From 163535db4bf9657a90440b3bd009221993631aac Mon Sep 17 00:00:00 2001
From: "Luke Stephens (hakluke)" <13975395+hakluke@users.noreply.github.com>
Date: Fri, 11 Sep 2020 12:13:22 +1000
Subject: [PATCH 1/3] fixed number ordering on ordered list in no_password_policy remediation advice
---
 mappings/remediation_advice/remediation_advice.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mappings/remediation_advice/remediation_advice.json b/mappings/remediation_advice/remediation_advice.json
index ddcdbf05..cfa6d012 100644
--- a/mappings/remediation_advice/remediation_advice.json
+++ b/mappings/remediation_advice/remediation_advice.json
@@ -1017,7 +1017,7 @@
 },
 {
 "id": "no_password_policy",
- "remediation_advice": "1. Allow all characters to be used for passwords to avoid shortening the key space for brute-force guessing.\n2. Do not impose character restrictions such as \"must have at least X number of specific character type\" in the password. This will shorten the key space for brute-force guessing.\n2. Disallow short password lengths. 8 characters is generally considered a good minimum password length.\n3. Allow for a large maximum password length.\n4. Do not advertise the maximum password length as this will shorten the key space for brute-force guessing.\n5. Disallow previous passwords from being used.\n6. Disallow the password being the same as the email or username.",
+ "remediation_advice": "1. Allow all characters to be used for passwords to avoid shortening the key space for brute-force guessing.\n2. Do not impose character restrictions such as \"must have at least X number of specific character type\" in the password. This will shorten the key space for brute-force guessing.\n3. Disallow short password lengths. 8 characters is generally considered a good minimum password length.\n4. Allow for a large maximum password length.\n5. Do not advertise the maximum password length as this will shorten the key space for brute-force guessing.\n6. Disallow previous passwords from being used.\n7. Disallow the password being the same as the email or username.",
 "references": [
 "https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Authentication_Cheat_Sheet.md#implement-proper-password-strength-controls"
 ]
From c507b17b72c74c6bb99d157a3a408c88cde37606 Mon Sep 17 00:00:00 2001
From: "Luke Stephens (hakluke)" <13975395+hakluke@users.noreply.github.com>
Date: Fri, 11 Sep 2020 12:33:18 +1000
Subject: [PATCH 2/3] same issue on different section
---
 mappings/remediation_advice/remediation_advice.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
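Review bot: Item 5 of the new `remediation_advice` line, `Do not advertise the maximum password length as this will shorten the key space for brute-force guessing.`, is weak guidance: with the large maximum that item 4 requires, knowing the limit excludes almost nothing from an attacker's search, while an undocumented limit tends to produce silently truncated or rejected passwords for users relying on generators. I would replace it with `5. State the maximum length and enforce it consistently (at least 64 characters, never silently truncate).` and add an item requiring new passwords to be checked against known-breached password lists, which the linked OWASP cheat sheet presumably covers under the same heading. Item 3's 8-character minimum is reasonable for user-chosen passwords but only together with brute-force controls (rate limiting, lockout, MFA), which this entry does not mention; the numbering fix itself is correct.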
diff --git a/mappings/remediation_advice/remediation_advice.json b/mappings/remediation_advice/remediation_advice.json
index cfa6d012..cb7c3a74 100644
--- a/mappings/remediation_advice/remediation_advice.json
+++ b/mappings/remediation_advice/remediation_advice.json
@@ -1010,7 +1010,7 @@
 "children": [
 {
 "id": "weak_password_policy",
- "remediation_advice": "1. Allow all characters to be used for passwords to avoid shortening the key space for brute-force guessing.\n2. Do not impose character restrictions such as \"must have at least X number of specific character type\" in the password. This will shorten the key space for brute-force guessing.\n2. Disallow short password lengths. 8 characters is generally considered a good minimum password length.\n3. Allow for a large maximum password length.\n4. Do not advertise the maximum password length as this will shorten the key space for brute-force guessing.\n5. Disallow previous passwords from being used.\n6. Disallow the password being the same as the email or username.",
+ "remediation_advice": "1. Allow all characters to be used for passwords to avoid shortening the key space for brute-force guessing.\n2. Do not impose character restrictions such as \"must have at least X number of specific character type\" in the password. This will shorten the key space for brute-force guessing.\n3. Disallow short password lengths. 8 characters is generally considered a good minimum password length.\n4. Allow for a large maximum password length.\n5. Do not advertise the maximum password length as this will shorten the key space for brute-force guessing.\n6. Disallow previous passwords from being used.\n7. Disallow the password being the same as the email or username.",
 "references": [
 "https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Authentication_Cheat_Sheet.md#implement-proper-password-strength-controls"
 ]
From 900cca957055829d0389eca19fb60858f021c0b8 Mon Sep 17 00:00:00 2001
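Review bot: The `weak_password_policy` advice on the new `+` line is byte-identical to the `no_password_policy` text patched in 1/3, which is exactly why the same numbering slip had to be fixed twice ("same issue on different section"). The two findings describe different situations (a policy that exists but is too lax versus none at all), so the weak-policy entry could be differentiated, for example by leading with the point that composition rules (item 2) should be replaced by length and breached-password checks rather than tightened. If the duplication is intentional, future edits should touch both entries in one commit so they cannot drift apart again; the numbering fix here is correct.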
From: "Luke Stephens (hakluke)" <13975395+hakluke@users.noreply.github.com>
Date: Fri, 11 Sep 2020 12:35:08 +1000
Subject: [PATCH 3/3] added blank lines around code snippets as advised by MD linter
---
 mappings/remediation_advice/remediation_advice.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mappings/remediation_advice/remediation_advice.json b/mappings/remediation_advice/remediation_advice.json
index cb7c3a74..3d078210 100644
--- a/mappings/remediation_advice/remediation_advice.json
+++ b/mappings/remediation_advice/remediation_advice.json
@@ -1236,7 +1236,7 @@
 },
 {
 "id": "clipboard_enabled",
- "remediation_advice": "Ensure that copy/paste functionality is disabled on sensitive content like credit card numbers, social security numbers etc. as other apps on the same device can access data stored in clipboard.\nThe example below disables clipboard for the `textField` TextView in Android:\n```java\ntextField.setCustomSelectionActionModeCallback(new ActionMode.Callback() {\n public boolean onCreateActionMode(ActionMode actionMode, Menu menu) {\n return false;\n }\n\n public boolean onPrepareActionMode(ActionMode actionMode, Menu menu) {\n return false;\n }\n\n public boolean onActionItemClicked(ActionMode actionMode, MenuItem item) {\n return false;\n }\n\n public void onDestroyActionMode(ActionMode actionMode) {\n }\n});\ntextField.setLongClickable(false);\ntextField.setTextIsSelectable(false);\n```\nThe example below disables clipboard for UITextField in iOS:\n```swift\noverride public func canPerformAction(_ action: Selector, withSender sender: Any?) -> Bool {\n if action == #selector(copy(_:)) || action == #selector(paste(_:)) {\n return false\n }\n return true\n}\n```"
+ "remediation_advice": "Ensure that copy/paste functionality is disabled on sensitive content like credit card numbers, social security numbers etc. 
as other apps on the same device can access data stored in clipboard.\nThe example below disables clipboard for the `textField` TextView in Android:\n\n```java\ntextField.setCustomSelectionActionModeCallback(new ActionMode.Callback() {\n public boolean onCreateActionMode(ActionMode actionMode, Menu menu) {\n return false;\n }\n\n public boolean onPrepareActionMode(ActionMode actionMode, Menu menu) {\n return false;\n }\n\n public boolean onActionItemClicked(ActionMode actionMode, MenuItem item) {\n return false;\n }\n\n public void onDestroyActionMode(ActionMode actionMode) {\n }\n});\ntextField.setLongClickable(false);\ntextField.setTextIsSelectable(false);\n```\n\nThe example below disables clipboard for UITextField in iOS:\n\n```swift\noverride public func canPerformAction(_ action: Selector, withSender sender: Any?) -> Bool {\n if action == #selector(copy(_:)) || action == #selector(paste(_:)) {\n return false\n }\n return true\n}\n```\n\n"
 },
 {
 "id": "auto_backup_allowed_by_default",
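Review bot: The iOS snippet carried over on the new `+` line still leaves a path onto the pasteboard, because `canPerformAction` rejects only `copy(_:)` and `paste(_:)` while `cut(_:)` also places the field's text on the general pasteboard; the condition should read `if action == #selector(copy(_:)) || action == #selector(cut(_:)) || action == #selector(paste(_:)) {`. Refusing `paste(_:)` does not protect the field's own content (paste only reads the clipboard), so the prose should say whether blocking input is also intended, and it should state that the override has to live in a `UITextField` subclass. On the Android side, the selection-mode callback plus `setLongClickable(false)` and `setTextIsSelectable(false)` cover long-press selection, but the separate insertion action mode (the paste popup shown on a tap, API 23+) presumably still appears unless `setCustomInsertionActionModeCallback` is handled the same way; worth confirming and adding. The `\n\n` padding added around the fences is fine for Markdown rendering, but the `+` line itself has been broken across two physical lines in this listing, so check the JSON string is intact in the committed file.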