DS01: Weak credential storage - condition too broad #27
Labels
Comments
colesmj
added
bug
|
Looks like this issue is not valid anymore. DS01 probably has been repurposed into a different threat (we should not be doing this). Also #127 would solve this. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
"DS01": { "description": "Weak Credential Storage", "source": (Process, Element), "target": Datastore, "condition": "(target.storesPII is True or target.storesSensitiveData is True) and (target.isEncrypted is False or target.providesConfidentiality is False or target.providesIntegrity is False)", },Condition includes storesPII, which would not include credentials (at least not for the target or source); it also includes storesSensitiveData (same comment applies). A better test would be source.hasAccessControl or source.authenticatedWith - these conditions suggest the datastore holds credentials, and the target checks then make sense.
The text was updated successfully, but these errors were encountered: