izar / pytm

A Pythonic framework for threat modeling

DS01: Weak credential storage - condition too broad #27

Open colesmj opened 5 years ago

colesmj commented 5 years ago

```python
"DS01": {
    "description": "Weak Credential Storage",
    "source": (Process, Element),
    "target": Datastore,
    "condition": "(target.storesPII is True or target.storesSensitiveData is True) and (target.isEncrypted is False or target.providesConfidentiality is False or target.providesIntegrity is False)",
},
```

Condition includes storesPII, which would not include credentials (at least not for the target or source); it also includes storesSensitiveData (same comment applies). A better test would be source.hasAccessControl or source.authenticatedWith - these conditions suggest the datastore holds credentials, and the target checks then make sense.
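To make the two conditions concrete, here is an added example (not pytm's own code, and not part of the issue) that evaluates the DS01 condition quoted above and the narrower source-side test proposed in the comment against constructed source/target pairs. It assumes pytm's general approach of evaluating the `condition` string as a Python expression with `source` and `target` bound; the `Element`, `Process` and `Datastore` classes and their attribute defaults below are a simplified stand-in, and `authenticatedWith` on the source is treated as a plain boolean flag for illustration.

```python
# Added example, not pytm's code: a minimal stand-in for how a pytm-style threat
# condition string is evaluated, used to compare the DS01 condition quoted in
# the issue with the narrower source-side test proposed in the comment.
# Assumptions: the condition is evaluated as a Python expression with `source`
# and `target` bound (pytm does this with eval); the classes and attribute
# defaults below are a simplified reconstruction, not pytm's real element classes.
from dataclasses import dataclass


@dataclass
class Element:
    name: str
    hasAccessControl: bool = False
    # Assumed flag for this example: the source presents credentials to the target.
    authenticatedWith: bool = False


@dataclass
class Process(Element):
    pass


@dataclass
class Datastore(Element):
    storesPII: bool = False
    storesSensitiveData: bool = False
    isEncrypted: bool = False
    providesConfidentiality: bool = False
    providesIntegrity: bool = False


# Target-side check shared by both variants: the store does not protect what it holds.
WEAK_STORAGE = (
    "(target.isEncrypted is False or target.providesConfidentiality is False"
    " or target.providesIntegrity is False)"
)

# DS01 as quoted in the issue: fires on any unprotected PII / sensitive-data store.
DS01_ORIGINAL = {
    "description": "Weak Credential Storage",
    "source": (Process, Element),
    "target": Datastore,
    "condition": "(target.storesPII is True or target.storesSensitiveData is True) and "
    + WEAK_STORAGE,
}

# Same threat with the condition the comment proposes: fire only when the
# source side indicates that credentials are involved.
DS01_PROPOSED = {
    **DS01_ORIGINAL,
    "condition": "(source.hasAccessControl or source.authenticatedWith) and " + WEAK_STORAGE,
}


def applies(threat, source, target):
    """Return True if `threat` matches the (source, target) pair.

    Checks the element types first, then evaluates the condition with only
    `source` and `target` in scope (builtins disabled)."""
    if not isinstance(source, threat["source"]) or not isinstance(target, threat["target"]):
        return False
    scope = {"__builtins__": {}, "source": source, "target": target}
    return bool(eval(threat["condition"], scope))


def compare_conditions():
    """Constructed scenarios showing where the two conditions disagree."""
    # 1. Unauthenticated ingest process writing to an unencrypted analytics
    #    store that holds PII but no credentials.
    analytics_app = Process("analytics-ingest")
    analytics_db = Datastore("analytics-db", storesPII=True)

    # 2. A login service that authenticates against a plaintext credential
    #    store which is not flagged as PII or "sensitive data".
    login_svc = Process("login-service", authenticatedWith=True)
    cred_db = Datastore("credential-db")

    # 3. Same login service, but the store is encrypted and provides
    #    confidentiality and integrity.
    hardened_db = Datastore("credential-db-hardened", isEncrypted=True,
                            providesConfidentiality=True, providesIntegrity=True)

    cases = {
        "pii_store_no_credentials": (analytics_app, analytics_db),
        "plaintext_credential_store": (login_svc, cred_db),
        "hardened_credential_store": (login_svc, hardened_db),
    }
    return {
        name: {"original": applies(DS01_ORIGINAL, s, t),
               "proposed": applies(DS01_PROPOSED, s, t)}
        for name, (s, t) in cases.items()
    }


if __name__ == "__main__":
    for name, result in compare_conditions().items():
        print(f"{name:28s} original={result['original']!s:5s} proposed={result['proposed']}")
```

Running it shows the quoted condition firing on the PII-only analytics store (no credentials involved) while staying silent on the unflagged plaintext credential store; the proposed condition inverts both results, and neither fires once the store is encrypted with confidentiality and integrity.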

nineinchnick commented 3 years ago

Looks like this issue is not valid anymore. DS01 probably has been repurposed into a different threat (we should not be doing this). Also #127 would solve this.