界: Security Features

软件安全不是安全软件。此处我们关注的主题包括身份验证、Access Control、机密性、加密和权限管理。

AWS CloudFormation Misconfiguration: Weak SecretsManager Generated Password

JSON

Abstract

配置允许使用弱密码。

Explanation

身份验证是安全性的一个重要方面。身份验证过程的可靠性取决于登录凭据的安全性和强度。确保用户创建强密码的密码策略对于部署安全网站至关重要。密码强度可衡量密码在抵抗猜测和暴力攻击方面的有效性。有助于定义密码强度的部分参数包括密码特征，例如密码长度、复杂性和随机性。

References

[1] National Institute of Standards and Technology (NIST) NIST Special Publication 800-63B: Digital Identity Guidelines

[2] Open Web Application Security Project (OWASP) Authentication Cheat Sheet

[3] Standards Mapping - Common Weakness Enumeration CWE ID 521

[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287

[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287

[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287

[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287

[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287

[9] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287

[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000192, CCI-000193, CCI-000194, CCI-000205, CCI-000366, CCI-001619, CCI-002041

[11] Standards Mapping - FIPS200 IA

[12] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-6 Configuration Settings (P1), IA-5 Authenticator Management (P1)

[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-6 Configuration Settings, IA-5 Authenticator Management

[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.1.1 Password Security Requirements (L1 L2 L3), 2.1.2 Password Security Requirements (L1 L2 L3), 2.1.3 Password Security Requirements (L1 L2 L3), 2.1.4 Password Security Requirements (L1 L2 L3), 2.1.7 Password Security Requirements (L1 L2 L3), 2.1.8 Password Security Requirements (L1 L2 L3), 2.1.9 Password Security Requirements (L1 L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.1 Service Authentication Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)

[16] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication

[17] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization

[18] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management

[19] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management

[20] Standards Mapping - OWASP Top 10 2010 A3 Broken Authentication and Session Management

[21] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management

[22] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication

[23] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 8.5.10, Requirement 8.5.11

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 8.5.10, Requirement 8.5.11

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 8.5.10, Requirement 8.5.11

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 8.2.3

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 8.2.3

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 8.2.3

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 8.2.3

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 8.3.6

[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 8.3.6

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control

[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control

[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.1 - Web Software Access Controls, Control Objective C.2.1.2 - Web Software Access Controls

[36] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 307

[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3320.1 CAT II, APP3320.2 CAT II, APP3320.4 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3320.1 CAT II, APP3320.2 CAT II, APP3320.4 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3320.1 CAT II, APP3320.2 CAT II, APP3320.4 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3320.1 CAT II, APP3320.2 CAT II, APP3320.4 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3320.1 CAT II, APP3320.2 CAT II, APP3320.4 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3320.1 CAT II, APP3320.2 CAT II, APP3320.4 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3320.1 CAT II, APP3320.2 CAT II, APP3320.4 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001680 CAT I, APSC-DV-001690 CAT II, APSC-DV-001700 CAT II, APSC-DV-001710 CAT II, APSC-DV-001720 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001680 CAT I, APSC-DV-001690 CAT II, APSC-DV-001700 CAT II, APSC-DV-001710 CAT II, APSC-DV-001720 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001680 CAT I, APSC-DV-001690 CAT II, APSC-DV-001700 CAT II, APSC-DV-001710 CAT II, APSC-DV-001720 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001680 CAT I, APSC-DV-001690 CAT II, APSC-DV-001700 CAT II, APSC-DV-001710 CAT II, APSC-DV-001720 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001680 CAT I, APSC-DV-001690 CAT II, APSC-DV-001700 CAT II, APSC-DV-001710 CAT II, APSC-DV-001720 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001680 CAT I, APSC-DV-001690 CAT II, APSC-DV-001700 CAT II, APSC-DV-001710 CAT II, APSC-DV-001720 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001680 CAT I, APSC-DV-001690 CAT II, APSC-DV-001700 CAT II, APSC-DV-001710 CAT II, APSC-DV-001720 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001680 CAT I, APSC-DV-001690 CAT II, APSC-DV-001700 CAT II, APSC-DV-001710 CAT II, APSC-DV-001720 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001680 CAT I, APSC-DV-001690 CAT II, APSC-DV-001700 CAT II, APSC-DV-001710 CAT II, APSC-DV-001720 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001680 CAT I, APSC-DV-001690 CAT II, APSC-DV-001700 CAT II, APSC-DV-001710 CAT II, APSC-DV-001720 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001680 CAT I, APSC-DV-001690 CAT II, APSC-DV-001700 CAT II, APSC-DV-001710 CAT II, APSC-DV-001720 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001680 CAT I, APSC-DV-001690 CAT II, APSC-DV-001700 CAT II, APSC-DV-001710 CAT II, APSC-DV-001720 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001680 CAT I, APSC-DV-001690 CAT II, APSC-DV-001700 CAT II, APSC-DV-001710 CAT II, APSC-DV-001720 CAT II

[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001680 CAT I, APSC-DV-001690 CAT II, APSC-DV-001700 CAT II, APSC-DV-001710 CAT II, APSC-DV-001720 CAT II, APSC-DV-001760 CAT II, APSC-DV-001770 CAT II, APSC-DV-001780 CAT II, APSC-DV-001790 CAT II

[58] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001680 CAT I, APSC-DV-001690 CAT II, APSC-DV-001700 CAT II, APSC-DV-001710 CAT II, APSC-DV-001720 CAT II, APSC-DV-001760 CAT II, APSC-DV-001770 CAT II, APSC-DV-001780 CAT II, APSC-DV-001790 CAT II

[59] Standards Mapping - Web Application Security Consortium Version 2.00 Brute Force (WASC-11)

[60] Standards Mapping - Web Application Security Consortium 24 + 2 Brute Force

desc.structural.iac.misconfiguration_weak_password_policy.base