Resolve #2130 by merging secret mgt reqs
tghosth authored and elarlang committed Oct 27, 2024
1 parent c602b01 commit 8cccc80
Showing 2 changed files with 2 additions and 2 deletions.
2 changes: 1 addition & 1 deletion 5.0/en/0x11-V2-Authentication.md
Expand Up @@ -187,7 +187,7 @@ Secrets can be securely stored by using services offered by the framework, the o
| **2.10.1** | [MODIFIED, MERGED FROM 1.2.2] Verify that communications between back-end application components which don't support the application's standard user session mechanism, including APIs, middleware and data layers, are authenticated. Authentication should use individual service accounts, short-term tokens or certificate based authentication and not unchanging credentials such as passwords, API keys or shared accounts with privileged access. | ||| 287 | |
| **2.10.2** | [GRAMMAR] Verify that if a credential has to be used for service authentication, the credential being used by the consumer is not a default credential (e.g. root/root or admin/admin are default in some services during installation). | ||| 255 | |
| **2.10.3** | [DELETED, DUPLICATE OF 2.10.4] | | | | | |
| **2.10.4** | [GRAMMAR] Verify passwords, integrations with databases and third-party systems, seeds and internal secrets, and API keys are managed securely and not included in the source code or stored within source code repositories. Such storage should resist offline attacks. The use of a secure software key store (L1), hardware TPM, or an HSM (L3) is recommended for password storage. | | || 798 | |
| **2.10.4** | [DELETED, MERGED TO 6.4.1] | | | | | |

## Additional US Agency Requirements

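Review bot: the 2.10.3 row still reads "[DELETED, DUPLICATE OF 2.10.4]", but this hunk deletes 2.10.4 as well ("[DELETED, MERGED TO 2.10.4 → 6.4.1]" is the effective chain), so a reader following 2.10.3's pointer lands on a deleted row. Suggest updating the 2.10.3 annotation in the same commit, e.g. "[DELETED, DUPLICATE OF 2.10.4 WHICH WAS MERGED TO 6.4.1]" or simply "[DELETED, MERGED TO 6.4.1]", so the cross-reference resolves to the surviving requirement.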
2 changes: 1 addition & 1 deletion 5.0/en/0x14-V6-Cryptography.md
Expand Up @@ -51,7 +51,7 @@ Although this section is not easily penetration tested, developers should consid

| # | Description | L1 | L2 | L3 | CWE |
| :---: | :--- | :---: | :---: | :---: | :---: |
| **6.4.1** | [MODIFIED] Verify that a secrets management solution such as a key vault is used to securely create, store, control access to and destroy back-end secrets such as service account or 3rd party application credentials. | ||| 798 |
| **6.4.1** | [MODIFIED, MERGED FROM 2.10.4] Verify that a secrets management solution such as a key vault is used to securely create, store, control access to, and destroy back-end secrets, such as passwords, integrations with databases and third-party systems, seeds and internal secrets, and API keys. Secrets must not be included in source code or be received as CI/CD variables. For a L3 application, this should involved a hardware-backed solution such as an HSM. | ||| 798 |
| **6.4.2** | [MODIFIED] Verify that key material is not exposed to the application (neither the front-end nor the back-end) but instead uses an isolated security module like a vault for cryptographic operations. | ||| 320 |

## References
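Review bot: the new 6.4.1 text has a grammar error in its last sentence, "this should involved a hardware-backed solution" should read "this should involve a hardware-backed solution", and "For a L3 application" should be "For an L3 application". Separately, the merged wording drops two clauses that were present in the old 2.10.4 row: "stored within source code repositories" and "Such storage should resist offline attacks". The first is only partly covered by "not be included in source code" (a secret committed to a repository's history or a config file in the repo is not "in source code" in a narrow reading), so consider keeping "or stored within source code repositories" alongside the new "or be received as CI/CD variables" clause.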