~/Cedric

Cedric has been a member since Fri May 18 09:53:17 2018 and is the creator of the following object(s):

No separation of development and operating environments Vulnerabilities
Are the development environments separate? What are the constraints for moving from one to the other? Which development method is used?
A08:2021 – Software and Data Integrity Failures Vulnerabilities
Software and data integrity failures relate to code and infrastructure that does not protect against integrity violations. For example, an application that encodes or serializes objects or data into a structure that an attacker can see and modify is vulnerable to insecure deserialization. Another form of this is where an application relies upon plugins, libraries, or modules from untrusted sources, repositories, and content delivery networks (CDNs). An insecure CI/CD pipeline can introduce the potential for unauthorized access, malicious code, or system compromise. Lastly, many applications now include auto-update functionality, where updates are downloaded without sufficient integrity verification and applied to the previously trusted application. Attackers could potentially upload their own updates to be distributed and run on all installations.
The operating system can be accessed and used by everyone (e.g. connection via the guest account) Vulnerabilities
Physical access authorisations are not checked regularly Vulnerabilities
Are physical access rights to sensitive premises regularly reviewed? Users? Administrators?
Disposal is not carried out properly Vulnerabilities
Is there a formal procedure? Is it followed? Is the disposal route appropriate?
Application requiring computing resources not matched by the equipment (e.g. insufficient RAM) Vulnerabilities
Possibility of booting several operating systems on the same machine (e.g. access to NTFS partitions via Linux) Vulnerabilities
Logical access authorisations are not checked regularly Vulnerabilities
Are logical access rights regularly reviewed? User accounts? Accounts with privileges?
No coordination between the departments concerned before hiring staff and when contracts are modified Vulnerabilities
Hiring, change of department, contract termination: removal of physical rights, removal of logical rights, return of hardware. Is there a formal procedure?
The operating system does not log system records or events Vulnerabilities