From 8cccc8069f2cc32c4abcba4792500f65ff4da20f Mon Sep 17 00:00:00 2001 From: Josh Grossman Date: Sun, 27 Oct 2024 18:34:29 +0200 Subject: [PATCH] Resolve #2130 by merging secret mgt reqs --- 5.0/en/0x11-V2-Authentication.md | 2 +- 5.0/en/0x14-V6-Cryptography.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/5.0/en/0x11-V2-Authentication.md b/5.0/en/0x11-V2-Authentication.md index 23d034fb3b..fc08f61ee7 100644 --- a/5.0/en/0x11-V2-Authentication.md +++ b/5.0/en/0x11-V2-Authentication.md @@ -187,7 +187,7 @@ Secrets can be securely stored by using services offered by the framework, the o | **2.10.1** | [MODIFIED, MERGED FROM 1.2.2] Verify that communications between back-end application components which don't support the application's standard user session mechanism, including APIs, middleware and data layers, are authenticated. Authentication should use individual service accounts, short-term tokens or certificate based authentication and not unchanging credentials such as passwords, API keys or shared accounts with privileged access. | | ✓ | ✓ | 287 | | | **2.10.2** | [GRAMMAR] Verify that if a credential has to be used for service authentication, the credential being used by the consumer is not a default credential (e.g. root/root or admin/admin are default in some services during installation). | | ✓ | ✓ | 255 | | | **2.10.3** | [DELETED, DUPLICATE OF 2.10.4] | | | | | | -| **2.10.4** | [GRAMMAR] Verify passwords, integrations with databases and third-party systems, seeds and internal secrets, and API keys are managed securely and not included in the source code or stored within source code repositories. Such storage should resist offline attacks. The use of a secure software key store (L1), hardware TPM, or an HSM (L3) is recommended for password storage. | | ✓ | ✓ | 798 | | +| **2.10.4** | [DELETED, MERGED TO 6.4.1] | | | | | | ## Additional US Agency Requirements 
diff --git a/5.0/en/0x14-V6-Cryptography.md b/5.0/en/0x14-V6-Cryptography.md index 24d9d791a9..aed7a69d89 100644 --- a/5.0/en/0x14-V6-Cryptography.md +++ b/5.0/en/0x14-V6-Cryptography.md @@ -51,7 +51,7 @@ Although this section is not easily penetration tested, developers should consid | # | Description | L1 | L2 | L3 | CWE | | :---: | :--- | :---: | :---: | :---: | :---: | -| **6.4.1** | [MODIFIED] Verify that a secrets management solution such as a key vault is used to securely create, store, control access to and destroy back-end secrets such as service account or 3rd party application credentials. | | ✓ | ✓ | 798 | +| **6.4.1** | [MODIFIED, MERGED FROM 2.10.4] Verify that a secrets management solution such as a key vault is used to securely create, store, control access to, and destroy back-end secrets, such as passwords, integrations with databases and third-party systems, seeds and internal secrets, and API keys. Secrets must not be included in source code or be received as CI/CD variables. For a L3 application, this should involved a hardware-backed solution such as an HSM. | | ✓ | ✓ | 798 | | **6.4.2** | [MODIFIED] Verify that key material is not exposed to the application (neither the front-end nor the back-end) but instead uses an isolated security module like a vault for cryptographic operations. | | ✓ | ✓ | 320 | ## References
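Review bot: in the 0x11-V2-Authentication.md hunk, the unchanged context row for 2.10.3 still reads "[DELETED, DUPLICATE OF 2.10.4]", but the same hunk deletes 2.10.4, so that pointer now leads to a removed requirement; consider changing it to "[DELETED, DUPLICATE OF 6.4.1]" (or "[DELETED, MERGED TO 6.4.1]") so a reader is sent to where the content now lives. The removed 2.10.4 text also required that such storage "resist offline attacks" and recommended "a secure software key store (L1)"; neither phrase is carried into the new 6.4.1 wording, so either restore them there or note the deliberate drop in the tag.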
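Review bot: typo in the new 6.4.1 row of the 0x14-V6-Cryptography.md hunk: "this should involved a hardware-backed solution" should read "this should involve a hardware-backed solution", and "a L3 application" should be "an L3 application". Separately, "Secrets must not be included in source code or be received as CI/CD variables" adds a prohibition that appears in neither the deleted 2.10.4 nor the previous 6.4.1, so the change goes beyond a merge; the tag "[MODIFIED, MERGED FROM 2.10.4]" does not convey that, and a short rationale for ruling out CI/CD variables as a delivery path would help reviewers. Note also that the L1 column stays empty, so the requirement applies only at L2 and above.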