Clients are authenticated and authorised on every call to a web API that can modify data; no state-changing endpoint is reachable without both checks.
Keep authentication both flexible and secure by supporting several authentication methods while phasing out weak or deprecated authenticators. Design the authentication system for agile authenticator management, so that users can move to stronger methods such as hardware security keys or platform biometrics while weaker ones are retired without breaking existing accounts (close enrollment first, then stop accepting the authenticator at login). Avoid SMS and voice-call one-time codes, which NIST SP 800-63B classes as "restricted" authenticators that may be withdrawn in future revisions, and do not use email-delivered codes, which 800-63B does not accept as an out-of-band authenticator at all. Implement adaptive authentication so that the strength of the factor demanded rises with the assessed risk of the login (new device, unusual location, repeated failures, sensitive operation) rather than burdening every low-risk login equally. Re-evaluate the authenticator policy on a schedule so it tracks current best practice.
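The two design points above, an authenticator catalogue with staged sunset dates and a risk-based choice of second factor, fit in one small policy module. The following is an added example written for this page, not code from any standard or product; the catalogue, the sunset dates and the risk weights are assumptions chosen for illustration.

```python
"""Authenticator lifecycle policy and risk-based step-up (added example).

The catalogue, dates and risk weights below are assumptions for the
illustration, not values taken from NIST SP 800-63B or any product.
"""
from dataclasses import dataclass
from datetime import date
from enum import IntEnum
from typing import Optional


class Strength(IntEnum):
    """Assurance ordering used by the step-up decision; higher is stronger."""
    RESTRICTED = 0           # SMS/voice OTP: "restricted" in NIST SP 800-63B
    BASIC = 1                # app-based TOTP and similar possession factors
    PHISHING_RESISTANT = 2   # FIDO2/WebAuthn hardware or platform key


@dataclass(frozen=True)
class AuthenticatorType:
    name: str
    strength: Strength
    enrollment_sunset: Optional[date] = None  # refuse new enrollments from this date
    use_sunset: Optional[date] = None         # refuse at login from this date


# Constructed catalogue; the sunset dates are assumptions for the example.
CATALOGUE = {
    "password": AuthenticatorType("password", Strength.BASIC),
    "totp": AuthenticatorType("totp", Strength.BASIC),
    "sms_otp": AuthenticatorType("sms_otp", Strength.RESTRICTED,
                                 enrollment_sunset=date(2025, 1, 1),
                                 use_sunset=date(2026, 1, 1)),
    "fido2": AuthenticatorType("fido2", Strength.PHISHING_RESISTANT),
}


def can_enroll(kind: str, today: date) -> bool:
    """Stage 1 of deprecation: enrollment closes at the enrollment sunset."""
    a = CATALOGUE.get(kind)
    if a is None:
        return False
    return a.enrollment_sunset is None or today < a.enrollment_sunset


def can_use(kind: str, today: date) -> bool:
    """Stage 2 of deprecation: existing enrollments stop working at the use sunset."""
    a = CATALOGUE.get(kind)
    if a is None:
        return False
    return a.use_sunset is None or today < a.use_sunset


def risk_score(ctx: dict) -> int:
    """Sum constructed risk signals for a login attempt; weights are assumptions."""
    score = 0
    if ctx.get("new_device"):
        score += 2
    if ctx.get("country_changed"):
        score += 2
    if ctx.get("failed_attempts", 0) >= 3:
        score += 1
    if ctx.get("sensitive_operation"):
        score += 2
    return score


def required_strength(score: int) -> Strength:
    """Weakest second factor the server will accept at this risk level."""
    if score >= 4:
        return Strength.PHISHING_RESISTANT
    if score >= 2:
        return Strength.BASIC
    return Strength.RESTRICTED


def second_factor_options(score: int, enrolled: list, today: date) -> list:
    """Enrolled, still-usable second factors that meet the required strength."""
    need = required_strength(score)
    return [k for k in enrolled
            if k != "password" and can_use(k, today)
            and CATALOGUE[k].strength >= need]


def decide(ctx: dict, enrolled: list, today: date) -> tuple:
    """Adaptive decision: ("step_up", options) or ("deny", []).

    A second factor is always required; only its minimum strength adapts.
    An empty option list means nothing enrolled meets the bar: deny and
    route the user to enroll a stronger method instead of falling back
    to a restricted one.
    """
    options = second_factor_options(risk_score(ctx), enrolled, today)
    return ("step_up", options) if options else ("deny", [])
```

Note that the restricted authenticator is only ever offered for low-risk logins and only until its use sunset; a user who has nothing stronger enrolled is pushed to enroll rather than quietly allowed through.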
Organizations must run security tests that verify each standard security control behaves as intended, so that the confidentiality, integrity and availability (CIA) of data and services are actually protected rather than assumed. The tests cover the critical mechanisms: authentication, access control, input validation, output encoding and escaping, and encryption, and they are designed to surface weaknesses in those mechanisms. Security testing is part of the development lifecycle, not a one-off gate: it checks that each control is implemented correctly and that it blocks unauthorized access and data manipulation, so that the application enforces its security policy consistently and risks are mitigated before deployment. Continuous assessment of the controls' effectiveness lets the organization find gaps and close them before they become security failures in production.
ID | Operation | Description | Phase | Agent |
---|---|---|---|---|
SSS-02-16-01-01-01 | Integrate security testing into the development lifecycle | Systematically integrate security testing into the development lifecycle, ensuring that security controls are tested throughout the application’s development and deployment. | Development | Security Engineers, DevOps Teams |
SSS-02-16-01-01-02 | Test authentication and access control mechanisms | Validate the effectiveness of authentication and access control mechanisms to ensure that only authorized users can access sensitive data or services. This testing should include both functional and boundary cases. | Development | Security Engineers, QA Teams |
SSS-02-16-01-01-03 | Test input validation, encoding, and escaping | Verify that input validation is robust and correctly implemented to prevent malicious data input, including testing for encoding and escaping issues that could lead to injection vulnerabilities. | Development | Security Engineers, QA Teams |
SSS-02-16-01-01-04 | Test encryption and data protection controls | Ensure encryption mechanisms are correctly implemented and that data is adequately protected during storage and transmission. This includes validating key management, encryption strength, and data integrity checks. | Development | Security Engineers, IT Operations |
SSS-02-16-01-01-05 | Conduct regular security audits | Perform periodic audits and security reviews to ensure that all security controls remain effective and up-to-date, particularly when there are updates or changes to the application. | Post-deployment | Security Engineers, Compliance Officers |
SSS-02-16-01-01-06 | Simulate attack scenarios | Conduct simulated attack scenarios (e.g., penetration testing, red teaming) to test how well the system withstands potential real-world security threats and identify vulnerabilities before they can be exploited. | Development | Security Engineers, Penetration Testers |
SSS-02-16-01-01-07 | Identify and mitigate security gaps | Continuously assess the effectiveness of all security defenses. Identify any weaknesses or gaps in the security posture and apply corrective measures to enhance overall security. | Post-deployment | Security Engineers, IT Operations |
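Operation SSS-02-16-01-01-02 asks for functional and boundary tests of authentication and access control. The block below is an added example written for this page, not the page's own test suite: it runs a constructed in-memory API (users, tokens, records and status codes are all made up) through the cases a reviewer would expect, namely the positive path, missing, unknown and expired tokens, a disabled account, writes to another user's record, a role that may read but not modify, and a final check that every denied write left the data untouched. Against a real service the same cases would be issued as HTTP requests and the status codes and stored state checked the same way.

```python
"""Security tests for an API's authentication and access control (added example).

The MiniApi class is a constructed stand-in for a web API that modifies
data, so the tests run offline; its users, tokens and records are made up.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Record:
    owner: str
    value: str


@dataclass
class MiniApi:
    """Constructed stand-in for a data-modifying web API."""
    tokens: dict = field(default_factory=dict)          # token -> (user, expiry seconds)
    roles: dict = field(default_factory=dict)           # user -> "editor" | "viewer"
    records: dict = field(default_factory=dict)         # record id -> Record
    disabled_users: set = field(default_factory=set)

    def authenticate(self, token: Optional[str], now: int) -> Optional[str]:
        """User id for a known, unexpired token of an active user, else None."""
        if not token or token not in self.tokens:
            return None
        user, exp = self.tokens[token]
        if now >= exp or user in self.disabled_users:   # expiry instant is excluded
            return None
        return user

    def update_record(self, token: Optional[str], record_id: str,
                      new_value: str, now: int) -> int:
        """PUT /records/{id}; returns an HTTP-style status code."""
        user = self.authenticate(token, now)
        if user is None:
            return 401
        rec = self.records.get(record_id)
        # A record owned by someone else gets the same 404 as a missing one,
        # so the endpoint never confirms which ids exist (no enumeration).
        if rec is None or rec.owner != user:
            return 404
        if self.roles.get(user) != "editor":
            return 403
        rec.value = new_value
        return 200


def fixture() -> MiniApi:
    """Constructed test data: all names, tokens and times are invented."""
    api = MiniApi()
    api.tokens = {"tok-alice": ("alice", 2000), "tok-bob": ("bob", 2000),
                  "tok-carol": ("carol", 2000), "tok-dave": ("dave", 2000)}
    api.roles = {"alice": "editor", "bob": "editor",
                 "carol": "viewer", "dave": "editor"}
    api.records = {"r1": Record("alice", "v1"), "r2": Record("bob", "v1"),
                   "r3": Record("carol", "v1")}
    api.disabled_users = {"dave"}
    return api


def security_tests() -> dict:
    """Functional and boundary cases; maps case name -> passed (bool)."""
    api = fixture()
    now = 1000
    cases = {}
    # functional: the owner with the editor role may modify
    cases["owner_can_update"] = api.update_record("tok-alice", "r1", "v2", now) == 200
    # authentication boundaries
    cases["missing_token_rejected"] = api.update_record(None, "r1", "x", now) == 401
    cases["unknown_token_rejected"] = api.update_record("tok-zzz", "r1", "x", now) == 401
    cases["token_expired_at_boundary"] = api.update_record("tok-alice", "r1", "x", 2000) == 401
    cases["token_valid_just_before_expiry"] = api.update_record("tok-alice", "r1", "v3", 1999) == 200
    cases["disabled_user_rejected"] = api.update_record("tok-dave", "r1", "x", now) == 401
    # authorization boundaries
    cases["cross_user_write_denied"] = api.update_record("tok-bob", "r1", "x", now) == 404
    cases["missing_record_same_as_foreign"] = api.update_record("tok-bob", "nope", "x", now) == 404
    cases["viewer_cannot_modify_own"] = api.update_record("tok-carol", "r3", "x", now) == 403
    # state check: denied writes must not have changed anything
    cases["denied_writes_left_data_intact"] = (
        api.records["r1"].value == "v3" and api.records["r3"].value == "v1"
    )
    return cases
```

The last case is the one most often missing from hand-written suites: a status code alone does not prove the control worked, so the stored state is checked after every negative case.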
Industry framework | Academic work | Real-world case |
---|---|---|
Information Security Manual (ISM-1818); OWASP Application Security Verification Standard; OWASP SAMM: Software Assurance Maturity Model (V-RT-1-A) | | |