリアントを使用すると、プログラマは関数の Ruby アクセス指定子を回避できます。特に、プライベートの保護されたフィールドおよび関数にアクセスできるようになります。通常これらは許可されない動作です。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 284
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-001310, CCI-002165
[3] Standards Mapping - FIPS200 AC
[4] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), CM-5 Access Restrictions for Change (P1), SC-3 Security Function Isolation (P1), SI-10 Information Input Validation (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, CM-5 Access Restrictions for Change, SC-3 Security Function Isolation, SI-10 Information Input Validation
[7] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization
[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.4.2 Access Control Architectural Requirements (L2 L3), 1.4.4 Access Control Architectural Requirements (L2 L3)
[9] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[10] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[11] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1, MASVS-CODE-4
[12] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[13] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[14] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[15] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[17] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation
[30] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 676
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001410 CAT II, APSC-DV-002360 CAT II, APSC-DV-002530 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001410 CAT II, APSC-DV-002360 CAT II, APSC-DV-002530 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001410 CAT II, APSC-DV-002360 CAT II, APSC-DV-002530 CAT II
[54] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[55] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.structural.ruby.access_specifier_manipulation

ADF Bad Practices: Default url-invoke-disallowed Setting

Abstract
暗黙のデフォルト url-invoke-disallowed 設定に依存すると、明確性に欠け、そのデフォルトが予期せず変更された場合、望ましくない動作が発生する可能性があります。
Explanation
デフォルトでは、Fusion アプリケーションのタスク フローは GET リクエストから直接アクセスできません。URL がタスク フローを呼び出そうとするたびに、HTTP 403 ステータス コードを受け取ります。しかし、暗黙的な設定に依存すると明確性に欠け、デフォルト設定が変更された場合、望ましくない動作が発生する可能性があります。

例 1: タスク フロー定義ファイルの次のスニペットは、暗黙のデフォルト url-invoke-disallowed 設定を使用して設定されたタスク フローの例を示します。


...
    <task-flow-definition id="password">
        <default-activity>PasswordPrompt</default-activity>
        <view id="PasswordPrompt">
            <page>/PasswordPrompt.jsff</page>
        </view>
        <use-page-fragments/>
    </task-flow-definition>
...
References
[1] Oracle(R) Fusion Middleware Fusion Developer's Guide for Oracle Application Development Framework, 15.6.4.How to Call a Bounded Task Flow Using a URL
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[3] Standards Mapping - FIPS200 CM
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), SC-3 Security Function Isolation (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, SC-3 Security Function Isolation
[6] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[7] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[8] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[9] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[10] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[11] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[12] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[28] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.config.java.adf_bad_practices_default_url_invoke_disallowed_setting

ADF Bad Practices: Missing URL Parameter Converter

Abstract
Oracle ADF Faces のブックマーク可能なビューに URL パラメーター コンバーターがありません。
Explanation
通常の JSF アプリケーションでは、UI コンポーネントで指定されたコンバーターとバリデーターを使用して、値が変換および検証されます。変換と検証自体は、ページが送信されたときに行われます。Fusion アプリケーションでブックマーク可能なビューを使用すると、ページが送信されないため、デフォルトでは同様の変換や検証は実行されません。

例 1: 次の設定ファイル スニペットは、paramName URL パラメーターの変換または検証を実行しないように設定された、ブックマーク可能なビューのサンプルを示しています。


...
    <bookmark>
        <method>#{paramHandler.handleParams}</method>
        <url-parameter>
            <name>paramName</name>
            <value>#{requestScope.paramName}</value>
        </url-parameter>
    </bookmark>
...
References
[1] Oracle(R) Fusion Middleware Fusion Developer's Guide for Oracle Application Development Framework, 15.2.3.Bookmarking View Activities
[2] Standards Mapping - Common Weakness Enumeration CWE ID 20
[3] Standards Mapping - Common Weakness Enumeration Top 25 2021 [4] CWE ID 020
[4] Standards Mapping - Common Weakness Enumeration Top 25 2022 [4] CWE ID 020
[5] Standards Mapping - Common Weakness Enumeration Top 25 2023 [6] CWE ID 020
[6] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements (L1 L2 L3), 5.1.4 Input Validation Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[13] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[15] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[17] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 2.2.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 2.2.6
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[26] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[49] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.config.java.adf_bad_practices_missing_url_parameter_converter

Android Bad Practices: Encryption Secret Held in Static Field

Abstract
アプリケーションは暗号鍵を静的クラス フィールドに保持し、攻撃者はこれを簡単に発見してしまいます。
Explanation
静的クラス フィールドに暗号鍵を保持すると、プロセス メモリ (ルート化されたデバイスなど) やプロセス メモリ ダンプ (クラッシュ ダンプなど) にアクセスできるエンティティによって簡単に発見されてしまいます。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 226
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001090, CCI-001199
[6] Standards Mapping - FIPS200 IA
[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), SC-4 Information in Shared Resources (P1), SC-28 Protection of Information at Rest (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, SC-4 Information in Shared System Resources, SC-28 Protection of Information at Rest
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.4 Sensitive Private Data (L1 L2 L3), 8.3.6 Sensitive Private Data (L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage
[12] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-2
[14] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[15] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[18] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.4, Requirement 6.5.8, Requirement 8.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.4, Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.4, Requirement 6.5.3, Requirement 8.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.4, Requirement 6.5.3, Requirement 8.2.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.4, Requirement 6.5.3, Requirement 8.2.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.4, Requirement 6.5.3, Requirement 8.2.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.4, Requirement 6.5.3, Requirement 8.2.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.5.1, Requirement 6.2.4, Requirement 8.3.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4, Requirement 8.3.1
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3230.2 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3230.2 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3230.2 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3230.2 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3230.2 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3230.2 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3230.2 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.structural.java.android_bad_practices_encryption_secret_held_in_static_field

Android Bad Practices: Leftover Debug Code

Abstract
デバッグ コードは、パフォーマンスに影響したり、機密データを攻撃者に漏洩する場合があります。
Explanation
一般的な開発方法では、アプリケーションで配布または実装されることのないデバッグまたはテスト用の「裏口」コードを追加します。 この種のデバッグコードが誤ってアプリケーションに残された場合、アプリケーションは意図しない相互作用に対して開放されていることになります。 これらの裏口エントリポイントは、設計やテスト中に想定されるアプリケーションの操作状況で考慮されていないため、セキュリティリスクを発生させることになります。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 489
[2] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[3] Standards Mapping - OWASP Application Security Verification Standard 4.0 14.2.2 Dependency (L1 L2 L3), 14.3.2 Unintended Security Disclosure Requirements (L1 L2 L3)
[4] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-RESILIENCE-4
[5] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[6] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[19] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
desc.structural.java.android_bad_practices_leftover_debug_code

Android Class Loading Hijacking

Abstract
信頼できないソースから、または信頼できない環境下でクラスをロードすると、アプリケーションが攻撃者に利用されて悪意のあるコマンドを実行する原因になることがあります。
Explanation
Android Class Loading Hijacking の脆弱性には、次の 2 つの形態があります。

- プログラムがクラスをロードするために検索するディレクトリの名前を攻撃者が変更可能である。攻撃者は、プログラムに自分が制御するディレクトリへのパスを参照させることで、クラスが検索されるパスを明示的に制御することになります。

- クラスがロードされる環境を攻撃者が変更可能である。攻撃者はパス名の意味を暗黙的に制御することになります。

この場合は 1 つ目の状況が最も懸念されます。攻撃者は、ロードするクラスが検索されるディレクトリを制御できる可能性があります。このタイプの Android Class Loading Hijacking の脆弱性が発生するのは、次の場合です。

1.信頼できないソースからアプリケーションにデータが入り込んだ場合。



2.データが、ロードするクラスが検索されるライブラリ ディレクトリを表す文字列 (またはその一部) として使用された場合。



3.アプリケーションがライブラリ パスのコードを実行することにより、本来付与されないはずの権限や能力を攻撃者に与えられた場合。

例 1: 次のコードでは、ユーザーが変更可能な userClassPath を使用して、ロードするクラスが検索されるディレクトリを決定します。


...
  productCategory = this.getIntent().getExtras().getString("userClassPath");
  DexClassLoader dexClassLoader = new DexClassLoader(productCategory, optimizedDexOutputPath.getAbsolutePath(), null, getClassLoader());
  ...


このコードでは、攻撃者は、制御している別のパスを参照するように userClassPath の結果を変更できるため、ライブラリをロードしてアプリケーションの任意のコードを昇格された権限で実行できます。このプログラムは環境から読み取った値の検証を行わないので、攻撃者は、userClassPath の値を制御できれば、元のアプリケーションと同じ権限を使用し、アプリケーションを操作して制御するディレクトリを参照させることで、自分が定義したクラスをロードできます。

例 2: 次のコードでは、ユーザーが変更可能な userOutput を使用して、Optimized DEX ファイルを書き込むディレクトリを決定します。


...
  productCategory = this.getIntent().getExtras().getString("userOutput");
  DexClassLoader dexClassLoader = new DexClassLoader(sanitizedPath, productCategory, null, getClassLoader());
...



このコードでは、攻撃者が Optimized DEX (ODEX) ファイルの出力ディレクトリを指定できます。その結果、悪意のあるユーザーが userOutput の値を、外部ストレージなど、攻撃者が制御するディレクトリに変更できます。これが実行された後は、出力される ODEX ファイルを悪意のある ODEX ファイルに置き換えるだけで、元のアプリケーションと同じ権限でこれを実行できるようになります。
References
[1] Android Class Loading Hijacking Symantec
[2] Standards Mapping - Common Weakness Enumeration CWE ID 114
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [3] CWE ID 020
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [3] CWE ID 020
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [4] CWE ID 020
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [4] CWE ID 020
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [6] CWE ID 020
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements (L1 L2 L3), 5.1.4 Input Validation Requirements (L1 L2 L3), 10.2.3 Malicious Code Search (L3)
[15] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[16] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[17] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[18] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[19] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[20] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[21] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[22] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[23] Standards Mapping - OWASP Top 10 2021 A03 Injection
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
desc.dataflow.java.android_class_loading_hijacking

Android Misconfiguration: Zip Entry Overwrite Protection Disabled

Abstract
Zip Entry Overwrite 保護が無効になっています。Zip Entry Overwrite 保護は、Zip ファイル エントリ名の検証を提供することで、Zip パス トラバーサル脆弱性から保護します。
Explanation
Zip パス トラバーサル脆弱性が発生するのは、悪意のある攻撃者が特定の Zip ファイル内の Zip ファイル エントリ名を指定できる場合です。Zip ファイル エントリ名が悪意を持って指定されると、攻撃者は対応する Zip ファイルが展開されたときに重要なシステム ファイルの内容を上書きできます。攻撃者は、..// などのパス トラバーサル イディオムを使用して、プログラム領域外にあるシステム ファイルにアクセスする可能性があります。Android 14 以降を対象とする Android アプリケーションは、Zip ファイルの抽出中に ..// などのイディオムが検出されると、デフォルトで例外を発生させることができます。このセキュリティ機能は、上書きしたり、完全に無効にしたりすることができます。

例 1: 次のコードは、Zip Entry Overwrite 保護を無効にします。


...
dalvik.system.ZipPathValidator.clearCallback();
...
References
[1] Zip Path Traversal
[2] Standards Mapping - Common Weakness Enumeration CWE ID 22, CWE ID 73
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [10] CWE ID 022
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [12] CWE ID 022
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [8] CWE ID 022
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [8] CWE ID 022
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [8] CWE ID 022
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [5] CWE ID 022, [12] CWE ID 020
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-002754
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), SI-10 Information Input Validation (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, SI-10 Information Input Validation
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.3.1 File Execution Requirements (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[16] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[17] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[18] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[19] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[20] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[21] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[22] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[23] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation
[36] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 426
[37] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 022
[38] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 022
[39] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[61] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[62] Standards Mapping - Web Application Security Consortium Version 2.00 Path Traversal (WASC-33)
[63] Standards Mapping - Web Application Security Consortium 24 + 2 Path Traversal
desc.semantic.java.android_misconfiguration_zip_entry_overwrite_protection_disabled

ASP.NET Bad Practices: Unvalidated Web API Model

Abstract
モデルを受け取る ASP.NET Web API アクション メソッドは、入力の未検証に起因する脆弱性を防ぐため、モデル検証の合否をチェックする必要があります。
Explanation
検証できない入力は、ASP.NET Web API サービスの主な脆弱性の 1 つです。Cross-Site Scripting、Process Control、Access Control や SQL Injection などのさまざまな脆弱性の原因は入力の未検証です。ASP.NET Web API サービスは通常、メモリ破壊攻撃には影響を受けませんが、ASP.NET Web API サービスが配列境界チェックを行わないネイティブ コードを呼び出す場合には、攻撃者が ASP.NET Web API サービスの入力脆弱性を利用して Buffer overflow 攻撃を仕掛ける可能性があります。

そのような攻撃を防止するためには、以下の手順を実行します。
1. ASP.NET Web API サービス アクションへのパラメーターまたはモデルバインド オブジェクト パラメーターのメンバーの検証チェックを、検証属性を使用してプログラム的にチェックする。
2. ModelState.IsValid を使用してモデル検証の合否をチェックする。
References
[1] Jon Galloway, Phil Haack, Brad Wilson, K. Scott Allen Professional ASP.NET MVC 4 Wrox Press
[2] Model Validation Microsoft ASP.NET Site
[3] Standards Mapping - Common Weakness Enumeration CWE ID 20
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [4] CWE ID 020
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [4] CWE ID 020
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [6] CWE ID 020
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[9] Standards Mapping - FIPS200 SI
[10] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements (L1 L2 L3), 5.1.4 Input Validation Requirements (L1 L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[15] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[16] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[29] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 020
[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[53] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.structural.dotnet.asp_dotnet_bad_practices_unvalidated_web_api_model

AWS Ansible Misconfiguration: Insecure EBS Storage

Abstract
このテンプレートは、暗号化なしの Amazon EBS ボリュームを定義します。
Explanation
デフォルトでは、EBS ボリュームは暗号化されません。
例 1: 次のテンプレートの例では、データが盗難や不正アクセスの危険にさらされます。


	Resources:
  	  EBSVOLExample:
    	Type: AWS::EC2::Volume
    	Properties:
      	  Encrypted: false
References
[1] Ansible project contributors amazon.aws.ec2_vol – Create and attach a volume, return volume id and device map
[2] Amazon Web Services Amazon EBS Encryption
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark Recommendation 2.2.1
[4] Standards Mapping - Common Weakness Enumeration CWE ID 311
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[6] Standards Mapping - FIPS200 MP
[7] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-28 Protection of Information at Rest (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-28 Protection of Information at Rest
[10] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 6.1.1 Data Classification (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[12] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[13] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[14] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[15] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[17] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[18] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[28] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[29] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[53] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.structural.yaml.aws_cloudformation_misconfiguration_insecure_ebs_storage.base

AWS Ansible Misconfiguration: Insecure RDS Storage

Abstract
このテンプレートは、暗号化なしの Amazon RDS インスタンスを定義します。
Explanation
デフォルトでは、Amazon RDS インスタンスは暗号化されません。そのため、データが盗難や不正アクセスの危険にさらされます。
References
[1] Ansible project contributors community.aws.rds_instance – Manage RDS instances
[2] Amazon Web Services Encrypting Amazon RDS resources
[3] Amazon Web Services Security in Amazon RDS
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark Recommendation 2.3.1
[5] Standards Mapping - Common Weakness Enumeration CWE ID 311
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002475
[7] Standards Mapping - FIPS200 MP
[8] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest
[11] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[13] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[14] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[15] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[18] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design
[29] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[30] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002340 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002340 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002340 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002340 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002340 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002340 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002340 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002340 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002340 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002340 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002340 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002340 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002340 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002340 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002340 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002340 CAT II
[54] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.structural.yaml.aws_cloudformation_misconfiguration_insecure_rds_storage.base

AWS Ansible Misconfiguration: Insecure Redshift Storage

Abstract
このテンプレートは、暗号化なしの Amazon Redshift クラスターを定義します。
Explanation
デフォルトでは、Amazon Redshift クラスターは暗号化されません。そのため、データが不正アクセスや盗難の危険にさらされます。
References
[1] Ansible project contributors community.aws.redshift – create, delete, or modify an Amazon Redshift instance
[2] Amazon Web Services Amazon Redshift database encryption
[3] Standards Mapping - Common Weakness Enumeration CWE ID 311
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002475
[5] Standards Mapping - FIPS200 MP
[6] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest
[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[11] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[12] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[13] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[14] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[15] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[16] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[17] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design
[27] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[28] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002340 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002340 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002340 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002340 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002340 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002340 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002340 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002340 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002340 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002340 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002340 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002340 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002340 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002340 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002340 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002340 CAT II
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.structural.yaml.aws_ansible_misconfiguration_insecure_redshift_storage.base

AWS Ansible Misconfiguration: Insecure S3 Bucket Storage

Abstract
Amazon S3 バケットは、保存時に暗号化を有効にせずに作成されます。
Explanation
Amazon S3 バケットは、サーバー側の暗号化なしで作成されます。暗号化は、適切な資格情報を持たない人がデータを読み取れないようにすることで、データ侵害を軽減します。保管時の暗号化は、GDPR、HIPAA、PCI など、一部の業界および政府のコンプライアンス要件を満たすのに役立ちます。
References
[1] GDPR Article 32 European Parliament and Council of the European Union
[2] Manage S3 buckets in AWS Ansible project contributors
[3] Amazon Simple Storage Service User Guide Amazon Web Services, Inc.
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark Recommendation 2.1.1
[5] Standards Mapping - Common Weakness Enumeration CWE ID 311
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[7] Standards Mapping - FIPS200 MP
[8] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-28 Protection of Information at Rest (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-28 Protection of Information at Rest
[11] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[13] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[14] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[15] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[18] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[30] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[31] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13), Application Misconfiguration (WASC-15)
desc.structural.yaml.aws_cloudformation_misconfiguration_insecure_s3_bucket_storage.base

AWS CloudFormation Misconfiguration: Improper API Gateway Access Control

Abstract
このテンプレートは、パブリック アクセス可能な AWS API Gateway メソッドを定義します。
Explanation
パブリック アクセス可能な AWS API Gateway メソッドは、組織を攻撃にさらす可能性があります。

例 1: 次のテンプレートの例は、パブリック アクセス可能な AWS API Gateway メソッドを定義します。


{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "MyMethod0": {
            "Type": "AWS::ApiGateway::Method",
            "Properties": {
                "RestApiId": "MyAPIID",
                "ResourceId": "MyResourceID",
                "HttpMethod": "GET",
                "AuthorizationType": "NONE"
            }
        },
        "MyMethod1": {
            "Type": "AWS::ApiGateway::Method",
            "Properties": {
                "RestApiId": "MyAPIID",
                "ResourceId": "MyResourceID",
                "HttpMethod": "POST",
                "AuthorizationType": "NONE",
                "ApiKeyRequired": false
            }
        }
    }
}
References
[1] Amazon Web Services Control access to an API with IAM permissions
[2] Amazon Web Services Security best practices in Amazon API Gateway
[3] Amazon Web Services AWS Documentation: AWS::ApiGateway::Method
[4] Standards Mapping - Common Weakness Enumeration CWE ID 749
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [18] CWE ID 522
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862
[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [16] CWE ID 862
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[9] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), AC-6 Least Privilege (P1), SC-3 Security Function Isolation (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, AC-6 Least Privilege, SC-3 Security Function Isolation
[12] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3)
[14] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[15] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[16] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[18] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[19] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[32] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285
[33] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 863
[34] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[58] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[59] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.structural.json.aws_cloudformation_misconfiguration_improper_api_gateway_access_control.base
Abstract
このテンプレートは、パブリック アクセス可能な AWS API Gateway メソッドを定義します。
Explanation
パブリック アクセス可能な AWS API Gateway メソッドは、組織を攻撃にさらす可能性があります。

例 1: 次のテンプレートの例は、パブリック アクセス可能な AWS API Gateway メソッドを定義します。


AWSTemplateFormatVersion: "2010-09-09"
Description: "Example"
Resources:
  TestMethod:
    Type: "AWS::ApiGateway::Method"
    Properties:
      RestApiId: !Ref restAPIRes
      ResourceId: !GetAtt
      - restAPIRes
      - RootResourceId
      HttpMethod: GET
      AuthorizationType: NONE
References
[1] Amazon Web Services Control access to an API with IAM permissions
[2] Amazon Web Services Security best practices in Amazon API Gateway
[3] Amazon Web Services AWS Documentation: AWS::ApiGateway::Method
[4] Standards Mapping - Common Weakness Enumeration CWE ID 749
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [18] CWE ID 522
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862
[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [16] CWE ID 862
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[9] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), AC-6 Least Privilege (P1), SC-3 Security Function Isolation (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, AC-6 Least Privilege, SC-3 Security Function Isolation
[12] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3)
[14] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[15] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[16] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[18] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[19] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[32] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285
[33] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 863
[34] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[58] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[59] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.structural.yaml.aws_cloudformation_misconfiguration_improper_api_gateway_access_control.base

AWS CloudFormation Misconfiguration: Improper Lambda Access Control Policy

Abstract
このテンプレートは、ワイルドカード Lambda プリンシパルを定義します。
Explanation
Lambda プリンシパルのワイルドカード設定は、最小特権の原則に違反し、攻撃者が任意のアカウントから Lambda を呼び出すことを可能にします。

例 1: 次のテンプレートの例では、ワイルドカード Lambda プリンシパルを定義しています。

{
    "Resources": {
        "LambdaPerm": {
            "Type": "AWS::Lambda::Permission",
            "Properties": {
            "SourceAccount": "AWS::AccountId",
            "SourceArn": "bucket.Arn",
            "FunctionName": "function.Arn",
            "Action": "lambda:InvokeFunction",
            "Principal": "*"
            }
        }
    },
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Lambda Permission"
}
References
[1] Amazon Web Services Security in AWS Lambda
[2] Amazon Web Services AWS Documentation: AWS::Lambda::Permission
[3] Standards Mapping - Common Weakness Enumeration CWE ID 749
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [18] CWE ID 522
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [16] CWE ID 862
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[8] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), AC-6 Least Privilege (P1), SC-3 Security Function Isolation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, AC-6 Least Privilege, SC-3 Security Function Isolation
[11] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3)
[13] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[14] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[15] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[16] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[18] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[31] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285
[32] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 863
[33] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[58] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.structural.json.aws_cloudformation_misconfiguration_improper_lambda_access_control_policy.base
Abstract
このテンプレートは、ワイルドカード Lambda プリンシパルを定義します。
Explanation
Lambda プリンシパルのワイルドカード設定は、最小特権の原則に違反し、攻撃者が任意のアカウントから Lambda を呼び出すことを可能にします。

例 1: 次のテンプレートの例では、ワイルドカード Lambda プリンシパルを定義しています。


AWSTemplateFormatVersion: "2010-09-09"
Description: Lambda Permission
Resources:
  LambdaPerm:
  Type: AWS::Lambda::Permission
  Properties:
    FunctionName: !GetAtt function.Arn
    Action: lambda:InvokeFunction
    Principal: "*"
    SourceAccount: !Ref "AWS::AccountId"
    SourceArn: !GetAtt bucket.Arn
References
[1] Amazon Web Services Security in AWS Lambda
[2] Amazon Web Services AWS Documentation: AWS::Lambda::Permission
[3] Standards Mapping - Common Weakness Enumeration CWE ID 749
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [18] CWE ID 522
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [16] CWE ID 862
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[8] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), AC-6 Least Privilege (P1), SC-3 Security Function Isolation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, AC-6 Least Privilege, SC-3 Security Function Isolation
[11] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3)
[13] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[14] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[15] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[16] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[18] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[31] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285
[32] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 863
[33] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[58] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.structural.yaml.aws_cloudformation_misconfiguration_improper_lambda_access_control_policy.base

AWS CloudFormation Misconfiguration: Insecure DocumentDB Storage

Abstract
このテンプレートは、暗号化なしの Amazon DocumentDB インスタンスを定義します。
Explanation
デフォルトでは、Amazon DocumentDB インスタンスは暗号化されません。そのため、データが不正アクセスや盗難の危険にさらされます。

例 1: 次の例は、暗号化が無効になっている Amazon DocumentDB を定義するテンプレートを示しています。

"Resources": {
    "DocDBDefault": {
        "Type": "AWS::DocDB::DBCluster",
        "Properties": {
            "MasterUsername": "name",
            "MasterUserPassword": "password"
        }
    }
References
[1] Amazon Web Servcies Encrypting Amazon DocumentDB Data at Rest
[2] Standards Mapping - Common Weakness Enumeration CWE ID 311
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002475
[4] Standards Mapping - FIPS200 MP
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[10] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[11] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[12] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[13] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[14] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[16] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design
[26] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[27] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002340 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002340 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002340 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002340 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002340 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002340 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002340 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002340 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002340 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002340 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002340 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002340 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002340 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002340 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002340 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002340 CAT II
[51] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.structural.json.aws_cloudformation_misconfiguration_insecure_documentdb_storage.base
Abstract
このテンプレートは、暗号化なしの Amazon DocumentDB インスタンスを定義します。
Explanation
デフォルトでは、Amazon DocumentDB インスタンスは暗号化されません。そのため、データが不正アクセスや盗難の危険にさらされます。

例 1: 次の例は、暗号化が無効になっている Amazon DocumentDB を定義するテンプレートを示しています。

Resources:
  DocDBDInst:
    Type: AWS::DocDB::DBCluster
    Properties:
      MasterUsername: myUser
      MasterUserPassword: password
References
[1] Amazon Web Servcies Encrypting Amazon DocumentDB Data at Rest
[2] Standards Mapping - Common Weakness Enumeration CWE ID 311
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002475
[4] Standards Mapping - FIPS200 MP
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[10] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[11] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[12] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[13] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[14] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[16] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design
[26] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[27] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002340 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002340 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002340 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002340 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002340 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002340 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002340 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002340 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002340 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002340 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002340 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002340 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002340 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002340 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002340 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002340 CAT II
[51] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.structural.yaml.aws_cloudformation_misconfiguration_insecure_documentdb_storage.base

AWS CloudFormation Misconfiguration: Insecure EBS Storage

Abstract
このテンプレートは、暗号化なしの Amazon EBS ボリュームを定義します。
Explanation
デフォルトでは、EBS ボリュームは暗号化されません。
例 1: 次のテンプレートの例では、データが盗難や不正アクセスの危険にさらされます。


"Resources": {
    "EBSVOLExample": {
        "Type": "AWS::EC2::Volume",
        "Properties": {
            "Encrypted": false,
        }
    }
}
References
[1] Amazon Web Services Amazon EBS Encryption
[2] Standards Mapping - CIS Amazon Web Services Foundations Benchmark Recommendation 2.2.1
[3] Standards Mapping - Common Weakness Enumeration CWE ID 311
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[5] Standards Mapping - FIPS200 MP
[6] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-28 Protection of Information at Rest (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-28 Protection of Information at Rest
[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 6.1.1 Data Classification (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[11] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[12] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[13] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[14] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[15] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[16] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[17] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[27] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[28] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.structural.json.aws_cloudformation_misconfiguration_insecure_ebs_storage.base
Abstract
このテンプレートは、暗号化なしの Amazon EBS ボリュームを定義します。
Explanation
デフォルトでは、EBS ボリュームは暗号化されません。
例 1: 次のテンプレートの例では、データが盗難や不正アクセスの危険にさらされます。


	Resources:
  	  EBSVOLExample:
    	Type: AWS::EC2::Volume
    	Properties:
      	  Encrypted: false
References
[1] Ansible project contributors amazon.aws.ec2_vol – Create and attach a volume, return volume id and device map
[2] Amazon Web Services Amazon EBS Encryption
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark Recommendation 2.2.1
[4] Standards Mapping - Common Weakness Enumeration CWE ID 311
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[6] Standards Mapping - FIPS200 MP
[7] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-28 Protection of Information at Rest (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-28 Protection of Information at Rest
[10] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 6.1.1 Data Classification (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[12] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[13] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[14] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[15] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[17] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[18] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[28] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[29] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[53] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.structural.yaml.aws_cloudformation_misconfiguration_insecure_ebs_storage.base

AWS CloudFormation Misconfiguration: Insecure ElastiCache Storage

Abstract
このテンプレートは、暗号化なしの Amazon ElastiCache レプリケーション グループを定義します。
Explanation
デフォルトでは、Amazon ElastiCache レプリケーション グループは暗号化されません。そのため、データが不正アクセスや盗難の危険にさらされます。

例 1: 次のテンプレートの例は、暗号化が無効になっている Amazon ElastiCache レプリケーション グループを定義しています。

{
    "Description": "ElastiCache redis",
    "Resources": {
        "MyReplicationGroup": {
            "Type": "AWS::ElastiCache::ReplicationGroup",
            "Properties": {
                "AutomaticFailoverEnabled": true,
                "CacheNodeType": {
                    "Ref": "CacheNodeType"
                },
                Cache  "ParameterGroupName": {
                    "Ref": "CacheParameterGroup"
                },
                "CacheSubnetGroupName": {
                    "Ref": "CacheSubnetGroupName"
                },
                "Engine": "redis",
                "EngineVersion": {
                    "Ref": "EngineVersion"
                },
                "NumNodeGroups": {
                    "Ref": "NumShards"
                },
                "ReplicasPerNodeGroup": {
                    "Ref": "NumReplicas"
                },
                "PreferredMaintenanceWindow": "sat:10:00-sat:08:00",
                "SecurityGroupIds": [
                    {
                        "Ref": "SecurityGroup"
                    }
                ],
                "SnapshotRetentionLimit": {
                    "Ref": "SnapshotRetentionLimit"
                },
                "SnapshotWindow": "00:00-03:00"
            },
            "UpdatePolicy": {
                "UseOnlineResharding": true
            }
        }
    }
}
References
[1] Amazon Web Servcies At-Rest Encryption in ElastiCache for Redis
[2] Standards Mapping - Common Weakness Enumeration CWE ID 311
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002475
[4] Standards Mapping - FIPS200 MP
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[10] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[11] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[12] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[13] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[14] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[16] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design
[26] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[27] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002340 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002340 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002340 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002340 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002340 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002340 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002340 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002340 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002340 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002340 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002340 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002340 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002340 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002340 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002340 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002340 CAT II
[51] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.structural.json.aws_cloudformation_misconfiguration_insecure_elasticache_storage.base
Abstract
このテンプレートは、暗号化なしの Amazon ElastiCache レプリケーション グループを定義します。
Explanation
デフォルトでは、Amazon ElastiCache レプリケーション グループは暗号化されません。そのため、データが不正アクセスや盗難の危険にさらされます。

例 1: 次のテンプレートの例は、暗号化が無効になっている Amazon ElastiCache レプリケーション グループを定義しています。

Description: 'ElastiCache redis'
Resources:
  MyReplicationGroup:
    Type: AWS::ElastiCache::ReplicationGroup
    Properties:
      AutomaticFailoverEnabled: true
      CacheNodeType: !Ref CacheNodeType
      CacheParameterGroupName: !Ref CacheParameterGroup
      CacheSubnetGroupName: !Ref CacheSubnetGroupName
      Engine: redis
      EngineVersion: !Ref EngineVersion
      NumNodeGroups: !Ref NumShards
      ReplicasPerNodeGroup: !Ref NumReplicas
      PreferredMaintenanceWindow: 'sat:10:00-sat:08:00'
      SecurityGroupIds:
        - !Ref SecurityGroup
      SnapshotRetentionLimit: !Ref SnapshotRetentionLimit
      SnapshotWindow: '00:00-03:00'
    UpdatePolicy:
      UseOnlineResharding: true
References
[1] Amazon Web Servcies At-Rest Encryption in ElastiCache for Redis
[2] Standards Mapping - Common Weakness Enumeration CWE ID 311
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002475
[4] Standards Mapping - FIPS200 MP
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[10] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[11] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[12] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[13] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[14] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[16] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design
[26] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[27] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002340 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002340 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002340 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002340 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002340 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002340 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002340 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002340 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002340 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002340 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002340 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002340 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002340 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002340 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002340 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002340 CAT II
[51] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.structural.yaml.aws_cloudformation_misconfiguration_insecure_elasticache_storage.base

AWS CloudFormation Misconfiguration: Insecure MemoryDB Transport

Abstract
サービスは、転送中に堅牢な暗号化を強制しません。
Explanation
データ通信チャネルの保護が不十分な場合、重要な組織データが盗難、改ざん、または開示の危険にさらされる可能性があります。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 319
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-001453, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123
[3] Standards Mapping - FIPS200 SC
[4] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), MA-4 Nonlocal Maintenance (P2), SC-8 Transmission Confidentiality and Integrity (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, MA-4 Nonlocal Maintenance, SC-8 Transmission Confidentiality and Integrity
[7] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.9.1 Communications Architectural Requirements (L2 L3), 2.2.5 General Authenticator Requirements (L3), 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.3.1 Sensitive Private Data (L1 L2 L3), 8.1.6 General Data Protection (L3), 9.1.1 Communications Security Requirements (L1 L2 L3), 9.2.2 Server Communications Security Requirements (L2 L3), 14.4.5 HTTP Security Headers Requirements (L1 L2 L3)
[9] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[10] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[11] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications
[12] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection
[13] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[14] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.4.1 - Web Software Communications
[28] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 319
[29] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[30] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260.1 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[54] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
[55] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.structural.iac.misconfiguration_insecure_transport.base