Replaced AC22 with AC23 and AC24 #243

merged 2 commits into from
May 28, 2024
6 changes: 3 additions & 3 deletions pytm/pytm.py
Expand Up @@ -818,9 +818,9 @@ def _add_threats(self):
raise UIError(
e, f"while trying to open the the threat file ({self.threatsFile})."
)

for i in threats_json:
TM._threats.append(Threat(**i))
active_threats = (threat for threat in threats_json if "DEPRECATED" not in threat)
for threat in active_threats:
TM._threats.append(Threat(**threat))

def resolve(self):
finding_count = 0
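Review bot: Threat entries dropped by the new `"DEPRECATED" not in threat` filter disappear silently, so a model or override that still names AC22 gets no hint why the threat is gone; a comment (and ideally a debug log in the loop) would make the contract explicit: `# Entries with a "DEPRECATED" key stay in threats.json for reference only and are never loaded as live threats; the check is on key presence, so an empty value also skips the entry.` The generator bound to `active_threats` is consumed exactly once, so a plain `if "DEPRECATED" in threat: continue` guard inside the original loop would read the same with one fewer name. `_add_threats` starts before this hunk, so the load of `threats_json` from `self.threatsFile` is not visible here.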
31 changes: 31 additions & 0 deletions pytm/threatlib/threats.json
Expand Up @@ -1560,6 +1560,7 @@
},
{
"SID": "AC22",
"DEPRECATED": "AC22 was replaced by AC23 and AC24. Forcing short lived credentials by rotating the credentials regularly is no longer recommended. It better to go for long living strong credentials, which can be easily replaced, when a disclosure has happend.",
"target": [
"Dataflow"
],
Expand All @@ -1572,5 +1573,35 @@
"mitigations": "All passwords and other credentials should have a relatively short expiration date with a possibility to be revoked immediately under special circumstances.",
"example": "",
"references": "https://cwe.mitre.org/data/definitions/262.html, https://cwe.mitre.org/data/definitions/263.html, https://cwe.mitre.org/data/definitions/798.html"
},
{
"SID": "AC23",
"target": [
"Dataflow"
],
"description": "Credentials Disclosure",
"details": "If credentials (passwords or certificates) have a long lifetime their disclosure can have severe consequences, if the credentials cannot quickly be revoked and/or rotated.",
"Likelihood Of Attack": "Medium",
"severity": "High",
"prerequisites": "",
"condition": "any(d.isCredentials for d in target.data) and target.sink.inScope and any(d.credentialsLife in (Lifetime.UNKNOWN, Lifetime.LONG, Lifetime.MANUAL) for d in target.data)",
"mitigations": "Long living credentials need to have high entropy and length to be future proof, especially if it is unknwon how long these credentials will be used. Further should there be a mechanism to revoke the credentials immediately if a disclosure is suspected. To detect disclosure of the credentials their use should be monitored for suspicions activity.",
"example": "",
"references": "https://pages.nist.gov/800-63-3/sp800-63b.html#sec6"
},
{
"SID": "AC24",
"target": [
"Dataflow"
],
"description": "Use of hardcoded credentials",
"details": "Hardcoded credentials (password or certificates) cannot be changed and if these credentials are dislcosed they can be used by attackers to bypass the authentication mechanism.",
"Likelihood Of Attack": "High",
"severity": "Very High",
"prerequisites": "",
"condition": "any(d.isCredentials for d in target.data) and target.sink.inScope and any(d.credentialsLife == Lifetime.HARDCODED for d in target.data)",
"mitigations": "Avoid hardcoded credentials. If you have to use hardcoded credentials make is possible to change the credentials or to deactivate them. A typical design is to use a \"first login\"-mode which forces the user to create new credentials, on the first login. If the credentials cannot be changed the sole actions in prodcution for the defender is to deactivate/remove the effected product.",
"example": "",
"references": "https://cwe.mitre.org/data/definitions/798.html, https://cwe.mitre.org/data/definitions/259.html, https://cwe.mitre.org/data/definitions/321.html"
}
]
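Review bot: In the `"condition"` strings of the new AC23 and AC24 entries the two `any(...)` calls iterate `target.data` independently, so the threat also fires when one data item is a credential and a different, non-credential item happens to carry the matching `credentialsLife`; the check should be combined per item, e.g. `any(d.isCredentials and d.credentialsLife in (Lifetime.UNKNOWN, Lifetime.LONG, Lifetime.MANUAL) for d in target.data)` for AC23 and `any(d.isCredentials and d.credentialsLife == Lifetime.HARDCODED for d in target.data)` for AC24. How often the split form misfires depends on the default `credentialsLife` of non-credential `Data`, which is not visible in this change. The new user-facing text also carries spelling slips that will surface in generated reports: `happend` and `It better to go` in the AC22 deprecation note, `unknwon` and `suspicions activity` in the AC23 mitigations, and `dislcosed`, `make is possible`, `prodcution` and `effected product` in AC24.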
16 changes: 14 additions & 2 deletions tests/test_pytmfunc.py
Expand Up @@ -1462,7 +1462,19 @@ def test_AC21(self):
threat = threats["AC21"]
self.assertTrue(threat.apply(process1))

def test_AC22(self):
def test_AC23(self):
user = Actor("User")
web = Server("Web Server")
user_to_web = Dataflow(user, web, "User enters comments (*)")
user_to_web.data = Data(
"password", isCredentials=True, credentialsLife=Lifetime.LONG
)
user_to_web.protocol = "HTTPS"
user_to_web.controls.isEncrypted = True
threat = threats["AC23"]
self.assertTrue(threat.apply(user_to_web))

def test_AC24(self):
user = Actor("User")
web = Server("Web Server")
user_to_web = Dataflow(user, web, "User enters comments (*)")
Expand All @@ -1471,7 +1483,7 @@ def test_AC22(self):
)
user_to_web.protocol = "HTTPS"
user_to_web.controls.isEncrypted = True
threat = threats["AC22"]
threat = threats["AC24"]
self.assertTrue(threat.apply(user_to_web))

def test_DR01(self):
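Review bot: Nothing in the new tests covers the other half of this change — that AC22 is no longer loaded now that its entry carries a `DEPRECATED` key — so a regression in the filter in `_add_threats` would pass unnoticed; assuming `threats` is the same mapping indexed in `test_AC21`, one assertion suffices: `def test_AC22_deprecated(self):` / `    self.assertNotIn("AC22", threats)`. `test_AC23` exercises only the positive `Lifetime.LONG` case; a second dataflow whose credential has a lifetime outside the condition's `UNKNOWN`/`LONG`/`MANUAL` set, asserted with `assertFalse`, would pin the boundary of the new rule. The `Data(...)` call in `test_AC24` lies between the two hunks, so the `credentialsLife` it sets cannot be checked here.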