[{"model": "dojo.benchmark_requirement", "pk": 1, "fields": {"category": 1, "objective_number": "7.2", "objective": "Verify that all cryptographic modules fail securely, and errors are handled in a way that does not enable Padding Oracle.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-03T20:15:18.704Z", "updated": "2018-04-03T20:15:18.704Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 2, "fields": {"category": 1, "objective_number": "7.6", "objective": "Verify that all random numbers, random file names, random GUIDs, and random strings are generated using the cryptographic module\u2019s approved random number generator when these random values are intended to be not guessable by an attacker.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-04T16:18:25.062Z", "updated": "2018-04-04T16:18:25.062Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 3, "fields": {"category": 1, "objective_number": "7.7", "objective": "Verify that cryptographic algorithms used by the application have been validated against FIPS 140-2 or an equivalent standard.", "references": "", "level_1": true, "level_2": false, "level_3": false, "enabled": true, "created": "2018-04-04T20:33:28.144Z", "updated": "2018-04-04T20:33:28.144Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 4, "fields": {"category": 2, "objective_number": "2.1", "objective": "Verify all pages and resources are protected by server-side authentication, except those specifically intended to be public.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-09T20:45:11.236Z", "updated": "2018-04-09T20:45:11.236Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 5, "fields": {"category": 3, 
"objective_number": "1.1", "objective": "All app components are identified and known to be needed.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T17:28:55.814Z", "updated": "2018-04-10T17:28:55.814Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 6, "fields": {"category": 3, "objective_number": "1.2", "objective": "Security controls are never enforced only on the client side, but on the respective remote endpoints.", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T17:30:00.194Z", "updated": "2018-04-10T17:30:00.194Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 7, "fields": {"category": 3, "objective_number": "1.3", "objective": "A high-level architecture for the application and all connected remote services has been defined and security has been addressed in that architecture.", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T17:30:17.885Z", "updated": "2018-04-10T17:30:17.885Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 8, "fields": {"category": 3, "objective_number": "1.4", "objective": "Data considered sensitive in the context of the application is clearly identified.", "references": "", "level_1": false, "level_2": false, "level_3": true, "enabled": true, "created": "2018-04-10T17:30:49.731Z", "updated": "2018-04-10T17:30:49.731Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 9, "fields": {"category": 3, "objective_number": "1.5", "objective": "All app components are defined in terms of the business functions and/or security functions they provide.", "references": "", "level_1": false, "level_2": false, "level_3": true, "enabled": true, "created": "2018-04-10T17:31:32.897Z", "updated": 
"2018-04-10T17:31:32.897Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 11, "fields": {"category": 3, "objective_number": "1.6", "objective": "A threat model for the application and the associated remote services has been produced that identifies potential threats and countermeasures.", "references": "", "level_1": false, "level_2": false, "level_3": true, "enabled": true, "created": "2018-04-10T17:32:20.155Z", "updated": "2018-04-10T17:32:20.155Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 12, "fields": {"category": 3, "objective_number": "1.7", "objective": "All security controls have a centralized implementation.", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T17:32:36.102Z", "updated": "2018-04-10T17:32:36.102Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 13, "fields": {"category": 3, "objective_number": "1.8", "objective": "Components are segregated from each other via a defined security control, such as network segmentation, firewall rules, or cloud based security group", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T17:33:12.108Z", "updated": "2018-04-10T17:33:12.108Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 14, "fields": {"category": 3, "objective_number": "1.9", "objective": "A mechanism for enforcing updates of the application exists.", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T17:33:27.254Z", "updated": "2018-04-10T17:33:27.254Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 15, "fields": {"category": 3, "objective_number": "1.10", "objective": "Security is addressed within all parts of the software development lifecycle.", "references": 
"", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T17:34:04.115Z", "updated": "2018-04-10T17:34:04.115Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 16, "fields": {"category": 3, "objective_number": "1.11", "objective": "All application components, libraries, modules, frameworks, platform, and operating systems are free from known vulnerabilities", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T17:34:34.079Z", "updated": "2018-04-10T17:34:34.079Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 17, "fields": {"category": 3, "objective_number": "1.12", "objective": "There is an explicit policy for how cryptographic keys (if any) are managed, and the lifecycle of cryptographic keys is enforced. Ideally, follow a key management standard such as NIST SP 800-57.", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T17:35:02.776Z", "updated": "2018-04-10T17:35:02.776Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 18, "fields": {"category": 2, "objective_number": "2.2", "objective": "Verify that the application does not automatically fill in credentials \u2013 either as hidden fields, URL arguments, Ajax requests, or in forms, as this implies plain text, reversible or de-cryptable password storage. 
Random time limited nonces are acceptable as stand ins, such as to protect change password forms or forgot password forms.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T18:25:49.774Z", "updated": "2018-04-10T18:25:49.774Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 19, "fields": {"category": 2, "objective_number": "2.6", "objective": "Verify all authentication controls fail securely to ensure attackers cannot log in.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T18:26:06.655Z", "updated": "2018-04-10T18:26:06.655Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 20, "fields": {"category": 2, "objective_number": "2.7", "objective": "Verify password entry fields allow, or encourage, the use of passphrases, and do not prevent long passphrases or highly complex passwords being entered.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T18:26:27.024Z", "updated": "2018-04-10T18:26:27.024Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 21, "fields": {"category": 2, "objective_number": "2.8", "objective": "Verify all identity functions (e.g. forgot password, change password, change email, manage 2FA token, etc.) have the same security controls as the primary authentication mechanism (e.g. 
login form).", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T18:26:54.741Z", "updated": "2018-04-10T18:26:54.741Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 22, "fields": {"category": 2, "objective_number": "2.9", "objective": "Verify that the changing password functionality includes the old password, the new password, and a password confirmation.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T18:27:12.001Z", "updated": "2018-04-10T18:27:12.001Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 23, "fields": {"category": 2, "objective_number": "2.12", "objective": "Verify that all authentication decisions can be logged, without storing sensitive session identifiers or passwords. This should include requests with relevant metadata needed for security investigations.", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T18:27:39.646Z", "updated": "2018-04-10T18:27:39.646Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 24, "fields": {"category": 2, "objective_number": "2.13", "objective": "Verify that account passwords are one way hashed with a salt, and there is sufficient work factor to defeat brute force and password hash recovery attacks.", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T18:27:58.290Z", "updated": "2018-04-10T18:27:58.290Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 25, "fields": {"category": 2, "objective_number": "2.16", "objective": "Verify that all application data is transmitted over an encrypted channel (e.g. 
TLS).", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T18:28:25.068Z", "updated": "2018-04-10T18:28:25.068Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 26, "fields": {"category": 2, "objective_number": "2.17", "objective": "Verify that the forgotten password function and other recovery paths do not reveal the current password and that the new password is not sent in clear text to the user. A one time password reset link should be used instead.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T18:28:43.876Z", "updated": "2018-04-10T18:28:43.876Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 27, "fields": {"category": 2, "objective_number": "2.18", "objective": "Verify that information enumeration is not possible via login, password reset, or forgot account functionality.", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T18:29:00.197Z", "updated": "2018-04-10T18:29:00.197Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 28, "fields": {"category": 2, "objective_number": "2.19", "objective": "Verify there are no default passwords in use for the application framework or any components used by the application (such as \u201cadmin/password\u201d).", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T18:29:18.605Z", "updated": "2018-04-10T18:29:18.605Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 29, "fields": {"category": 2, "objective_number": "2.20", "objective": "Verify that anti-automation is in place to prevent breached credential testing, brute forcing, and account lockout attacks.", "references": "", "level_1": false, "level_2": true, "level_3": true, 
"enabled": true, "created": "2018-04-10T18:29:38.078Z", "updated": "2018-04-10T18:29:38.078Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 30, "fields": {"category": 2, "objective_number": "2.21", "objective": "Verify that all authentication credentials for accessing services external to the application are encrypted and stored in a protected location.", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T18:32:22.961Z", "updated": "2018-04-10T18:32:22.961Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 31, "fields": {"category": 2, "objective_number": "2.22", "objective": "Verify that forgotten password and other recovery paths use a TOTP or other soft token, mobile push, or other offline recovery mechanism. The use of SMS has been deprecated by NIST and should not be used.", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T18:32:40.617Z", "updated": "2018-04-10T18:32:40.617Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 32, "fields": {"category": 2, "objective_number": "2.23", "objective": "Verify that account lockout is divided into soft and hard lock status, and these are not mutually exclusive. 
If an account is temporarily soft locked out due to a brute force attack, this should not reset the hard lock status.", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T18:32:58.589Z", "updated": "2018-04-10T18:32:58.589Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 33, "fields": {"category": 2, "objective_number": "2.24", "objective": "Verify that if secret questions are required, the questions do not violate privacy laws and are sufficiently strong to protect accounts from malicious recovery.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T18:33:18.505Z", "updated": "2018-04-10T18:33:18.505Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 34, "fields": {"category": 2, "objective_number": "2.25", "objective": "Verify that high value applications can be configured to disallow the use of a configurable number of previous passwords.", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T18:33:39.421Z", "updated": "2018-04-10T18:33:39.421Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 35, "fields": {"category": 2, "objective_number": "2.26", "objective": "Verify that sensitive operations (e.g. change password, change email address, add new biller, etc.) require re-authentication (e.g. password or 2FA token). 
This is in addition to CSRF measures, not instead.", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T18:33:54.755Z", "updated": "2018-04-10T18:33:54.755Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 36, "fields": {"category": 2, "objective_number": "2.27", "objective": "Verify that measures are in place to block the use of commonly chosen passwords and weak pass-phrases.", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T18:34:13.132Z", "updated": "2018-04-10T18:34:13.132Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 37, "fields": {"category": 2, "objective_number": "2.28", "objective": "Verify that all authentication challenges, whether successful or failed, should respond in the same average response time.", "references": "", "level_1": false, "level_2": false, "level_3": true, "enabled": true, "created": "2018-04-10T18:34:34.548Z", "updated": "2018-04-10T18:34:34.548Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 38, "fields": {"category": 2, "objective_number": "2.29", "objective": "Verify that secrets, API keys, and passwords are not included in the source code, or online source code repositories.", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T18:34:51.315Z", "updated": "2018-04-10T18:34:51.315Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 39, "fields": {"category": 2, "objective_number": "2.31", "objective": "Verify that users can enrol and use TOTP verification, two-factor, biometric (Touch ID or similar), or equivalent multi-factor authentication mechanism that provides protection against single factor credential disclosure.", "references": "", "level_1": false, "level_2": true, "level_3": true, 
"enabled": true, "created": "2018-04-10T18:35:10.531Z", "updated": "2018-04-10T18:35:10.531Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 40, "fields": {"category": 2, "objective_number": "2.32", "objective": "Verify that access to administrative interfaces is strictly controlled and not accessible to untrusted parties.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T18:35:27.514Z", "updated": "2018-04-10T18:35:27.514Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 41, "fields": {"category": 2, "objective_number": "3.1", "objective": "Verify that the application is compatible with browser based and third party password managers, unless prohibited by risk based policy.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T18:35:45.088Z", "updated": "2018-04-10T18:35:45.088Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 42, "fields": {"category": 4, "objective_number": "3.2", "objective": "Verify that sessions are invalidated when the user logs out.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T18:41:15.085Z", "updated": "2018-04-10T18:41:15.085Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 43, "fields": {"category": 4, "objective_number": "3.3", "objective": "Verify that sessions timeout after a specified period of inactivity.", "references": "", "level_1": false, "level_2": false, "level_3": true, "enabled": true, "created": "2018-04-10T18:41:32.640Z", "updated": "2018-04-10T18:41:32.640Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 44, "fields": {"category": 4, "objective_number": "3.4", "objective": "Verify that sessions timeout after an 
administratively-configurable maximum time period regardless of activity (an absolute timeout).", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T18:41:55.478Z", "updated": "2018-04-10T18:41:55.478Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 45, "fields": {"category": 4, "objective_number": "3.5", "objective": "Verify that all pages that require authentication have easy and visible access to logout functionality.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T18:42:16.654Z", "updated": "2018-04-10T18:42:16.654Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 46, "fields": {"category": 4, "objective_number": "3.6", "objective": "Test that the session ID is never disclosed in URLs, error messages, or logs. This includes verifying that the application does not support URL rewriting of session cookies.", "references": "", "level_1": false, "level_2": false, "level_3": true, "enabled": true, "created": "2018-04-10T18:42:36.712Z", "updated": "2018-04-10T18:42:36.712Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 47, "fields": {"category": 4, "objective_number": "3.7", "objective": "Verify that all successful authentication and re-authentication generates a new session and session id.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T18:42:57.702Z", "updated": "2018-04-10T18:42:57.702Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 48, "fields": {"category": 4, "objective_number": "3.10", "objective": "Verify that only session ids generated by the application framework are recognised as active by the application.", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": 
"2018-04-10T18:43:19.341Z", "updated": "2018-04-10T18:43:19.341Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 49, "fields": {"category": 4, "objective_number": "3.11", "objective": "Test session IDs against criteria such as their randomness, uniqueness, resistance to statistical and cryptographic analysis and information leakage.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T18:43:34.658Z", "updated": "2018-04-10T18:43:34.658Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 50, "fields": {"category": 4, "objective_number": "3.12", "objective": "Verify that session IDs stored in cookies are scoped using the 'path' attribute; and have the 'HttpOnly' and 'Secure' cookie flags enabled.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T18:43:54.012Z", "updated": "2018-04-10T18:43:54.012Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 51, "fields": {"category": 4, "objective_number": "3.17", "objective": "Verify that the application tracks all active sessions. 
And allows users to terminate sessions selectively or globally from their account.", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T18:44:17.203Z", "updated": "2018-04-10T18:44:17.203Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 52, "fields": {"category": 4, "objective_number": "3.18", "objective": "Verify for high value applications that the user is prompted with the option to terminate all other active sessions after a successful change password process.", "references": "", "level_1": false, "level_2": false, "level_3": true, "enabled": true, "created": "2018-04-10T18:44:43.442Z", "updated": "2018-04-10T18:44:43.442Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 53, "fields": {"category": 5, "objective_number": "4.1", "objective": "Verify that the principle of least privilege exists - users should only be able to access functions, data files, URLs, controllers, services, and other resources, for which they possess specific authorization. 
This implies protection against spoofing and elevation of privilege.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T18:47:21.960Z", "updated": "2018-04-10T18:47:21.960Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 54, "fields": {"category": 5, "objective_number": "4.4", "objective": "Verify that access to sensitive records is protected, such that only authorized objects or data is accessible to each user (for example, protect against users tampering with a parameter to see or alter another user's account).", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T18:47:38.680Z", "updated": "2018-04-10T18:47:38.680Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 55, "fields": {"category": 5, "objective_number": "4.5", "objective": "Verify that directory browsing is disabled unless deliberately desired. 
Additionally, applications should not allow discovery or disclosure of file or directory metadata, such as Thumbs.db, .DS_Store, .git or .svn folders.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T18:47:55.745Z", "updated": "2018-04-10T18:47:55.745Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 56, "fields": {"category": 5, "objective_number": "4.8", "objective": "Verify that access controls fail securely.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T18:48:13.764Z", "updated": "2018-04-10T18:48:13.764Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 57, "fields": {"category": 5, "objective_number": "4.9", "objective": "Verify that the same access control rules implied by the presentation layer are enforced on the server side.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T18:48:35.093Z", "updated": "2018-04-10T18:48:35.093Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 58, "fields": {"category": 5, "objective_number": "4.10", "objective": "Verify that all user and data attributes and policy information used by access controls cannot be manipulated by end users unless specifically authorized.", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T18:48:59.652Z", "updated": "2018-04-10T18:48:59.652Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 59, "fields": {"category": 5, "objective_number": "4.11", "objective": "Verify that there is a centralized mechanism (including libraries that call external authorization services) for protecting access to each type of protected resource.", "references": "", "level_1": false, "level_2": false, "level_3": 
true, "enabled": true, "created": "2018-04-10T18:49:17.626Z", "updated": "2018-04-10T18:49:17.626Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 60, "fields": {"category": 5, "objective_number": "4.12", "objective": "Verify that all access control decisions can be logged and all failed decisions are logged.", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T18:49:32.763Z", "updated": "2018-04-10T18:49:32.763Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 61, "fields": {"category": 5, "objective_number": "4.13", "objective": "Verify that the application or framework uses strong random anti-CSRF tokens or has another transaction protection mechanism.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T18:50:06.400Z", "updated": "2018-04-10T18:50:06.400Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 62, "fields": {"category": 5, "objective_number": "4.4", "objective": "Verify the system can protect against aggregate or continuous access of secured functions, resources, or data. 
For example, consider the use of a resource governor to limit the number of edits per hour or to prevent the entire database from being scraped by an individual user.", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T18:50:21.788Z", "updated": "2018-04-10T18:50:21.788Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 63, "fields": {"category": 5, "objective_number": "4.15", "objective": "Verify the application has additional authorization (such as step up or adaptive authentication) for lower value systems, and / or segregation of duties for high value applications to enforce anti-fraud controls as per the risk of application and past fraud.", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T18:50:45.601Z", "updated": "2018-04-10T18:50:45.601Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 64, "fields": {"category": 5, "objective_number": "4.16", "objective": "Verify that the application correctly enforces context-sensitive authorisation so as to not allow unauthorised manipulation by means of parameter tampering.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T18:51:03.440Z", "updated": "2018-04-10T18:51:03.440Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 65, "fields": {"category": 6, "objective_number": "5.3", "objective": "Verify that server side input validation failures result in request rejection and are logged.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T18:57:40.844Z", "updated": "2018-04-10T18:57:40.844Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 66, "fields": {"category": 6, "objective_number": "5.5", "objective": "Verify that input 
validation routines are enforced on the server side.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T18:58:04.519Z", "updated": "2018-04-10T18:58:04.519Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 67, "fields": {"category": 6, "objective_number": "5.6", "objective": "Verify that a centralized input validation control mechanism is used by the application.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T18:58:25.176Z", "updated": "2018-04-10T18:58:25.176Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 68, "fields": {"category": 6, "objective_number": "5.10", "objective": "Verify that all database queries are protected by the use of parameterized queries or proper ORM usage to avoid SQL injection.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T18:58:40.885Z", "updated": "2018-04-10T18:58:40.885Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 69, "fields": {"category": 6, "objective_number": "5.11", "objective": "Verify that the application is not susceptible to LDAP Injection, or that security controls prevent LDAP Injection.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T18:58:57.395Z", "updated": "2018-04-10T18:58:57.395Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 70, "fields": {"category": 6, "objective_number": "5.12", "objective": "Verify that the application is not susceptible to OS Command Injection, or that security controls prevent OS Command Injection.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T18:59:13.557Z", "updated": "2018-04-10T18:59:13.557Z", "cwe_mapping": 
[], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 71, "fields": {"category": 6, "objective_number": "5.13", "objective": "Verify that the application is not susceptible to Remote File Inclusion (RFI) or Local File Inclusion (LFI) when content is used that is a path to a file.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T18:59:30.868Z", "updated": "2018-04-10T18:59:30.868Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 72, "fields": {"category": 6, "objective_number": "5.14", "objective": "Verify that the application is not susceptible to XPath injection or XML injection attacks.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T18:59:46.106Z", "updated": "2018-04-10T18:59:46.106Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 73, "fields": {"category": 6, "objective_number": "5.15", "objective": "Verify that all string variables placed into HTML or other web client code are either properly contextually encoded manually, or utilize templates that automatically contextually encode to ensure the application is not susceptible to reflected, stored or DOM Cross-Site Scripting (XSS) attacks.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T19:00:01.972Z", "updated": "2018-04-10T19:00:01.972Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 74, "fields": {"category": 6, "objective_number": "5.16", "objective": "Verify that the application does not contain mass parameter assignment (AKA automatic variable binding) vulnerabilities.", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T19:00:21.221Z", "updated": "2018-04-10T19:00:21.221Z", "cwe_mapping": [], "testing_guide": []}}, 
{"model": "dojo.benchmark_requirement", "pk": 75, "fields": {"category": 6, "objective_number": "5.17", "objective": "Verify that the application has defenses against HTTP parameter pollution attacks, particularly if the application framework makes no distinction about the source of request parameters (GET, POST, cookies, headers, environment, etc.)", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T19:00:40.335Z", "updated": "2018-04-10T19:00:40.335Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 76, "fields": {"category": 6, "objective_number": "5.19", "objective": "Verify that all input data is validated, not only HTML form fields but all sources of input such as REST calls, query parameters, HTTP headers, cookies, batch files, RSS feeds, etc; using positive validation (whitelisting), then lesser forms of validation such as grey listing (eliminating known bad strings), or rejecting bad inputs (blacklisting).", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T19:00:58.444Z", "updated": "2018-04-10T19:00:58.444Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 77, "fields": {"category": 6, "objective_number": "5.20", "objective": "Verify that structured data is strongly typed and validated against a defined schema including allowed characters, length and pattern (e.g. 
credit card numbers or telephone, or validating that two related fields are reasonable, such as validating suburbs and zip or post codes match).", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T19:03:55.078Z", "updated": "2018-04-10T19:03:55.078Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 78, "fields": {"category": 6, "objective_number": "5.21", "objective": "Verify that unstructured data is sanitized to enforce generic safety measures such as allowed characters and length, and characters potentially harmful in given context should be escaped (e.g. natural names with Unicode or apostrophes, such as O'Hara)", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T19:04:35.073Z", "updated": "2018-04-10T19:04:35.073Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 79, "fields": {"category": 6, "objective_number": "5.22", "objective": "Verify that all untrusted HTML input from WYSIWYG editors or similar is properly sanitized with an HTML sanitizer library or framework feature.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T19:05:00.216Z", "updated": "2018-04-10T19:05:00.216Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 80, "fields": {"category": 6, "objective_number": "5.24", "objective": "Verify that where data is transferred from one DOM context to another, the transfer uses safe JavaScript methods, such as using innerText or .val to ensure the application is not susceptible to DOM Cross-Site Scripting (XSS) attacks.", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T19:05:18.980Z", "updated": "2018-04-10T19:05:18.980Z", "cwe_mapping": [], "testing_guide": []}}, {"model": 
"dojo.benchmark_requirement", "pk": 81, "fields": {"category": 6, "objective_number": "5.25", "objective": "Verify when parsing JSON in browsers or JavaScript based backends, that JSON.parse is used to parse the JSON document. Do not use eval() to parse JSON.", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T19:05:35.060Z", "updated": "2018-04-10T19:05:35.060Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 82, "fields": {"category": 6, "objective_number": "5.27", "objective": "Verify the application for Server Side Request Forgery vulnerabilities.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T19:06:00.580Z", "updated": "2018-04-10T19:06:00.580Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 83, "fields": {"category": 6, "objective_number": "5.28", "objective": "Verify that the application correctly restricts XML parsers to only use the most restrictive configuration possible and to ensure that dangerous features such as resolving external entities are disabled.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T19:06:21.358Z", "updated": "2018-04-10T19:06:21.358Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 84, "fields": {"category": 6, "objective_number": "5.29", "objective": "Verify that deserialization of untrusted data is avoided or is extensively protected when deserialization cannot be avoided.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T19:06:39.454Z", "updated": "2018-04-10T19:06:39.454Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 85, "fields": {"category": 1, "objective_number": "7.8", "objective": "Verify that cryptographic modules 
operate in their approved mode according to their published security policies.", "references": "", "level_1": false, "level_2": false, "level_3": true, "enabled": true, "created": "2018-04-10T19:08:31.176Z", "updated": "2018-04-10T19:08:31.176Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 86, "fields": {"category": 1, "objective_number": "7.9", "objective": "Verify that there is an explicit policy for how cryptographic keys are managed (e.g., generated, distributed, revoked, and expired). Verify that this key lifecycle is properly enforced.", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T19:09:24.942Z", "updated": "2018-04-10T19:09:24.942Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 87, "fields": {"category": 1, "objective_number": "7.11", "objective": "Verify that all consumers of cryptographic services do not have direct access to key material. 
Isolate cryptographic processes, including master secrets and consider the use of a virtualized or physical hardware key vault (HSM).", "references": "", "level_1": false, "level_2": false, "level_3": true, "enabled": true, "created": "2018-04-10T19:09:46.054Z", "updated": "2018-04-10T19:09:46.054Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 88, "fields": {"category": 1, "objective_number": "7.12", "objective": "Verify that Personally Identifiable Information (PII) and other sensitive data is stored encrypted while at rest.", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T19:10:03.771Z", "updated": "2018-04-10T19:10:03.771Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 89, "fields": {"category": 1, "objective_number": "7.13", "objective": "Verify that sensitive passwords or key material maintained in memory is overwritten with zeros as soon as it is no longer required, to mitigate memory dumping attacks.", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T19:10:34.846Z", "updated": "2018-04-10T19:10:34.846Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 90, "fields": {"category": 1, "objective_number": "7.14", "objective": "Verify that all keys and passwords are replaceable, and are generated or replaced at installation time.", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T19:11:48.314Z", "updated": "2018-04-10T19:11:48.314Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 91, "fields": {"category": 1, "objective_number": "7.15", "objective": "Verify that random numbers are created with proper entropy even when the application is under heavy load, or that the application degrades gracefully in such 
circumstances.", "references": "", "level_1": false, "level_2": false, "level_3": true, "enabled": true, "created": "2018-04-10T19:12:08.197Z", "updated": "2018-04-10T19:12:08.197Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 92, "fields": {"category": 7, "objective_number": "8.1", "objective": "Verify that the application does not output error messages or stack traces containing sensitive data that could assist an attacker, including session id, software/framework versions and personal information.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T19:14:27.314Z", "updated": "2018-04-10T19:14:27.314Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 93, "fields": {"category": 7, "objective_number": "8.2", "objective": "Verify that error handling logic in security controls denies access by default.", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T19:14:48.444Z", "updated": "2018-04-10T19:14:48.444Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 94, "fields": {"category": 7, "objective_number": "8.3", "objective": "Verify security logging controls provide the ability to log success and particularly failure events that are identified as security-relevant.", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T19:22:17.918Z", "updated": "2018-04-10T19:22:17.918Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 95, "fields": {"category": 7, "objective_number": "8.4", "objective": "Verify that each log event includes necessary information that would allow for a detailed investigation of the timeline when an event happens.", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": 
"2018-04-10T19:22:36.882Z", "updated": "2018-04-10T19:22:36.882Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 96, "fields": {"category": 7, "objective_number": "8.5", "objective": "Verify that all events that include untrusted data will not execute as code in the intended log viewing software.", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T19:22:52.630Z", "updated": "2018-04-10T19:22:52.630Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 97, "fields": {"category": 7, "objective_number": "8.6", "objective": "Verify that security logs are protected from unauthorized access and modification.", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T19:23:13.084Z", "updated": "2018-04-10T19:23:13.084Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 98, "fields": {"category": 7, "objective_number": "8.7", "objective": "Verify that the application does not log sensitive data as defined under local privacy laws or regulations, organizational sensitive data as defined by a risk assessment, or sensitive authentication data that could assist an attacker, including user\u2019s session identifiers, passwords, hashes, or API tokens.", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T19:23:39.729Z", "updated": "2018-04-10T19:23:39.729Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 99, "fields": {"category": 7, "objective_number": "8.8", "objective": "Verify that all non-printable symbols and field separators are properly encoded in log entries, to prevent log injection.", "references": "", "level_1": false, "level_2": false, "level_3": true, "enabled": true, "created": "2018-04-10T19:23:54.556Z", "updated": 
"2018-04-10T19:23:54.556Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 100, "fields": {"category": 7, "objective_number": "8.9", "objective": "Verify that log fields from trusted and untrusted sources are distinguishable in log entries.", "references": "", "level_1": false, "level_2": false, "level_3": true, "enabled": true, "created": "2018-04-10T19:24:17.081Z", "updated": "2018-04-10T19:24:17.081Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 101, "fields": {"category": 7, "objective_number": "8.10", "objective": "Verify that an audit log or similar allows for non-repudiation of key transactions.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T19:24:36.013Z", "updated": "2018-04-10T19:24:36.013Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 102, "fields": {"category": 7, "objective_number": "8.11", "objective": "Verify that security logs have some form of integrity checking or controls to prevent unauthorized modification.", "references": "", "level_1": false, "level_2": false, "level_3": true, "enabled": true, "created": "2018-04-10T19:24:52.621Z", "updated": "2018-04-10T19:24:52.621Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 103, "fields": {"category": 7, "objective_number": "8.12", "objective": "Verify that security logs have some form of integrity checking or controls to prevent unauthorized modification.", "references": "", "level_1": false, "level_2": false, "level_3": true, "enabled": true, "created": "2018-04-10T19:25:36.714Z", "updated": "2018-04-10T19:25:36.714Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 104, "fields": {"category": 7, "objective_number": "8.13", "objective": "Verify that time sources are synchronized to the correct time and time zone.", "references": 
"", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T19:25:56.051Z", "updated": "2018-04-10T19:25:56.051Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 105, "fields": {"category": 8, "objective_number": "9.1", "objective": "Verify that all forms containing sensitive information have disabled client side caching, including autocomplete features.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T20:03:10.119Z", "updated": "2018-04-10T20:03:10.119Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 106, "fields": {"category": 8, "objective_number": "9.2", "objective": "Verify that the list of sensitive data processed by the application is identified, and that there is an explicit policy for how access to this data must be controlled, encrypted and enforced under relevant data protection directives.", "references": "", "level_1": false, "level_2": false, "level_3": true, "enabled": true, "created": "2018-04-10T20:03:30.746Z", "updated": "2018-04-10T20:03:30.746Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 107, "fields": {"category": 8, "objective_number": "9.3", "objective": "Verify that all sensitive data is sent to the server in the HTTP message body or headers (i.e., URL parameters are never used to send sensitive data).", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T20:03:47.350Z", "updated": "2018-04-10T20:03:47.350Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 108, "fields": {"category": 8, "objective_number": "9.4", "objective": "Verify that the application sets sufficient anti-caching headers such that any sensitive and personal information displayed by the application or entered by the user should not be cached on disk by 
mainstream modern browsers (e.g. visit about:cache to review disk cache).", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T20:04:04.636Z", "updated": "2018-04-10T20:04:04.636Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 109, "fields": {"category": 8, "objective_number": "9.5", "objective": "Verify that on the server, all cached or temporary copies of sensitive data stored are protected from unauthorized access or purged/invalidated after the authorized user accesses the sensitive data.", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T20:04:20.860Z", "updated": "2018-04-10T20:04:20.860Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 110, "fields": {"category": 8, "objective_number": "9.6", "objective": "Verify that there is a method to remove each type of sensitive data from the application at the end of the required retention policy.", "references": "", "level_1": false, "level_2": false, "level_3": true, "enabled": true, "created": "2018-04-10T20:04:35.940Z", "updated": "2018-04-10T20:04:35.940Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 111, "fields": {"category": 8, "objective_number": "9.7", "objective": "Verify the application minimizes the number of parameters in a request, such as hidden fields, Ajax variables, cookies and header values.", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T20:04:55.217Z", "updated": "2018-04-10T20:04:55.217Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 112, "fields": {"category": 8, "objective_number": "9.8", "objective": "Verify the application has the ability to detect and alert on abnormal numbers of requests for data harvesting, for example screen scraping.", 
"references": "", "level_1": false, "level_2": false, "level_3": true, "enabled": true, "created": "2018-04-10T20:05:10.438Z", "updated": "2018-04-10T20:05:10.438Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 113, "fields": {"category": 8, "objective_number": "9.9", "objective": "Verify that data stored in client side storage (such as HTML5 local storage, session storage, IndexedDB, regular cookies or Flash cookies) does not contain sensitive data or PII.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T20:05:27.568Z", "updated": "2018-04-10T20:05:27.568Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 114, "fields": {"category": 8, "objective_number": "9.10", "objective": "Verify accessing sensitive data is logged, if the data is collected under relevant data protection directives or where logging of accesses is required.", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T20:05:52.280Z", "updated": "2018-04-10T20:05:52.280Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 115, "fields": {"category": 8, "objective_number": "9.11", "objective": "Verify that sensitive information maintained in memory is overwritten with zeros as soon as it is no longer required, to mitigate memory dumping attacks.", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-10T20:06:09.895Z", "updated": "2018-04-10T20:06:09.895Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 116, "fields": {"category": 8, "objective_number": "9.14", "objective": "Verify that authenticated data is cleared from client storage, such as the browser DOM, after the client or session is terminated.", "references": "", "level_1": false, "level_2": true, "level_3": true, 
"enabled": true, "created": "2018-04-10T20:06:26.799Z", "updated": "2018-04-10T20:06:26.799Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 117, "fields": {"category": 9, "objective_number": "10.1", "objective": "Verify that a path can be built from a trusted CA to each Transport Layer Security (TLS) server certificate, and that each server certificate is valid.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-11T01:35:42.155Z", "updated": "2018-04-11T01:35:42.155Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 118, "fields": {"category": 9, "objective_number": "10.2", "objective": "Verify that TLS is used for all connections (including both external and backend connections) that are authenticated or that involve sensitive data or functions, and does not fall back to insecure or unencrypted protocols. Ensure the strongest alternative is the preferred algorithm.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-11T01:35:59.132Z", "updated": "2018-04-11T01:35:59.132Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 119, "fields": {"category": 9, "objective_number": "10.3", "objective": "Verify that backend TLS connection failures are logged.", "references": "", "level_1": false, "level_2": false, "level_3": true, "enabled": true, "created": "2018-04-11T01:36:33.439Z", "updated": "2018-04-11T01:36:33.439Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 120, "fields": {"category": 9, "objective_number": "10.4", "objective": "Verify that certificate paths are built and verified for all client certificates using configured trust anchors and revocation information.", "references": "", "level_1": false, "level_2": false, "level_3": true, "enabled": true, "created": "2018-04-11T01:36:51.266Z", 
"updated": "2018-04-11T01:36:51.266Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 121, "fields": {"category": 9, "objective_number": "10.5", "objective": "Verify that all connections to external systems that involve sensitive information or functions are authenticated.", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-11T01:37:07.994Z", "updated": "2018-04-11T01:37:07.994Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 122, "fields": {"category": 9, "objective_number": "10.6", "objective": "Verify that there is a single standard TLS implementation that is used by the application that is configured to operate in an approved mode of operation.", "references": "", "level_1": false, "level_2": false, "level_3": true, "enabled": true, "created": "2018-04-11T01:37:24.291Z", "updated": "2018-04-11T01:37:24.291Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 123, "fields": {"category": 9, "objective_number": "10.7", "objective": "Verify that TLS certificate public key pinning (HPKP) is implemented with production and backup public keys. 
For more information, please see the references below.", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-11T01:37:47.739Z", "updated": "2018-04-11T01:37:47.739Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 124, "fields": {"category": 9, "objective_number": "10.8", "objective": "Verify that HTTP Strict Transport Security headers are included on all requests and for all subdomains, such as Strict-Transport-Security: max-age=15724800; includeSubdomains", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-11T01:38:13.649Z", "updated": "2018-04-11T01:38:13.649Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 125, "fields": {"category": 9, "objective_number": "10.9", "objective": "Verify that production website URL has been submitted to preloaded list of Strict Transport Security domains maintained by web browser vendors. 
Please see the references below.", "references": "", "level_1": false, "level_2": false, "level_3": true, "enabled": true, "created": "2018-04-11T01:38:36.954Z", "updated": "2018-04-11T01:38:36.954Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 126, "fields": {"category": 9, "objective_number": "10.11", "objective": "Verify that perfect forward secrecy is configured to mitigate passive attackers recording traffic.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-11T01:39:02.098Z", "updated": "2018-04-11T01:39:02.098Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 127, "fields": {"category": 9, "objective_number": "10.11", "objective": "Verify that proper certification revocation, such as Online Certificate Status Protocol (OCSP) Stapling, is enabled and configured.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-11T01:39:21.912Z", "updated": "2018-04-11T01:39:21.912Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 128, "fields": {"category": 9, "objective_number": "10.13", "objective": "Verify that only strong algorithms, ciphers, and protocols are used, through all the certificate hierarchy, including root and intermediary certificates of your selected certifying authority.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-11T01:39:36.467Z", "updated": "2018-04-11T01:39:36.467Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 129, "fields": {"category": 9, "objective_number": "10.14", "objective": "Verify that the TLS settings are in line with current leading practice, particularly as common configurations, ciphers, and algorithms become insecure.", "references": "", "level_1": true, "level_2": true, "level_3": true, 
"enabled": true, "created": "2018-04-11T01:39:56.601Z", "updated": "2018-04-11T01:39:56.601Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 130, "fields": {"category": 10, "objective_number": "13.1", "objective": "Verify all malicious activity is adequately sandboxed, containerized or isolated to delay and deter attackers from attacking other applications.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-11T01:49:41.661Z", "updated": "2018-04-11T01:49:41.661Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 131, "fields": {"category": 10, "objective_number": "13.2", "objective": "Verify that the application source code, and as many third party libraries as possible, does not contain back doors, Easter eggs, and logic flaws in authentication, access control, input validation, and the business logic of high value transactions.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-11T01:49:58.364Z", "updated": "2018-04-11T01:49:58.364Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 132, "fields": {"category": 11, "objective_number": "15.1", "objective": "Verify the application will only process business logic flows in sequential step order, with all steps being processed in realistic human time, and not process out of order, skipped steps, process steps from another user, or too quickly submitted transactions.", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-11T01:52:09.853Z", "updated": "2018-04-11T01:52:09.853Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 133, "fields": {"category": 11, "objective_number": "15.2", "objective": "Verify the application has business limits and correctly enforces on a per user basis, with 
configurable alerting and automated reactions to automated or unusual attack.", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-11T01:52:27.128Z", "updated": "2018-04-11T01:52:27.128Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 134, "fields": {"category": 12, "objective_number": "16.1", "objective": "Verify that URL redirects and forwards only allow whitelisted destinations, or show a warning when redirecting to potentially untrusted content.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-11T02:04:17.964Z", "updated": "2018-04-11T02:04:17.964Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 135, "fields": {"category": 12, "objective_number": "16.2", "objective": "Verify that untrusted file data submitted to the application is not used directly with file I/O commands, particularly to protect against path traversal, local file include, file mime type, reflective file download, and OS command injection vulnerabilities.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-11T02:04:34.163Z", "updated": "2018-04-11T02:04:34.163Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 136, "fields": {"category": 12, "objective_number": "16.3", "objective": "Verify that files obtained from untrusted sources are validated to be of expected type and scanned by antivirus scanners to prevent upload of known malicious content.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-11T02:04:59.568Z", "updated": "2018-04-11T02:04:59.568Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 137, "fields": {"category": 12, "objective_number": "16.4", "objective": "Verify that untrusted data is not used 
within inclusion, class loader, or reflection capabilities to prevent remote/local code execution vulnerabilities.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-11T02:07:18.554Z", "updated": "2018-04-11T02:07:18.554Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 138, "fields": {"category": 12, "objective_number": "16.5", "objective": "Verify that untrusted data is not used within cross-domain resource sharing (CORS) to protect against arbitrary remote content.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-11T02:07:38.656Z", "updated": "2018-04-11T02:07:38.656Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 139, "fields": {"category": 12, "objective_number": "16.6", "objective": "Verify that files obtained from untrusted sources are stored outside the webroot, with limited permissions, preferably with strong validation.", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-11T02:07:55.938Z", "updated": "2018-04-11T02:07:55.938Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 140, "fields": {"category": 12, "objective_number": "16.7", "objective": "Verify that the web or application server is configured by default to deny access to remote resources or systems outside the web or application server.", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-11T02:08:14.968Z", "updated": "2018-04-11T02:08:14.968Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 141, "fields": {"category": 12, "objective_number": "16.8", "objective": "Verify the application code does not execute uploaded data obtained from untrusted sources.", "references": "", "level_1": true, "level_2": true, 
"level_3": true, "enabled": true, "created": "2018-04-11T02:08:32.429Z", "updated": "2018-04-11T02:08:32.429Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 142, "fields": {"category": 12, "objective_number": "16.9", "objective": "Verify that unsupported, insecure or deprecated client-side technologies are not used, such as NSAPI plugins, Flash, Shockwave, Active-X, Silverlight, NACL, or client-side Java applets.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-11T02:08:48.347Z", "updated": "2018-04-11T02:08:48.347Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 143, "fields": {"category": 12, "objective_number": "16.10", "objective": "Verify that the cross-domain resource sharing (CORS) Access-Control-Allow-Origin header does not simply reflect the request's origin header or support the \"null\" origin.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-11T02:09:04.768Z", "updated": "2018-04-11T02:09:04.768Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 144, "fields": {"category": 15, "objective_number": "20.1", "objective": "Verify that application layer debugging interfaces such as USB or serial are disabled.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-11T11:07:50.720Z", "updated": "2018-04-11T11:07:50.720Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 145, "fields": {"category": 15, "objective_number": "20.2", "objective": "Verify that cryptographic keys are unique to each individual device.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-11T11:08:10.405Z", "updated": "2018-04-11T11:08:10.405Z", "cwe_mapping": [], "testing_guide": []}}, {"model": 
"dojo.benchmark_requirement", "pk": 146, "fields": {"category": 15, "objective_number": "20.3", "objective": "Verify that memory protection controls such as ASLR and DEP are enabled by the embedded/IoT operating system, if applicable.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-11T11:08:25.227Z", "updated": "2018-04-11T11:08:25.227Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 147, "fields": {"category": 15, "objective_number": "20.4", "objective": "Verify that on-chip debugging interfaces such as JTAG or SWD are disabled or that the available protection mechanism is enabled and configured appropriately.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-11T11:08:45.697Z", "updated": "2018-04-11T11:08:45.697Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 148, "fields": {"category": 15, "objective_number": "20.5", "objective": "Verify that physical debug headers are not present on the device.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-11T11:09:32.824Z", "updated": "2018-04-11T11:09:32.824Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 149, "fields": {"category": 15, "objective_number": "20.6", "objective": "Verify that sensitive data is not stored unencrypted on the device.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-11T11:09:51.965Z", "updated": "2018-04-11T11:09:51.965Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 150, "fields": {"category": 15, "objective_number": "20.7", "objective": "Verify that the device prevents leaking of sensitive information.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": 
"2018-04-11T11:10:12.639Z", "updated": "2018-04-11T11:10:12.639Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 151, "fields": {"category": 15, "objective_number": "20.8", "objective": "Verify that the firmware apps protect data-in-transit using transport security.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-11T11:10:46.813Z", "updated": "2018-04-11T11:10:46.813Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 152, "fields": {"category": 15, "objective_number": "20.9", "objective": "Verify that the firmware apps validate the digital signature of server connections.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-11T11:11:09.379Z", "updated": "2018-04-11T11:11:09.379Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 153, "fields": {"category": 15, "objective_number": "20.10", "objective": "Verify that wireless communications are mutually authenticated.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-11T11:11:30.500Z", "updated": "2018-04-11T11:11:30.500Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 154, "fields": {"category": 15, "objective_number": "20.11", "objective": "Verify that wireless communications are sent over an encrypted channel.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-11T11:11:50.655Z", "updated": "2018-04-11T11:11:50.655Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 155, "fields": {"category": 15, "objective_number": "20.12", "objective": "Verify that the firmware apps pin the digital signature to a trusted server(s).", "references": "", "level_1": false, "level_2": true, "level_3": true, 
"enabled": true, "created": "2018-04-11T11:12:07.233Z", "updated": "2018-04-11T11:12:07.233Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 156, "fields": {"category": 15, "objective_number": "20.13", "objective": "Verify the presence of physical tamper resistance and/or tamper detection features, including epoxy.", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-11T11:12:26.824Z", "updated": "2018-04-11T11:12:26.824Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 157, "fields": {"category": 15, "objective_number": "20.14", "objective": "Verify that identifying markings on chips have been removed.", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-11T11:12:58.929Z", "updated": "2018-04-11T11:12:58.929Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 158, "fields": {"category": 15, "objective_number": "20.15", "objective": "Verify that any available Intellectual Property protection technologies provided by the chip manufacturer are enabled.", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-11T11:13:14.702Z", "updated": "2018-04-11T11:13:14.702Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 159, "fields": {"category": 15, "objective_number": "20.16", "objective": "Verify security controls are in place to hinder firmware reverse engineering (e.g., removal of verbose debugging strings).", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-11T11:13:35.583Z", "updated": "2018-04-11T11:13:35.583Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 160, "fields": {"category": 15, "objective_number": "20.17", "objective": "Verify the device 
validates the boot image signature before loading.", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-11T11:13:53.410Z", "updated": "2018-04-11T11:13:53.410Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 161, "fields": {"category": 15, "objective_number": "20.18", "objective": "Verify that the firmware update process is not vulnerable to time-of-check vs time-of-use attacks.", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-11T11:14:09.524Z", "updated": "2018-04-11T11:14:09.524Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 162, "fields": {"category": 15, "objective_number": "20.19", "objective": "Verify the device uses code signing and validates firmware upgrade files before installing.", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-11T11:14:25.357Z", "updated": "2018-04-11T11:14:25.357Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 163, "fields": {"category": 15, "objective_number": "20.20", "objective": "Verify that the device cannot be downgraded to old versions of valid firmware.", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-11T11:14:43.403Z", "updated": "2018-04-11T11:14:43.403Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 164, "fields": {"category": 15, "objective_number": "20.21", "objective": "Verify usage of cryptographically secure pseudo-random number generator on embedded device (e.g., using chip-provided random number generators).", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-11T11:14:59.985Z", "updated": "2018-04-11T11:14:59.985Z", "cwe_mapping": [], "testing_guide": []}}, 
{"model": "dojo.benchmark_requirement", "pk": 165, "fields": {"category": 15, "objective_number": "20.22", "objective": "Verify that the device wipes firmware and sensitive data upon detection of tampering or receipt of invalid message.", "references": "", "level_1": false, "level_2": false, "level_3": true, "enabled": true, "created": "2018-04-11T11:15:22.134Z", "updated": "2018-04-11T11:15:22.134Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 166, "fields": {"category": 15, "objective_number": "20.23", "objective": "Verify that only microcontrollers that support disabling debugging interfaces (e.g. JTAG, SWD) are used.", "references": "", "level_1": false, "level_2": false, "level_3": true, "enabled": true, "created": "2018-04-11T11:15:33.559Z", "updated": "2018-04-11T11:15:33.559Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 167, "fields": {"category": 15, "objective_number": "20.24", "objective": "Verify that only microcontrollers that provide substantial protection from de-capping and side channel attacks are used.", "references": "", "level_1": false, "level_2": false, "level_3": true, "enabled": true, "created": "2018-04-11T11:15:47.863Z", "updated": "2018-04-11T11:15:47.863Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 168, "fields": {"category": 15, "objective_number": "20.25", "objective": "Verify that sensitive traces are not exposed to outer layers of the printed circuit board.", "references": "", "level_1": false, "level_2": false, "level_3": true, "enabled": true, "created": "2018-04-11T11:16:00.608Z", "updated": "2018-04-11T11:16:00.608Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 169, "fields": {"category": 15, "objective_number": "20.26", "objective": "Verify that inter-chip communication is encrypted.", "references": "", "level_1": false, "level_2": false, "level_3": 
true, "enabled": true, "created": "2018-04-11T11:16:13.105Z", "updated": "2018-04-11T11:16:13.105Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 170, "fields": {"category": 15, "objective_number": "20.27", "objective": "Verify the device uses code signing and validates code before execution.", "references": "", "level_1": false, "level_2": false, "level_3": true, "enabled": true, "created": "2018-04-11T11:16:25.973Z", "updated": "2018-04-11T11:16:25.973Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 171, "fields": {"category": 15, "objective_number": "20.27", "objective": "Verify that sensitive information maintained in memory is overwritten with zeros as soon as it is no longer required.", "references": "", "level_1": false, "level_2": false, "level_3": true, "enabled": true, "created": "2018-04-11T11:16:43.811Z", "updated": "2018-04-11T11:16:43.811Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 172, "fields": {"category": 15, "objective_number": "20.29", "objective": "Verify that the firmware apps utilize kernel containers for isolation between apps.", "references": "", "level_1": false, "level_2": false, "level_3": true, "enabled": true, "created": "2018-04-11T11:17:01.716Z", "updated": "2018-04-11T11:17:01.716Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 173, "fields": {"category": 14, "objective_number": "19.1", "objective": "Verify that all components are up to date with proper security configuration(s) and version(s). 
This should include removal of unneeded configurations and folders such as sample applications, platform documentation, and default or example users.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-11T11:24:21.828Z", "updated": "2018-04-11T11:24:21.828Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 174, "fields": {"category": 14, "objective_number": "19.2", "objective": "Verify that communications between components, such as between the application server and the database server, are encrypted, particularly when the components are in different containers or on different systems.", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-11T11:24:39.890Z", "updated": "2018-04-11T11:24:39.890Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 175, "fields": {"category": 14, "objective_number": "19.3", "objective": "Verify that communications between components, such as between the application server and the database server, are authenticated using an account with the least necessary privileges.", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-11T11:24:56.630Z", "updated": "2018-04-11T11:24:56.630Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 176, "fields": {"category": 14, "objective_number": "19.4", "objective": "Verify application deployments are adequately sandboxed, containerized or isolated to delay and deter attackers from attacking other applications.", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-11T11:25:18.922Z", "updated": "2018-04-11T11:25:18.922Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 177, "fields": {"category": 14, "objective_number": "19.5", 
"objective": "Verify that the application build and deployment processes are performed in a secure and repeatable method, such as CI / CD automation and automated configuration management.", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-11T11:27:01.661Z", "updated": "2018-04-11T11:27:01.661Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 178, "fields": {"category": 14, "objective_number": "19.6", "objective": "Verify that authorised administrators have the capability to verify the integrity of all security-relevant configurations to detect tampering.", "references": "", "level_1": false, "level_2": false, "level_3": true, "enabled": true, "created": "2018-04-11T11:27:21.360Z", "updated": "2018-04-11T11:27:21.360Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 179, "fields": {"category": 14, "objective_number": "19.7", "objective": "Verify that all application components are signed.", "references": "", "level_1": false, "level_2": false, "level_3": true, "enabled": true, "created": "2018-04-11T11:27:38.293Z", "updated": "2018-04-11T11:27:38.294Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 180, "fields": {"category": 14, "objective_number": "19.8", "objective": "Verify that third party components come from trusted repositories.", "references": "", "level_1": false, "level_2": false, "level_3": true, "enabled": true, "created": "2018-04-11T11:27:56.079Z", "updated": "2018-04-11T11:27:56.079Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 181, "fields": {"category": 14, "objective_number": "19.9", "objective": "Verify that build processes for system level languages have all security flags enabled, such as ASLR, DEP, and security checks.", "references": "", "level_1": false, "level_2": false, "level_3": true, "enabled": true, "created": 
"2018-04-11T11:28:15.183Z", "updated": "2018-04-11T11:28:15.183Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 182, "fields": {"category": 14, "objective_number": "19.10", "objective": "Verify that all application assets, such as JavaScript libraries, CSS stylesheets and web fonts, are hosted by the application rather than relying on a CDN or external provider.", "references": "", "level_1": false, "level_2": false, "level_3": true, "enabled": true, "created": "2018-04-11T11:28:31.535Z", "updated": "2018-04-11T11:28:31.535Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 183, "fields": {"category": 14, "objective_number": "19.11", "objective": "Verify that all application components, services, and servers each use their own low privilege service account, that is not shared between applications nor used by administrators.", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-11T11:28:48.369Z", "updated": "2018-04-11T11:28:48.369Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 184, "fields": {"category": 13, "objective_number": "18.1", "objective": "Verify that the same encoding style is used between the client and the server.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-11T11:29:30.653Z", "updated": "2018-04-11T11:29:30.653Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 185, "fields": {"category": 13, "objective_number": "18.2", "objective": "Verify that access to administration and management functions within the Web Service Application is limited to web service administrators.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-11T11:29:47.034Z", "updated": "2018-04-11T11:29:47.034Z", 
"cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 186, "fields": {"category": 13, "objective_number": "18.3", "objective": "Verify that XML or JSON schema is in place and verified before accepting input.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-11T11:30:10.128Z", "updated": "2018-04-11T11:30:10.128Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 187, "fields": {"category": 13, "objective_number": "18.4", "objective": "Verify that all input is limited to an appropriate size limit.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-11T11:30:27.140Z", "updated": "2018-04-11T11:30:27.141Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 188, "fields": {"category": 13, "objective_number": "18.5", "objective": "Verify that SOAP based web services are compliant with Web Services-Interoperability (WS-I) Basic Profile at minimum. 
This essentially means TLS encryption.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-11T11:30:45.544Z", "updated": "2018-04-11T11:30:45.544Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 189, "fields": {"category": 13, "objective_number": "18.7", "objective": "Verify that the REST service is protected from Cross-Site Request Forgery via the use of at least one of the following: double submit cookie pattern, CSRF nonces, ORIGIN request header checks, and referrer request header checks.", "references": "", "level_1": true, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-11T11:31:06.094Z", "updated": "2018-04-11T11:31:06.094Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 190, "fields": {"category": 13, "objective_number": "18.8", "objective": "Verify the REST service explicitly checks the incoming Content-Type to be the expected one, such as application/xml or application/json.", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-11T11:31:24.980Z", "updated": "2018-04-11T11:31:24.980Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 191, "fields": {"category": 13, "objective_number": "18.9", "objective": "Verify that the message payload is signed to ensure reliable transport between client and service, using JSON Web Signing or WS-Security for SOAP requests.", "references": "", "level_1": false, "level_2": true, "level_3": true, "enabled": true, "created": "2018-04-11T11:31:45.167Z", "updated": "2018-04-11T11:31:45.167Z", "cwe_mapping": [], "testing_guide": []}}, {"model": "dojo.benchmark_requirement", "pk": 192, "fields": {"category": 13, "objective_number": "18.10", "objective": "Verify that alternative and less secure access paths do not exist.", "references": "", "level_1": false, "level_2": 
true, "level_3": true, "enabled": true, "created": "2018-04-11T11:32:13.509Z", "updated": "2018-04-11T11:32:13.509Z", "cwe_mapping": [], "testing_guide": []}}]