
Authentication attempts should be limited in number

Details

• Message: Make sure infinite authentication attempts are not permitted.
• Default Severity: Critical
• Impact: High
• Likelihood: Low
• Targeted languages: ABAP, C#, C, C++, Cobol, Flex, Java, JavaScript, Objective-C, PHP, PL/I, PL/SQL, Python, RPG, Swift, VB.Net, VB6
• Remediation Function: Constant/Issue
• Constant Cost: 1h
• Analysis Scope: Main Sources
• Common Rule: Yes
• CWE: CWE-307
• OWASP: A2
• SANS Top 25: Porous Defenses

      Description

      Locking an account which has had too many sequential, failed login attempts within a short time can help resist brute force attacks. This rule raises an issue on authentication code so that such controls can be verified.

      Noncompliant Code Example

import javax.naming.Context;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import java.util.Hashtable;

Hashtable<String, Object> env = new Hashtable<>();
env.put(Context.SECURITY_PRINCIPAL, principal);
env.put(Context.SECURITY_CREDENTIALS, password);

DirContext ctx = new InitialDirContext(env);  // Noncompliant: nothing bounds how many failed binds a caller may make
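A compliant counterpart, added here as an illustration and not taken from the RSPEC page: the LDAP bind is wrapped by a per-principal failure counter, and further bind attempts are refused once the threshold is reached. The threshold of 5 failures, the 15-minute lockout, and the ldaps URL are assumed placeholder values.

```java
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import java.time.Duration;
import java.time.Instant;
import java.util.Hashtable;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Compliant LDAP bind: failed attempts are counted per principal and the account is locked after a threshold. */
public class LimitedLdapAuthenticator {
    private static final int MAX_FAILURES = 5;                      // assumed policy value
    private static final Duration LOCKOUT = Duration.ofMinutes(15); // assumed policy value
    private static final class Attempts { int failures; Instant lockedUntil = Instant.EPOCH; }
    private final Map<String, Attempts> attempts = new ConcurrentHashMap<>();

    public boolean isLocked(String principal) {
        Attempts a = attempts.get(principal);
        return a != null && Instant.now().isBefore(a.lockedUntil);
    }

    public DirContext authenticate(String principal, String password) throws NamingException {
        if (isLocked(principal)) {
            throw new AuthenticationException("account temporarily locked"); // refuse before touching the directory
        }
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://ldap.example.invalid:636"); // placeholder directory URL
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, password);
        try {
            DirContext ctx = new InitialDirContext(env); // Compliant: attempt count is bounded by the check above
            attempts.remove(principal);                  // a successful bind resets the counter
            return ctx;
        } catch (AuthenticationException e) {
            recordFailure(principal);                    // only bad credentials count, not network errors
            throw e;
        }
    }

    private void recordFailure(String principal) {
        Attempts a = attempts.computeIfAbsent(principal, k -> new Attempts());
        synchronized (a) {
            a.failures++;
            if (a.failures >= MAX_FAILURES) { a.lockedUntil = Instant.now().plus(LOCKOUT); a.failures = 0; }
        }
    }
}
```

In a multi-node deployment the counter would need to live in shared storage rather than a per-process map, otherwise each node grants its own budget of failures.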

Reporter: ann.campbell.2 Ann Campbell