Test the system for broken authentication and session management.


CONTROL ID
01320
CONTROL TYPE
Testing
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Perform penetration tests, as necessary., CC ID: 00655

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Robust System Security Testing, in respect of critical e-banking systems, needs to incorporate, inter-alia, specifications relating to information leakage, business logic, authentication, authorization, input data validation, exception/error handling, session management, cryptography and detailed lo… (Critical components of information security 11) c.32., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Networks are scanned at least monthly to identify any credentials that are being stored in the clear. (Control: ISM-1875; Revision: 0, Australian Government Information Security Manual, September 2023)
  • Interview responsible personnel and examine the software development policies and procedures to verify broken authentication and session management is addressed with coding techniques, such as incorporating timeouts and rotation of session identifications after successful logins, flagging session to… (Testing Procedures § 6.5.10, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • The organization must ensure the development of software is based on secure coding guidelines and prevents common coding vulnerabilities such as insecure communications. (§ 6.5.7, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • The software development process must address common coding vulnerabilities, to include broken authentication and session management. (PCI DSS Requirements § 6.5.10, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • All users should be properly authenticated, and account credentials and session tokens should be protected appropriately for internal and external web payment applications. (§ 5.2.7, Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1)
  • Do coding techniques address broken authentication and session management? (PCI DSS Question 6.5.10, PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Do coding techniques address broken authentication and session management? (PCI DSS Question 6.5.10, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Do coding techniques address broken authentication and session management? (PCI DSS Question 6.5.10, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)