@zerothreatai/vulnerability-registry 4.0.0 → 6.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/categories/authentication.js +17 -17
- package/dist/categories/configuration.js +80 -80
- package/dist/categories/injection.js +34 -34
- package/dist/categories/sensitive-paths.js +84 -84
- package/dist/categories/ssrf.js +11 -11
- package/dist/categories/xss.js +15 -15
- package/dist/compliance-codes.d.ts +207 -0
- package/dist/compliance-codes.js +213 -0
- package/dist/compliances/gdpr.d.ts +2 -0
- package/dist/compliances/gdpr.js +252 -0
- package/dist/compliances/helpers.d.ts +6 -0
- package/dist/compliances/helpers.js +11 -0
- package/dist/compliances/hipaa.d.ts +2 -0
- package/dist/compliances/hipaa.js +187 -0
- package/dist/compliances/index.d.ts +5 -0
- package/dist/compliances/index.js +5 -0
- package/dist/compliances/owasp.d.ts +2 -0
- package/dist/compliances/owasp.js +127 -0
- package/dist/compliances/pci-dss.d.ts +2 -0
- package/dist/compliances/pci-dss.js +260 -0
- package/dist/compliances/sans-top-25.d.ts +2 -0
- package/dist/compliances/sans-top-25.js +242 -0
- package/dist/index.d.ts +7 -1
- package/dist/index.js +7 -1
- package/dist/types.d.ts +33 -0
- package/dist/types.js +11 -1
- package/dist-cjs/categories/authentication.js +17 -17
- package/dist-cjs/categories/configuration.js +80 -80
- package/dist-cjs/categories/injection.js +34 -34
- package/dist-cjs/categories/sensitive-paths.js +84 -84
- package/dist-cjs/categories/ssrf.js +11 -11
- package/dist-cjs/categories/xss.js +15 -15
- package/dist-cjs/compliance-codes.js +216 -0
- package/dist-cjs/compliances/gdpr.js +255 -0
- package/dist-cjs/compliances/helpers.js +19 -0
- package/dist-cjs/compliances/hipaa.js +190 -0
- package/dist-cjs/compliances/index.js +13 -0
- package/dist-cjs/compliances/owasp.js +130 -0
- package/dist-cjs/compliances/pci-dss.js +263 -0
- package/dist-cjs/compliances/sans-top-25.js +245 -0
- package/dist-cjs/index.js +12 -1
- package/dist-cjs/types.js +12 -0
- package/package.json +40 -32
- package/scripts/assign-ids.ts +105 -0
- package/scripts/check-duplicate-ids.ts +45 -0
- package/src/categories/authentication.ts +17 -17
- package/src/categories/configuration.ts +80 -80
- package/src/categories/injection.ts +34 -34
- package/src/categories/sensitive-paths.ts +84 -84
- package/src/categories/ssrf.ts +11 -11
- package/src/categories/xss.ts +15 -15
- package/src/compliance-codes.ts +216 -0
- package/src/compliances/README.md +82 -0
- package/src/compliances/gdpr.ts +258 -0
- package/src/compliances/helpers.ts +29 -0
- package/src/compliances/hipaa.ts +193 -0
- package/src/compliances/index.ts +5 -0
- package/src/compliances/owasp.ts +133 -0
- package/src/compliances/pci-dss.ts +266 -0
- package/src/compliances/sans-top-25.ts +246 -0
- package/src/id-registry.json +1235 -0
- package/src/index.ts +12 -1
- package/src/types.ts +40 -4
- package/src/categories/authentication.d.ts +0 -8
- package/src/categories/authentication.d.ts.map +0 -1
- package/src/categories/authentication.js +0 -392
- package/src/categories/authentication.js.map +0 -1
- package/src/categories/configuration.d.ts +0 -8
- package/src/categories/configuration.d.ts.map +0 -1
- package/src/categories/configuration.js +0 -1782
- package/src/categories/configuration.js.map +0 -1
- package/src/categories/injection.d.ts +0 -8
- package/src/categories/injection.d.ts.map +0 -1
- package/src/categories/injection.js +0 -781
- package/src/categories/injection.js.map +0 -1
- package/src/categories/sensitive-paths.d.ts +0 -9
- package/src/categories/sensitive-paths.d.ts.map +0 -1
- package/src/categories/sensitive-paths.js +0 -1872
- package/src/categories/sensitive-paths.js.map +0 -1
- package/src/categories/ssrf.d.ts +0 -8
- package/src/categories/ssrf.d.ts.map +0 -1
- package/src/categories/ssrf.js +0 -258
- package/src/categories/ssrf.js.map +0 -1
- package/src/categories/xss.d.ts +0 -7
- package/src/categories/xss.d.ts.map +0 -1
- package/src/categories/xss.js +0 -340
- package/src/categories/xss.js.map +0 -1
- package/src/error-codes.d.ts +0 -280
- package/src/error-codes.d.ts.map +0 -1
- package/src/error-codes.js +0 -350
- package/src/error-codes.js.map +0 -1
- package/src/index.d.ts +0 -60
- package/src/index.d.ts.map +0 -1
- package/src/index.js +0 -92
- package/src/index.js.map +0 -1
- package/src/types.d.ts +0 -88
- package/src/types.d.ts.map +0 -1
- package/src/types.js +0 -6
- package/src/types.js.map +0 -1
|
@@ -0,0 +1,187 @@
|
|
|
1
|
+
import { ComplianceCode } from '../compliance-codes';
|
|
2
|
+
import { ComplianceCategory } from '../types';
|
|
3
|
+
import { idsByCategory, idsByCodes, idsByCodePrefix, mergeIds } from './helpers.js';
|
|
4
|
+
const authIds = idsByCategory('authentication');
|
|
5
|
+
const injectionIds = idsByCategory('injection');
|
|
6
|
+
const xssIds = idsByCategory('xss');
|
|
7
|
+
const ssrfIds = idsByCategory('ssrf');
|
|
8
|
+
const configIds = idsByCategory('configuration');
|
|
9
|
+
const disclosureIds = idsByCategory('information_disclosure');
|
|
10
|
+
const cookieIds = idsByCodePrefix(['COOKIE_']);
|
|
11
|
+
const dirbrowseIds = idsByCodePrefix(['DIRBROWSE_']);
|
|
12
|
+
const jwtIds = idsByCodePrefix(['JWT_']);
|
|
13
|
+
const hstsIds = idsByCodes([
|
|
14
|
+
'HEADER_MISSING_HSTS',
|
|
15
|
+
'HEADER_HSTS_BAD_MAX_AGE',
|
|
16
|
+
'HEADER_HSTS_SHORT_MAX_AGE',
|
|
17
|
+
'HEADER_HSTS_NO_INCLUDESUBDOMAINS',
|
|
18
|
+
'HEADER_HSTS_PRELOAD_LOW_MAX_AGE',
|
|
19
|
+
'HEADER_DRIFT_HSTS',
|
|
20
|
+
]);
|
|
21
|
+
const cookieSecureIds = idsByCodes([
|
|
22
|
+
'COOKIE_SAMESITE_NONE_WITHOUT_SECURE',
|
|
23
|
+
'COOKIE_SESSION_MISSING_SECURE',
|
|
24
|
+
'COOKIE_MISSING_SECURE',
|
|
25
|
+
'COOKIE_HOST_PREFIX_INVALID',
|
|
26
|
+
'COOKIE_SECURE_PREFIX_INVALID',
|
|
27
|
+
]);
|
|
28
|
+
const allAppSecIds = mergeIds(authIds, injectionIds, xssIds, ssrfIds, configIds, disclosureIds);
|
|
29
|
+
const accessControlIds = mergeIds(authIds, cookieIds, dirbrowseIds, disclosureIds);
|
|
30
|
+
const authAndCookieIds = mergeIds(authIds, cookieIds);
|
|
31
|
+
const cryptoIds = mergeIds(jwtIds, hstsIds, cookieSecureIds);
|
|
32
|
+
const integrityIds = mergeIds(injectionIds, xssIds);
|
|
33
|
+
export const HIPAA_COMPLIANCE = {
|
|
34
|
+
[ComplianceCode.HIPAA_164_105_PROTECT_PRIVATE_HEALTH_INFO]: {
|
|
35
|
+
id: 164,
|
|
36
|
+
code: ComplianceCode.HIPAA_164_105_PROTECT_PRIVATE_HEALTH_INFO,
|
|
37
|
+
title: 'S.Rule - Part 164, Subpart A, 164.105 Protect Private Health Info',
|
|
38
|
+
description: 'Make sure private electronic health information is kept safe and secure from anyone who shouldn’t see it.',
|
|
39
|
+
complianceStandard: ComplianceCategory.HIPAA,
|
|
40
|
+
relatedVulnerabilityIds: allAppSecIds,
|
|
41
|
+
isNotApplicable: false,
|
|
42
|
+
},
|
|
43
|
+
[ComplianceCode.HIPAA_164_306_A_1_KEEP_INFO_SAFE]: {
|
|
44
|
+
id: 165,
|
|
45
|
+
code: ComplianceCode.HIPAA_164_306_A_1_KEEP_INFO_SAFE,
|
|
46
|
+
title: 'S.Rule - Part 164, Subpart C, 164.306(a)(1) Keep Info Safe and Available',
|
|
47
|
+
description: 'Make sure health info stays private, accurate, and ready to use when needed.',
|
|
48
|
+
complianceStandard: ComplianceCategory.HIPAA,
|
|
49
|
+
relatedVulnerabilityIds: allAppSecIds,
|
|
50
|
+
isNotApplicable: false,
|
|
51
|
+
},
|
|
52
|
+
[ComplianceCode.HIPAA_164_306_A_2_PROTECT_AGAINST_THREATS]: {
|
|
53
|
+
id: 166,
|
|
54
|
+
code: ComplianceCode.HIPAA_164_306_A_2_PROTECT_AGAINST_THREATS,
|
|
55
|
+
title: 'S.Rule - Part 164, Subpart C, 164.306(a)(2) Protect Against Threats',
|
|
56
|
+
description: 'Put systems in place to stop hackers or anything else that might harm the health info.',
|
|
57
|
+
complianceStandard: ComplianceCategory.HIPAA,
|
|
58
|
+
relatedVulnerabilityIds: allAppSecIds,
|
|
59
|
+
isNotApplicable: false,
|
|
60
|
+
},
|
|
61
|
+
[ComplianceCode.HIPAA_164_306_A_3_STOP_UNAUTHORIZED_ACCESS]: {
|
|
62
|
+
id: 167,
|
|
63
|
+
code: ComplianceCode.HIPAA_164_306_A_3_STOP_UNAUTHORIZED_ACCESS,
|
|
64
|
+
title: 'S.Rule - Part 164, Subpart C, 164.306(a)(3) Stop Unauthorized Access',
|
|
65
|
+
description: 'Make sure no one can use or see health info without permission.',
|
|
66
|
+
complianceStandard: ComplianceCategory.HIPAA,
|
|
67
|
+
relatedVulnerabilityIds: accessControlIds,
|
|
68
|
+
isNotApplicable: false,
|
|
69
|
+
},
|
|
70
|
+
[ComplianceCode.HIPAA_164_308_A_1_I_PREVENT_FIX_PROBLEMS]: {
|
|
71
|
+
id: 168,
|
|
72
|
+
code: ComplianceCode.HIPAA_164_308_A_1_I_PREVENT_FIX_PROBLEMS,
|
|
73
|
+
title: 'S.Rule - Part 164, Subpart C, 164.308(a)(1) (i) Prevent and Fix Problems',
|
|
74
|
+
description: 'Create rules to spot and fix security problems before they cause damage.',
|
|
75
|
+
complianceStandard: ComplianceCategory.HIPAA,
|
|
76
|
+
relatedVulnerabilityIds: allAppSecIds,
|
|
77
|
+
isNotApplicable: false,
|
|
78
|
+
},
|
|
79
|
+
[ComplianceCode.HIPAA_164_308_A_1_II_B_LOWER_SECURITY_RISKS]: {
|
|
80
|
+
id: 169,
|
|
81
|
+
code: ComplianceCode.HIPAA_164_308_A_1_II_B_LOWER_SECURITY_RISKS,
|
|
82
|
+
title: 'S.Rule - Part 164, Subpart C, 164.308(a)(1)(ii)(B) Lower Security Risks',
|
|
83
|
+
description: 'Take steps to make sure the risk of problems, like data leaks, is as low as possible.',
|
|
84
|
+
complianceStandard: ComplianceCategory.HIPAA,
|
|
85
|
+
relatedVulnerabilityIds: allAppSecIds,
|
|
86
|
+
isNotApplicable: false,
|
|
87
|
+
},
|
|
88
|
+
[ComplianceCode.HIPAA_164_308_A_5_II_B_BLOCK_MALWARE]: {
|
|
89
|
+
id: 170,
|
|
90
|
+
code: ComplianceCode.HIPAA_164_308_A_5_II_B_BLOCK_MALWARE,
|
|
91
|
+
title: 'S.Rule - Part 164, Subpart C, 164.308(a)(5)(ii)(B) Block Viruses and Malware',
|
|
92
|
+
description: 'Set up tools to block harmful software like viruses and ransomware.',
|
|
93
|
+
complianceStandard: ComplianceCategory.HIPAA,
|
|
94
|
+
relatedVulnerabilityIds: [],
|
|
95
|
+
isNotApplicable: true,
|
|
96
|
+
},
|
|
97
|
+
[ComplianceCode.HIPAA_164_308_A_5_II_C_WATCH_LOGINS]: {
|
|
98
|
+
id: 171,
|
|
99
|
+
code: ComplianceCode.HIPAA_164_308_A_5_II_C_WATCH_LOGINS,
|
|
100
|
+
title: 'S.Rule - Part 164, Subpart C, 164.308(a)(5)(ii)(C) Watch Logins',
|
|
101
|
+
description: 'Keep track of who’s logging in and report anything that seems suspicious.',
|
|
102
|
+
complianceStandard: ComplianceCategory.HIPAA,
|
|
103
|
+
relatedVulnerabilityIds: [],
|
|
104
|
+
isNotApplicable: true,
|
|
105
|
+
},
|
|
106
|
+
[ComplianceCode.HIPAA_164_308_A_5_II_D_PROTECT_PASSWORDS]: {
|
|
107
|
+
id: 172,
|
|
108
|
+
code: ComplianceCode.HIPAA_164_308_A_5_II_D_PROTECT_PASSWORDS,
|
|
109
|
+
title: 'S.Rule - Part 164, Subpart C, 164.308(a)(5)(ii)(D) Protect Passwords',
|
|
110
|
+
description: 'Make sure passwords are strong, secure, and regularly updated.',
|
|
111
|
+
complianceStandard: ComplianceCategory.HIPAA,
|
|
112
|
+
relatedVulnerabilityIds: authAndCookieIds,
|
|
113
|
+
isNotApplicable: true,
|
|
114
|
+
},
|
|
115
|
+
[ComplianceCode.HIPAA_164_308_A_7_I_PLAN_EMERGENCIES]: {
|
|
116
|
+
id: 173,
|
|
117
|
+
code: ComplianceCode.HIPAA_164_308_A_7_I_PLAN_EMERGENCIES,
|
|
118
|
+
title: 'S.Rule - Part 164, Subpart C, 164.308(a)(7)(i) Plan for Emergencies',
|
|
119
|
+
description: 'Have a backup plan ready if something happens, like a power outage or system crash, so health info stays safe.',
|
|
120
|
+
complianceStandard: ComplianceCategory.HIPAA,
|
|
121
|
+
relatedVulnerabilityIds: [],
|
|
122
|
+
isNotApplicable: true,
|
|
123
|
+
},
|
|
124
|
+
[ComplianceCode.HIPAA_164_312_A_1_CONTROL_ACCESS]: {
|
|
125
|
+
id: 174,
|
|
126
|
+
code: ComplianceCode.HIPAA_164_312_A_1_CONTROL_ACCESS,
|
|
127
|
+
title: 'S.Rule - Part 164, Subpart C, 164.312(a)(1) Control Who Can See Info',
|
|
128
|
+
description: 'Limit access to health info to only those who really need it.',
|
|
129
|
+
complianceStandard: ComplianceCategory.HIPAA,
|
|
130
|
+
relatedVulnerabilityIds: accessControlIds,
|
|
131
|
+
isNotApplicable: true,
|
|
132
|
+
},
|
|
133
|
+
[ComplianceCode.HIPAA_164_312_C_1_PREVENT_CHANGES]: {
|
|
134
|
+
id: 175,
|
|
135
|
+
code: ComplianceCode.HIPAA_164_312_C_1_PREVENT_CHANGES,
|
|
136
|
+
title: 'S.Rule - Part 164, Subpart C, 164.312(c)(1) Prevent Changes or Deletion',
|
|
137
|
+
description: 'Make sure no one can change or delete health info without permission.',
|
|
138
|
+
complianceStandard: ComplianceCategory.HIPAA,
|
|
139
|
+
relatedVulnerabilityIds: [],
|
|
140
|
+
isNotApplicable: true,
|
|
141
|
+
},
|
|
142
|
+
[ComplianceCode.HIPAA_164_312_D_VERIFY_IDENTITY]: {
|
|
143
|
+
id: 176,
|
|
144
|
+
code: ComplianceCode.HIPAA_164_312_D_VERIFY_IDENTITY,
|
|
145
|
+
title: 'S.Rule - Part 164, Subpart C, 164.312(d) Double-Check Who’s Asking for Access',
|
|
146
|
+
description: 'Confirm that anyone asking to see health info is who they say they are.',
|
|
147
|
+
complianceStandard: ComplianceCategory.HIPAA,
|
|
148
|
+
relatedVulnerabilityIds: authAndCookieIds,
|
|
149
|
+
isNotApplicable: true,
|
|
150
|
+
},
|
|
151
|
+
[ComplianceCode.HIPAA_164_312_E_1_PROTECT_ONLINE_INFO]: {
|
|
152
|
+
id: 177,
|
|
153
|
+
code: ComplianceCode.HIPAA_164_312_E_1_PROTECT_ONLINE_INFO,
|
|
154
|
+
title: 'S.Rule - Part 164, Subpart C, 164.312(e)(1) Protect Info Sent Online',
|
|
155
|
+
description: 'Make sure health info is safe when sent over the internet.',
|
|
156
|
+
complianceStandard: ComplianceCategory.HIPAA,
|
|
157
|
+
relatedVulnerabilityIds: cryptoIds,
|
|
158
|
+
isNotApplicable: false,
|
|
159
|
+
},
|
|
160
|
+
[ComplianceCode.HIPAA_164_312_E_2_I_PREVENT_UNAUTHORIZED_CHANGES]: {
|
|
161
|
+
id: 178,
|
|
162
|
+
code: ComplianceCode.HIPAA_164_312_E_2_I_PREVENT_UNAUTHORIZED_CHANGES,
|
|
163
|
+
title: 'S.Rule - Part 164, Subpart C, 164.312(e)(2)(i) Prevent Unauthorized Changes',
|
|
164
|
+
description: 'Ensure health info sent electronically isn’t changed without anyone knowing.',
|
|
165
|
+
complianceStandard: ComplianceCategory.HIPAA,
|
|
166
|
+
relatedVulnerabilityIds: integrityIds,
|
|
167
|
+
isNotApplicable: false,
|
|
168
|
+
},
|
|
169
|
+
[ComplianceCode.HIPAA_164_312_E_2_II_USE_ENCRYPTION]: {
|
|
170
|
+
id: 179,
|
|
171
|
+
code: ComplianceCode.HIPAA_164_312_E_2_II_USE_ENCRYPTION,
|
|
172
|
+
title: 'S.Rule - Part 164, Subpart C, 164.312(e)(2)(ii) Use Encryption to Keep Info Safe',
|
|
173
|
+
description: 'Encrypt health info when it’s sent online to keep it private.',
|
|
174
|
+
complianceStandard: ComplianceCategory.HIPAA,
|
|
175
|
+
relatedVulnerabilityIds: cryptoIds,
|
|
176
|
+
isNotApplicable: true,
|
|
177
|
+
},
|
|
178
|
+
[ComplianceCode.HIPAA_164_530_C_2_I_KEEP_INFO_SHARED]: {
|
|
179
|
+
id: 180,
|
|
180
|
+
code: ComplianceCode.HIPAA_164_530_C_2_I_KEEP_INFO_SHARED,
|
|
181
|
+
title: 'P.Rule - Part 164, Subpart E, 164.530(c)(2)(i) Keep Info From Being Shared',
|
|
182
|
+
description: 'Take care to stop health info from being shared accidentally or on purpose with the wrong people.',
|
|
183
|
+
complianceStandard: ComplianceCategory.HIPAA,
|
|
184
|
+
relatedVulnerabilityIds: mergeIds(disclosureIds, accessControlIds),
|
|
185
|
+
isNotApplicable: true,
|
|
186
|
+
},
|
|
187
|
+
};
|
|
@@ -0,0 +1,127 @@
|
|
|
1
|
+
import { ComplianceCode } from '../compliance-codes';
|
|
2
|
+
import { ComplianceCategory } from '../types';
|
|
3
|
+
import { idsByCategory, idsByCodes, idsByCodePrefix, mergeIds } from './helpers.js';
|
|
4
|
+
const authIds = idsByCategory('authentication');
|
|
5
|
+
const injectionIds = idsByCategory('injection');
|
|
6
|
+
const xssIds = idsByCategory('xss');
|
|
7
|
+
const ssrfIds = idsByCategory('ssrf');
|
|
8
|
+
const configIds = idsByCategory('configuration');
|
|
9
|
+
const disclosureIds = idsByCategory('information_disclosure');
|
|
10
|
+
const accessControlIds = idsByCodePrefix(['BAC_', 'MASSASSIGN_']);
|
|
11
|
+
const dirbrowseIds = idsByCodePrefix(['DIRBROWSE_']);
|
|
12
|
+
const jwtIds = idsByCodePrefix(['JWT_']);
|
|
13
|
+
const cookieIds = idsByCodePrefix(['COOKIE_']);
|
|
14
|
+
const deserializationIds = idsByCodePrefix(['DESER_']);
|
|
15
|
+
const hstsIds = idsByCodes([
|
|
16
|
+
'HEADER_MISSING_HSTS',
|
|
17
|
+
'HEADER_HSTS_BAD_MAX_AGE',
|
|
18
|
+
'HEADER_HSTS_SHORT_MAX_AGE',
|
|
19
|
+
'HEADER_HSTS_NO_INCLUDESUBDOMAINS',
|
|
20
|
+
'HEADER_HSTS_PRELOAD_LOW_MAX_AGE',
|
|
21
|
+
'HEADER_DRIFT_HSTS',
|
|
22
|
+
]);
|
|
23
|
+
const cookieSecureIds = idsByCodes([
|
|
24
|
+
'COOKIE_SAMESITE_NONE_WITHOUT_SECURE',
|
|
25
|
+
'COOKIE_SESSION_MISSING_SECURE',
|
|
26
|
+
'COOKIE_MISSING_SECURE',
|
|
27
|
+
'COOKIE_HOST_PREFIX_INVALID',
|
|
28
|
+
'COOKIE_SECURE_PREFIX_INVALID',
|
|
29
|
+
]);
|
|
30
|
+
const owaspA1Ids = mergeIds(accessControlIds, dirbrowseIds);
|
|
31
|
+
const owaspA2Ids = mergeIds(jwtIds, hstsIds, cookieSecureIds);
|
|
32
|
+
const owaspA3Ids = mergeIds(injectionIds, xssIds);
|
|
33
|
+
const owaspA5Ids = mergeIds(configIds, disclosureIds);
|
|
34
|
+
const owaspA7Ids = mergeIds(authIds, cookieIds);
|
|
35
|
+
const owaspA8Ids = deserializationIds;
|
|
36
|
+
export const OWASP_COMPLIANCE = {
|
|
37
|
+
[ComplianceCode.OWASP_A1_BROKEN_ACCESS_CONTROL]: {
|
|
38
|
+
id: 154,
|
|
39
|
+
code: ComplianceCode.OWASP_A1_BROKEN_ACCESS_CONTROL,
|
|
40
|
+
title: 'A1 Broken Access Control',
|
|
41
|
+
description: 'Many web applications fail to properly enforce rules on what authenticated users are allowed to access or do. This creates vulnerabilities where attackers can exploit the flaws to gain unauthorized access. For example, they might be able to log into someone else’s account, view sensitive files they shouldn’t have access to, modify other users\' data, or change their own access rights to gain additional privileges. To prevent these kinds of attacks, web applications must ensure that every user’s actions are carefully restricted based on their role and permission level, ensuring they can only interact with the parts of the system they are authorized to access.',
|
|
42
|
+
complianceStandard: ComplianceCategory.OWASP,
|
|
43
|
+
relatedVulnerabilityIds: owaspA1Ids,
|
|
44
|
+
isNotApplicable: false,
|
|
45
|
+
},
|
|
46
|
+
[ComplianceCode.OWASP_A2_CRYPTOGRAPHIC_FAILURES]: {
|
|
47
|
+
id: 155,
|
|
48
|
+
code: ComplianceCode.OWASP_A2_CRYPTOGRAPHIC_FAILURES,
|
|
49
|
+
title: 'A2 Cryptographic Failures',
|
|
50
|
+
description: 'Many web applications and APIs fail to properly protect sensitive information, like financial details, health records, or personal identification data. When this data isn’t secured correctly, attackers can steal or alter it, leading to crimes like credit card fraud or identity theft. Sensitive data should always be encrypted, whether it’s being stored (encryption at rest) or transferred over the internet (encryption in transit). Extra care must also be taken when this data is exchanged between the user and the browser to prevent it from being compromised.',
|
|
51
|
+
complianceStandard: ComplianceCategory.OWASP,
|
|
52
|
+
relatedVulnerabilityIds: owaspA2Ids,
|
|
53
|
+
isNotApplicable: false,
|
|
54
|
+
},
|
|
55
|
+
[ComplianceCode.OWASP_A3_INJECTION_FLAWS]: {
|
|
56
|
+
id: 156,
|
|
57
|
+
code: ComplianceCode.OWASP_A3_INJECTION_FLAWS,
|
|
58
|
+
title: 'A3 Injection Flaws',
|
|
59
|
+
description: 'Injection flaws happen when untrusted or harmful data is sent to a system as part of a command or query. This can occur with different types of data, like SQL (used for databases), NoSQL, OS (operating system commands), or LDAP (used for directory services). Attackers can exploit these flaws by sending malicious data that tricks the system into executing commands it wasn’t supposed to, or accessing data without permission. This can allow attackers to gain unauthorized control or information from the system.',
|
|
60
|
+
complianceStandard: ComplianceCategory.OWASP,
|
|
61
|
+
relatedVulnerabilityIds: owaspA3Ids,
|
|
62
|
+
isNotApplicable: false,
|
|
63
|
+
},
|
|
64
|
+
[ComplianceCode.OWASP_A4_INSECURE_DESIGN]: {
|
|
65
|
+
id: 157,
|
|
66
|
+
code: ComplianceCode.OWASP_A4_INSECURE_DESIGN,
|
|
67
|
+
title: 'A4 Insecure Design',
|
|
68
|
+
description: 'Insecure design refers to weaknesses in the overall design of a system or software, where essential security controls are missing or not effective. This is different from implementation flaws, which are mistakes made while building the system. A system with insecure design has security gaps from the start, which can’t be fully fixed later, no matter how well the system is built. For example, if the system wasn’t designed with proper security in mind, even a perfect implementation won’t fix it. A key factor in insecure design is not properly assessing the risks the software or system might face, which leads to a failure in designing the necessary security protections.',
|
|
69
|
+
complianceStandard: ComplianceCategory.OWASP,
|
|
70
|
+
relatedVulnerabilityIds: [],
|
|
71
|
+
isNotApplicable: true,
|
|
72
|
+
},
|
|
73
|
+
[ComplianceCode.OWASP_A5_SECURITY_MISCONFIGURATION]: {
|
|
74
|
+
id: 158,
|
|
75
|
+
code: ComplianceCode.OWASP_A5_SECURITY_MISCONFIGURATION,
|
|
76
|
+
title: 'A5 Security Misconfiguration',
|
|
77
|
+
description: 'Security misconfiguration is one of the most common issues found in web applications and systems. It happens when systems are not set up securely or configured properly. This can include things like using insecure default settings, incomplete configurations, or leaving cloud storage open to the public. Other examples include misconfigured security settings like HTTP headers and error messages that reveal sensitive information about the system. To protect against these risks, all components—such as operating systems, frameworks, libraries, and applications—must be securely configured from the beginning. Additionally, they need to be regularly updated and patched to fix any vulnerabilities and ensure they remain secure over time.',
|
|
78
|
+
complianceStandard: ComplianceCategory.OWASP,
|
|
79
|
+
relatedVulnerabilityIds: owaspA5Ids,
|
|
80
|
+
isNotApplicable: false,
|
|
81
|
+
},
|
|
82
|
+
[ComplianceCode.OWASP_A6_VULNERABLE_OUTDATED_COMPONENTS]: {
|
|
83
|
+
id: 159,
|
|
84
|
+
code: ComplianceCode.OWASP_A6_VULNERABLE_OUTDATED_COMPONENTS,
|
|
85
|
+
title: 'A6 Vulnerable and Outdated Components',
|
|
86
|
+
description: 'Many web applications rely on components like libraries, frameworks, or other software modules to run. These components operate with the same permissions as the rest of the application. If any of these components have known security weaknesses, attackers can exploit them to cause serious issues, such as data loss or taking control of the server. Using outdated components with known vulnerabilities can undermine the security of the entire application, making it easier for attackers to launch attacks or cause other damage. To avoid this, it’s important to regularly update and patch these components to keep the application secure.',
|
|
87
|
+
complianceStandard: ComplianceCategory.OWASP,
|
|
88
|
+
relatedVulnerabilityIds: [],
|
|
89
|
+
isNotApplicable: true,
|
|
90
|
+
},
|
|
91
|
+
[ComplianceCode.OWASP_A7_IDENTIFICATION_AUTH_FAILURE]: {
|
|
92
|
+
id: 160,
|
|
93
|
+
code: ComplianceCode.OWASP_A7_IDENTIFICATION_AUTH_FAILURE,
|
|
94
|
+
title: 'A7 Identification and Authentication Failure',
|
|
95
|
+
description: 'Many applications have weaknesses in how they handle user login and session management. These flaws can allow attackers to steal or guess passwords, keys, or session tokens, and use them to impersonate other users. In some cases, attackers might be able to take over someone’s account temporarily or permanently. Properly securing authentication processes and session management is crucial to prevent unauthorized access and protect user identities.',
|
|
96
|
+
complianceStandard: ComplianceCategory.OWASP,
|
|
97
|
+
relatedVulnerabilityIds: owaspA7Ids,
|
|
98
|
+
isNotApplicable: false,
|
|
99
|
+
},
|
|
100
|
+
[ComplianceCode.OWASP_A8_SOFTWARE_DATA_INTEGRITY_FAILURE]: {
|
|
101
|
+
id: 161,
|
|
102
|
+
code: ComplianceCode.OWASP_A8_SOFTWARE_DATA_INTEGRITY_FAILURE,
|
|
103
|
+
title: 'A8 Software and Data Integrity Failure',
|
|
104
|
+
description: 'Software and data integrity failures occur when code or systems aren’t protected from changes that could compromise their security. For example, if an application uses plugins, libraries, or modules from untrusted sources or repositories, attackers could introduce malicious code. Insecure continuous integration/continuous deployment (CI/CD) pipelines also pose a risk, as they could allow unauthorized access or introduce harmful code. Many apps also have auto-update features, but if the updates aren’t properly verified, attackers could upload malicious updates that get applied to all users’ installations. Another risk is when data is encoded or serialized in a way that attackers can manipulate, which could lead to vulnerabilities like insecure deserialization.',
|
|
105
|
+
complianceStandard: ComplianceCategory.OWASP,
|
|
106
|
+
relatedVulnerabilityIds: owaspA8Ids,
|
|
107
|
+
isNotApplicable: false,
|
|
108
|
+
},
|
|
109
|
+
[ComplianceCode.OWASP_A9_LOGGING_MONITORING_FAILURES]: {
|
|
110
|
+
id: 162,
|
|
111
|
+
code: ComplianceCode.OWASP_A9_LOGGING_MONITORING_FAILURES,
|
|
112
|
+
title: 'A9 Security Logging and Monitoring Failures',
|
|
113
|
+
description: 'When an application or system doesn’t properly log or monitor activity, it becomes easier for attackers to continue their attacks unnoticed. Without effective monitoring, attackers can maintain access, move through different systems, and tamper with or steal data. Studies of security breaches show that it often takes over 200 days to detect a breach, and many breaches are first discovered by external parties, not by the system’s internal monitoring. Proper logging and real-time monitoring are crucial for detecting and responding to attacks before they cause significant damage.',
|
|
114
|
+
complianceStandard: ComplianceCategory.OWASP,
|
|
115
|
+
relatedVulnerabilityIds: [],
|
|
116
|
+
isNotApplicable: true,
|
|
117
|
+
},
|
|
118
|
+
[ComplianceCode.OWASP_A10_SSRF]: {
|
|
119
|
+
id: 163,
|
|
120
|
+
code: ComplianceCode.OWASP_A10_SSRF,
|
|
121
|
+
title: 'A10 Server-Side Request Forgery (SSRF)',
|
|
122
|
+
description: 'SSRF flaws happen when a web application accepts a user-supplied URL to fetch a remote resource but doesn’t properly validate it. This allows attackers to trick the application into sending a request to an unexpected destination, even if there are security measures like firewalls, VPNs, or network access controls in place. As a result, attackers can target internal systems or services that would normally be protected from external access.',
|
|
123
|
+
complianceStandard: ComplianceCategory.OWASP,
|
|
124
|
+
relatedVulnerabilityIds: ssrfIds,
|
|
125
|
+
isNotApplicable: false,
|
|
126
|
+
},
|
|
127
|
+
};
|
|
@@ -0,0 +1,260 @@
|
|
|
1
|
+
import { ComplianceCode } from '../compliance-codes';
|
|
2
|
+
import { ComplianceCategory } from '../types';
|
|
3
|
+
import { idsByCategory, idsByCodes, idsByCodePrefix, mergeIds } from './helpers.js';
|
|
4
|
+
const authIds = idsByCategory('authentication');
|
|
5
|
+
const injectionIds = idsByCategory('injection');
|
|
6
|
+
const xssIds = idsByCategory('xss');
|
|
7
|
+
const ssrfIds = idsByCategory('ssrf');
|
|
8
|
+
const configIds = idsByCategory('configuration');
|
|
9
|
+
const disclosureIds = idsByCategory('information_disclosure');
|
|
10
|
+
const cookieIds = idsByCodePrefix(['COOKIE_']);
|
|
11
|
+
const dirbrowseIds = idsByCodePrefix(['DIRBROWSE_']);
|
|
12
|
+
const jwtIds = idsByCodePrefix(['JWT_']);
|
|
13
|
+
const hstsIds = idsByCodes([
|
|
14
|
+
'HEADER_MISSING_HSTS',
|
|
15
|
+
'HEADER_HSTS_BAD_MAX_AGE',
|
|
16
|
+
'HEADER_HSTS_SHORT_MAX_AGE',
|
|
17
|
+
'HEADER_HSTS_NO_INCLUDESUBDOMAINS',
|
|
18
|
+
'HEADER_HSTS_PRELOAD_LOW_MAX_AGE',
|
|
19
|
+
'HEADER_DRIFT_HSTS',
|
|
20
|
+
]);
|
|
21
|
+
const cookieSecureIds = idsByCodes([
|
|
22
|
+
'COOKIE_SAMESITE_NONE_WITHOUT_SECURE',
|
|
23
|
+
'COOKIE_SESSION_MISSING_SECURE',
|
|
24
|
+
'COOKIE_MISSING_SECURE',
|
|
25
|
+
'COOKIE_HOST_PREFIX_INVALID',
|
|
26
|
+
'COOKIE_SECURE_PREFIX_INVALID',
|
|
27
|
+
]);
|
|
28
|
+
const allAppSecIds = mergeIds(authIds, injectionIds, xssIds, ssrfIds, configIds, disclosureIds);
|
|
29
|
+
const misconfigIds = mergeIds(configIds, disclosureIds);
|
|
30
|
+
const accessControlIds = mergeIds(authIds, cookieIds, dirbrowseIds, disclosureIds);
|
|
31
|
+
const cryptoIds = mergeIds(jwtIds, hstsIds, cookieSecureIds);
|
|
32
|
+
const injectionAndXssIds = mergeIds(injectionIds, xssIds);
|
|
33
|
+
const authAndCookieIds = mergeIds(authIds, cookieIds);
|
|
34
|
+
export const PCI_DSS_COMPLIANCE = {
|
|
35
|
+
[ComplianceCode.PCI_REQ_1_INSTALL_FIREWALL]: {
|
|
36
|
+
id: 74,
|
|
37
|
+
code: ComplianceCode.PCI_REQ_1_INSTALL_FIREWALL,
|
|
38
|
+
title: 'Requirement 1 Install and Maintain a Firewall Configuration',
|
|
39
|
+
description: 'Set up and maintain a firewall to create a secure barrier between cardholder data and any external threats. This protects sensitive information from unauthorized access by controlling the incoming and outgoing network traffic.',
|
|
40
|
+
complianceStandard: ComplianceCategory.PCIDSS,
|
|
41
|
+
relatedVulnerabilityIds: [],
|
|
42
|
+
isNotApplicable: true,
|
|
43
|
+
},
|
|
44
|
+
[ComplianceCode.PCI_REQ_2_1_CHANGE_DEFAULT_PASSWORDS]: {
|
|
45
|
+
id: 75,
|
|
46
|
+
code: ComplianceCode.PCI_REQ_2_1_CHANGE_DEFAULT_PASSWORDS,
|
|
47
|
+
title: 'Requirement 2.1 Change Vendor-Supplied Default Passwords',
|
|
48
|
+
description: 'Always replace default passwords and remove or disable default accounts provided by vendors before setting up a system. This applies to all types of default passwords, such as those for operating systems, security software, point-of-sale terminals, and other system services, to prevent unauthorized access.',
|
|
49
|
+
complianceStandard: ComplianceCategory.PCIDSS,
|
|
50
|
+
relatedVulnerabilityIds: authAndCookieIds,
|
|
51
|
+
isNotApplicable: true,
|
|
52
|
+
},
|
|
53
|
+
[ComplianceCode.PCI_REQ_2_2_1_ONE_PRIMARY_FUNCTION]: {
|
|
54
|
+
id: 76,
|
|
55
|
+
code: ComplianceCode.PCI_REQ_2_2_1_ONE_PRIMARY_FUNCTION,
|
|
56
|
+
title: 'Requirement 2.2.1 One Primary Function Per Server',
|
|
57
|
+
description: 'Implement only one primary function per server (e.g., web server, database server, DNS) to avoid coexisting functions with different security levels. If using virtualization, ensure each virtual system component performs a single function.',
|
|
58
|
+
complianceStandard: ComplianceCategory.PCIDSS,
|
|
59
|
+
relatedVulnerabilityIds: [],
|
|
60
|
+
isNotApplicable: true,
|
|
61
|
+
},
|
|
62
|
+
[ComplianceCode.PCI_REQ_2_2_2_ENABLE_NECESSARY_SERVICES]: {
|
|
63
|
+
id: 77,
|
|
64
|
+
code: ComplianceCode.PCI_REQ_2_2_2_ENABLE_NECESSARY_SERVICES,
|
|
65
|
+
title: 'Requirement 2.2.2 Enable Only Necessary Services and Protocols',
|
|
66
|
+
description: 'Activate only the essential services, protocols, and daemons needed for the system to function. This minimizes potential vulnerabilities by reducing the number of unnecessary services that could be exploited by attackers.',
|
|
67
|
+
complianceStandard: ComplianceCategory.PCIDSS,
|
|
68
|
+
relatedVulnerabilityIds: misconfigIds,
|
|
69
|
+
isNotApplicable: false,
|
|
70
|
+
},
|
|
71
|
+
[ComplianceCode.PCI_REQ_2_2_3_SECURE_INSECURE_SERVICES]: {
|
|
72
|
+
id: 78,
|
|
73
|
+
code: ComplianceCode.PCI_REQ_2_2_3_SECURE_INSECURE_SERVICES,
|
|
74
|
+
title: 'Requirement 2.2.3 Implement Additional Security Features for Insecure Services',
|
|
75
|
+
description: 'Apply extra security measures to secure any necessary services, protocols, or daemons identified as insecure. For environments using SSL/early TLS, adhere to the requirements specified in Appendix A2 to mitigate vulnerabilities.',
|
|
76
|
+
complianceStandard: ComplianceCategory.PCIDSS,
|
|
77
|
+
relatedVulnerabilityIds: cryptoIds,
|
|
78
|
+
isNotApplicable: false,
|
|
79
|
+
},
|
|
80
|
+
[ComplianceCode.PCI_REQ_2_2_4_CONFIGURE_SYSTEM_PARAMETERS]: {
|
|
81
|
+
id: 79,
|
|
82
|
+
code: ComplianceCode.PCI_REQ_2_2_4_CONFIGURE_SYSTEM_PARAMETERS,
|
|
83
|
+
title: 'Requirement 2.2.4 Configure System Security Parameters',
|
|
84
|
+
description: 'Configure system security parameters to prevent misuse, ensuring systems are protected from unauthorized actions.',
|
|
85
|
+
complianceStandard: ComplianceCategory.PCIDSS,
|
|
86
|
+
relatedVulnerabilityIds: misconfigIds,
|
|
87
|
+
isNotApplicable: false,
|
|
88
|
+
},
|
|
89
|
+
[ComplianceCode.PCI_REQ_2_2_5_STRENGTHEN_INSECURE_SERVICES]: {
|
|
90
|
+
id: 80,
|
|
91
|
+
code: ComplianceCode.PCI_REQ_2_2_5_STRENGTHEN_INSECURE_SERVICES,
|
|
92
|
+
title: 'Requirement 2.2.5 Strengthen Security for Insecure Services',
|
|
93
|
+
description: 'For services, protocols, or daemons that are deemed insecure, extra security features should be added to protect them. This is particularly important when using SSL or early TLS; specific guidelines from Appendix A2 must be followed to ensure proper security.',
|
|
94
|
+
complianceStandard: ComplianceCategory.PCIDSS,
|
|
95
|
+
relatedVulnerabilityIds: cryptoIds,
|
|
96
|
+
isNotApplicable: false,
|
|
97
|
+
},
|
|
98
|
+
[ComplianceCode.PCI_REQ_2_3_ENCRYPT_NON_CONSOLE_ADMIN]: {
|
|
99
|
+
id: 81,
|
|
100
|
+
code: ComplianceCode.PCI_REQ_2_3_ENCRYPT_NON_CONSOLE_ADMIN,
|
|
101
|
+
title: 'Requirement 2.3 Encrypt Non-Console Administrative Access',
|
|
102
|
+
description: 'Use strong encryption to secure all administrative access, especially when accessing systems remotely. If SSL or early TLS is used, follow the additional requirements in Appendix A2 to ensure secure communication.',
|
|
103
|
+
complianceStandard: ComplianceCategory.PCIDSS,
|
|
104
|
+
relatedVulnerabilityIds: cryptoIds,
|
|
105
|
+
isNotApplicable: false,
|
|
106
|
+
},
|
|
107
|
+
[ComplianceCode.PCI_REQ_3_1_MINIMIZE_DATA_STORAGE]: {
|
|
108
|
+
id: 86,
|
|
109
|
+
code: ComplianceCode.PCI_REQ_3_1_MINIMIZE_DATA_STORAGE,
|
|
110
|
+
title: 'Requirement 3.1 Minimize Cardholder Data Storage',
|
|
111
|
+
description: 'Implement policies and procedures to store only the necessary cardholder data and securely dispose of it when no longer needed, to reduce risk and ensure compliance with data retention standards.',
|
|
112
|
+
complianceStandard: ComplianceCategory.PCIDSS,
|
|
113
|
+
relatedVulnerabilityIds: disclosureIds,
|
|
114
|
+
isNotApplicable: true,
|
|
115
|
+
},
|
|
116
|
+
[ComplianceCode.PCI_REQ_4_1_STRONG_CRYPTO_TRANSMISSION]: {
|
|
117
|
+
id: 95,
|
|
118
|
+
code: ComplianceCode.PCI_REQ_4_1_STRONG_CRYPTO_TRANSMISSION,
|
|
119
|
+
title: 'Requirement 4.1 Use Strong Cryptography for Cardholder Data Transmission',
|
|
120
|
+
description: 'Ensure the use of strong cryptography and secure protocols to protect cardholder data during transmission over open, public networks. Only trusted keys and certificates should be used, and the protocol must support secure configurations with appropriate encryption strength.',
|
|
121
|
+
complianceStandard: ComplianceCategory.PCIDSS,
|
|
122
|
+
relatedVulnerabilityIds: cryptoIds,
|
|
123
|
+
isNotApplicable: false,
|
|
124
|
+
},
|
|
125
|
+
[ComplianceCode.PCI_REQ_6_1_IDENTIFY_RANK_VULNERABILITIES]: {
|
|
126
|
+
id: 99,
|
|
127
|
+
code: ComplianceCode.PCI_REQ_6_1_IDENTIFY_RANK_VULNERABILITIES,
|
|
128
|
+
title: 'Requirement 6.1 Identify and Rank Security Vulnerabilities',
|
|
129
|
+
description: 'Establish a process to regularly identify security vulnerabilities in systems and applications, using trusted external sources for vulnerability information. Once identified, assign a risk ranking (e.g., high, medium, or low) to each vulnerability to prioritize remediation efforts based on potential impact. This helps ensure that the most critical security flaws are addressed first.',
|
|
130
|
+
complianceStandard: ComplianceCategory.PCIDSS,
|
|
131
|
+
relatedVulnerabilityIds: allAppSecIds,
|
|
132
|
+
isNotApplicable: true,
|
|
133
|
+
},
|
|
134
|
+
[ComplianceCode.PCI_REQ_6_2_INSTALL_SECURITY_PATCHES]: {
|
|
135
|
+
id: 100,
|
|
136
|
+
code: ComplianceCode.PCI_REQ_6_2_INSTALL_SECURITY_PATCHES,
|
|
137
|
+
title: 'Requirement 6.2 Install Vendor-Supplied Security Patches',
|
|
138
|
+
description: 'Protect all system components and software from known vulnerabilities by installing security patches provided by the vendor. Ensure that critical security patches are installed within one month of their release to minimize the risk of exploitation from known threats. This helps keep systems secure and up to date with the latest protections.',
|
|
139
|
+
complianceStandard: ComplianceCategory.PCIDSS,
|
|
140
|
+
relatedVulnerabilityIds: allAppSecIds,
|
|
141
|
+
isNotApplicable: false,
|
|
142
|
+
},
|
|
143
|
+
[ComplianceCode.PCI_REQ_6_3_1_SECURE_SOFTWARE_DEVELOPMENT]: {
|
|
144
|
+
id: 101,
|
|
145
|
+
code: ComplianceCode.PCI_REQ_6_3_1_SECURE_SOFTWARE_DEVELOPMENT,
|
|
146
|
+
title: 'Requirement 6.3.1 Secure Software Development Practices',
|
|
147
|
+
description: 'Develop and maintain secure software applications by following best practices for security throughout the development lifecycle. This applies to all software, whether created internally or custom-built by third parties, including securing web-based access and protecting against potential vulnerabilities.',
|
|
148
|
+
complianceStandard: ComplianceCategory.PCIDSS,
|
|
149
|
+
relatedVulnerabilityIds: injectionAndXssIds,
|
|
150
|
+
isNotApplicable: true,
|
|
151
|
+
},
|
|
152
|
+
[ComplianceCode.PCI_REQ_6_5_1_PREVENT_INJECTION]: {
|
|
153
|
+
id: 107,
|
|
154
|
+
code: ComplianceCode.PCI_REQ_6_5_1_PREVENT_INJECTION,
|
|
155
|
+
title: 'Requirement 6.5.1 Prevent Injection Flaws in Applications',
|
|
156
|
+
description: 'Ensure that applications are protected from injection attacks, such as SQL injection and other types like OS Command, LDAP, and XPath injection, by implementing proper input validation, escaping user inputs, and using parameterized queries to prevent malicious code from being executed.',
|
|
157
|
+
complianceStandard: ComplianceCategory.PCIDSS,
|
|
158
|
+
relatedVulnerabilityIds: injectionAndXssIds,
|
|
159
|
+
isNotApplicable: false,
|
|
160
|
+
},
|
|
161
|
+
[ComplianceCode.PCI_REQ_6_5_2_PREVENT_BUFFER_OVERFLOW]: {
|
|
162
|
+
id: 108,
|
|
163
|
+
code: ComplianceCode.PCI_REQ_6_5_2_PREVENT_BUFFER_OVERFLOW,
|
|
164
|
+
title: 'Requirement 6.5.2 Protect Against Buffer Overflow Vulnerabilities',
|
|
165
|
+
description: 'Safeguard applications from buffer overflow attacks by ensuring proper bounds checking and input validation, preventing attackers from writing data outside allocated memory spaces and exploiting vulnerabilities in software.',
|
|
166
|
+
complianceStandard: ComplianceCategory.PCIDSS,
|
|
167
|
+
relatedVulnerabilityIds: [],
|
|
168
|
+
isNotApplicable: true,
|
|
169
|
+
},
|
|
170
|
+
[ComplianceCode.PCI_REQ_6_5_3_SECURE_CRYPTOGRAPHIC_STORAGE]: {
|
|
171
|
+
id: 109,
|
|
172
|
+
code: ComplianceCode.PCI_REQ_6_5_3_SECURE_CRYPTOGRAPHIC_STORAGE,
|
|
173
|
+
title: 'Requirement 6.5.3 Secure Cryptographic Storage',
|
|
174
|
+
description: 'Ensure sensitive data is securely stored using strong encryption techniques to protect it from unauthorized access or disclosure, minimizing the risk of data breaches or misuse.',
|
|
175
|
+
complianceStandard: ComplianceCategory.PCIDSS,
|
|
176
|
+
relatedVulnerabilityIds: cryptoIds,
|
|
177
|
+
isNotApplicable: false,
|
|
178
|
+
},
|
|
179
|
+
[ComplianceCode.PCI_REQ_6_5_4_SECURE_COMM_CHANNELS]: {
|
|
180
|
+
id: 110,
|
|
181
|
+
code: ComplianceCode.PCI_REQ_6_5_4_SECURE_COMM_CHANNELS,
|
|
182
|
+
title: 'Requirement 6.5.4 Secure Communication Channels',
|
|
183
|
+
description: 'Use strong encryption protocols to protect sensitive data during transmission over networks, ensuring it cannot be intercepted or tampered with during communication.',
|
|
184
|
+
complianceStandard: ComplianceCategory.PCIDSS,
|
|
185
|
+
relatedVulnerabilityIds: cryptoIds,
|
|
186
|
+
isNotApplicable: false,
|
|
187
|
+
},
|
|
188
|
+
[ComplianceCode.PCI_REQ_6_5_5_PROPER_ERROR_HANDLING]: {
|
|
189
|
+
id: 111,
|
|
190
|
+
code: ComplianceCode.PCI_REQ_6_5_5_PROPER_ERROR_HANDLING,
|
|
191
|
+
title: 'Requirement 6.5.5 Proper Error Handling Practices',
|
|
192
|
+
description: 'Ensure that error messages do not reveal sensitive information that could be exploited by attackers. Implement secure error handling to log issues without exposing system details or data to unauthorized users.',
|
|
193
|
+
complianceStandard: ComplianceCategory.PCIDSS,
|
|
194
|
+
relatedVulnerabilityIds: injectionAndXssIds,
|
|
195
|
+
isNotApplicable: false,
|
|
196
|
+
},
|
|
197
|
+
[ComplianceCode.PCI_REQ_6_5_6_ADDRESS_HIGH_RISK_VULNS]: {
|
|
198
|
+
id: 112,
|
|
199
|
+
code: ComplianceCode.PCI_REQ_6_5_6_ADDRESS_HIGH_RISK_VULNS,
|
|
200
|
+
title: 'Requirement 6.5.6 Address High-Risk Vulnerabilities Promptly',
|
|
201
|
+
description: 'Identify and address all "high risk" vulnerabilities as part of the security vulnerability process to prevent potential breaches and protect sensitive data.',
|
|
202
|
+
complianceStandard: ComplianceCategory.PCIDSS,
|
|
203
|
+
relatedVulnerabilityIds: allAppSecIds,
|
|
204
|
+
isNotApplicable: true,
|
|
205
|
+
},
|
|
206
|
+
[ComplianceCode.PCI_REQ_6_5_7_PREVENT_XSS]: {
|
|
207
|
+
id: 113,
|
|
208
|
+
code: ComplianceCode.PCI_REQ_6_5_7_PREVENT_XSS,
|
|
209
|
+
title: 'Requirement 6.5.7 Prevent Cross-Site Scripting (XSS) Vulnerabilities',
|
|
210
|
+
description: 'Ensure that web applications are secure against XSS attacks, where attackers inject malicious scripts into web pages. Implement input validation and output encoding to prevent scripts from being executed in a user\'s browser.',
|
|
211
|
+
complianceStandard: ComplianceCategory.PCIDSS,
|
|
212
|
+
relatedVulnerabilityIds: xssIds,
|
|
213
|
+
isNotApplicable: false,
|
|
214
|
+
},
|
|
215
|
+
[ComplianceCode.PCI_REQ_6_5_8_PREVENT_ACCESS_CONTROL_VULNS]: {
|
|
216
|
+
id: 114,
|
|
217
|
+
code: ComplianceCode.PCI_REQ_6_5_8_PREVENT_ACCESS_CONTROL_VULNS,
|
|
218
|
+
title: 'Requirement 6.5.8 Prevent Improper Access Control Vulnerabilities',
|
|
219
|
+
description: 'Ensure that web applications properly control access to sensitive resources. Implement strong access control mechanisms to prevent unauthorized users from accessing or modifying data they shouldn t, and avoid vulnerabilities like insecure direct object references, directory traversal, or unrestricted URL access.',
|
|
220
|
+
complianceStandard: ComplianceCategory.PCIDSS,
|
|
221
|
+
relatedVulnerabilityIds: accessControlIds,
|
|
222
|
+
isNotApplicable: false,
|
|
223
|
+
},
|
|
224
|
+
[ComplianceCode.PCI_REQ_6_5_9_PREVENT_CSRF]: {
|
|
225
|
+
id: 115,
|
|
226
|
+
code: ComplianceCode.PCI_REQ_6_5_9_PREVENT_CSRF,
|
|
227
|
+
title: 'Requirement 6.5.9 Prevent Cross-Site Request Forgery (CSRF)',
|
|
228
|
+
description: 'Implement security measures to prevent CSRF attacks, where an attacker tricks a user into making unwanted requests to a website on which the user is authenticated. Use anti-CSRF tokens and ensure that user actions are properly validated and protected from being exploited through malicious requests.',
|
|
229
|
+
complianceStandard: ComplianceCategory.PCIDSS,
|
|
230
|
+
relatedVulnerabilityIds: [],
|
|
231
|
+
isNotApplicable: false,
|
|
232
|
+
},
|
|
233
|
+
[ComplianceCode.PCI_REQ_6_5_10_PREVENT_BROKEN_AUTH]: {
|
|
234
|
+
id: 116,
|
|
235
|
+
code: ComplianceCode.PCI_REQ_6_5_10_PREVENT_BROKEN_AUTH,
|
|
236
|
+
title: 'Requirement 6.5.10 Prevent Broken Authentication and Session Management',
|
|
237
|
+
description: 'Secure user authentication and session management processes to prevent unauthorized access. This includes using strong, multi-factor authentication methods, enforcing session timeouts, and ensuring that session identifiers are securely generated, stored, and invalidated after use.',
|
|
238
|
+
complianceStandard: ComplianceCategory.PCIDSS,
|
|
239
|
+
relatedVulnerabilityIds: authAndCookieIds,
|
|
240
|
+
isNotApplicable: false,
|
|
241
|
+
},
|
|
242
|
+
[ComplianceCode.PCI_REQ_7_RESTRICT_ACCESS_NEED_TO_KNOW]: {
|
|
243
|
+
id: 119,
|
|
244
|
+
code: ComplianceCode.PCI_REQ_7_RESTRICT_ACCESS_NEED_TO_KNOW,
|
|
245
|
+
title: 'Requirement 7 Restrict Access to System Components and Cardholder Data by Business Need-to-Know',
|
|
246
|
+
description: 'Access to sensitive system components and cardholder data should be limited only to those individuals whose job responsibilities require it. Permissions should be granted based on business needs, following the principle of least privilege to minimize security risks.',
|
|
247
|
+
complianceStandard: ComplianceCategory.PCIDSS,
|
|
248
|
+
relatedVulnerabilityIds: accessControlIds,
|
|
249
|
+
isNotApplicable: true,
|
|
250
|
+
},
|
|
251
|
+
[ComplianceCode.PCI_REQ_8_1_1_ASSIGN_UNIQUE_IDS]: {
|
|
252
|
+
id: 126,
|
|
253
|
+
code: ComplianceCode.PCI_REQ_8_1_1_ASSIGN_UNIQUE_IDS,
|
|
254
|
+
title: 'Requirement 8.1.1 Assign Unique IDs for All Users',
|
|
255
|
+
description: 'Ensure every user is assigned a unique identification (ID) before they are granted access to system components or cardholder data. This helps track user activities and ensures accountability.',
|
|
256
|
+
complianceStandard: ComplianceCategory.PCIDSS,
|
|
257
|
+
relatedVulnerabilityIds: authAndCookieIds,
|
|
258
|
+
isNotApplicable: true,
|
|
259
|
+
},
|
|
260
|
+
};
|