Replaced AC22 with AC23 and AC24 #243
Conversation
As mentioned in izar#239 AC22 Credential Aging review the threat AC22 Credential Aging was not helpful. This commit replaces AC22 with two new threats AC23 Credential Disclosure and AC24 Hardcoded Credentials. AC23 checks if the lifetime of the credentials is LONG, MANUAL, or UNKNOWN. Currently there is no way to resolve this threat by changing the model, besides setting a different lifetime. AC24 warns against the use of hardcoded credentials.
These look good to me, thanks!
@izar thanks. What about the fact "Currently there is no way to resolve this threat by changing the model, besides setting a different lifetime.", meaning a shorter lifetime. Is it ok to always get this finding when using a large lifetime, or should there be a condition checking for a mitigation? Something like
I am not sure you can't mitigate it by changing the model. If it absolutely needs to have lifetime validity, it can be better protected, you can add "show current sessions" functionality, etc. Perhaps add values LIFETIME_CANT_CHANGE and use that to point to additional controls, and create a finding for LIFETIME?
Maybe we add a deprecated attribute to AC22 instead and, when loading the JSON, filter all threats with the deprecated attribute. The content of the attribute could also be the reason why it was detracted. The advantage would be that the old condition would still be intact. Another idea would be to create a deprecated.json and add AC22 there.
Sorry I'm not sure what you mean. I see that you could add and use a custom value by adding
Or do you mean that in pytm there should be a
Good idea!
That.
When a threat in `threats.json` has a `DEPRECATED` attribute the threat will be ignored. The value of `DEPRECATED` is irrelevant for pytm, but it can describe the reason for the deprecation.
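An added example (not pytm's own code) of the loading behaviour described in this comment: threats carrying a `DEPRECATED` key are dropped at load time and the key's value is kept only as the stated reason. The `threats.json` fragment, the `Element` class and the `condition` expression syntax are constructed assumptions for this example.

```python
import json
from dataclasses import dataclass

# Constructed threats.json fragment (not the project's real file). AC22 is
# marked DEPRECATED with the reason as its value; AC23 and AC24 are the
# replacements discussed in this PR. The "condition" syntax is assumed.
SAMPLE_THREATS_JSON = """
[
  {"SID": "AC22", "description": "Credential Aging",
   "DEPRECATED": "Replaced by AC23 and AC24",
   "condition": "target.credentialsLifetime != 'SHORT'"},
  {"SID": "AC23", "description": "Credential Disclosure",
   "condition": "target.credentialsLifetime in ('LONG', 'MANUAL', 'UNKNOWN')"},
  {"SID": "AC24", "description": "Hardcoded Credentials",
   "condition": "target.hasHardcodedCredentials"}
]
"""


@dataclass
class Element:
    """Minimal stand-in for a model element (assumption, not pytm's class)."""
    name: str
    credentialsLifetime: str = "UNKNOWN"
    hasHardcodedCredentials: bool = False


def load_threats(json_text):
    """Return (active, deprecated): active threats, and SID -> reason for the rest."""
    active, deprecated = [], {}
    for threat in json.loads(json_text):
        if "DEPRECATED" in threat:
            # Presence of the key disables the threat; its value is informational only.
            deprecated[threat["SID"]] = threat["DEPRECATED"]
            continue
        active.append(threat)
    return active, deprecated


def matching_threats(element, threats):
    """Evaluate each condition against the element; no builtins are exposed."""
    hits = []
    for threat in threats:
        if eval(threat["condition"], {"__builtins__": {}}, {"target": element}):
            hits.append(threat["SID"])
    return hits
```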
@izar Is there something missing, which I can do?
Sorry, dropped this one from my radar. Merged. Thanks!!