2.4.10 Web User Interface
This section is intended for the personnel responsible for the security of the IoT product's or service's web systems. Guidance is available from the IoTSF [ref 44]¹ on Application Security (part E) and Credential Management (part F).
Req No | Requirement | Compliance Class And Applicability | Primary Keyword | Secondary Keyword |
---|---|---|---|---|
2.4.10.1 | Where the product or service provides a web based user interface, Authentication is secured using current best practice cryptography. | Mandatory for Class 1 and above | System | Software |
2.4.10.2 | Where the product or service provides a web browser based interface, access to any restricted/administrator area or functionality shall require authentication. | Mandatory for Class 1 and above | System | Software |
2.4.10.3 | Where the product or service provides a web based management interface, Authentication is secured using current best practice cryptography. | Mandatory for Class 1 and above | System | Software |
2.4.10.4 | Where a web user interface password is used for login authentication, the initial password or factory reset password is unique for every device in the product family. | Mandatory for all classes | System | Software |
2.4.10.5 | The web user interface is protected by an automatic session idle logout timeout function. | Mandatory for Class 1 and above | System | Software |
2.4.10.6 | User passwords are not stored in plain text. | Mandatory for all classes | System | Software |
2.4.10.6.1 | Strong passwords are required, and a random salt value is incorporated with the password. | Mandatory for Class 1 and above | System | Software |
2.4.10.7 | Where passwords are entered on a user interface, the actual pass phrase is obscured by default to prevent the capture of passwords. | Mandatory for Class 1 and above | System | Software |
2.4.10.8 | The web user interface shall follow good practice guidelines. | Mandatory for Class 1 and above | Business | Policy |
2.4.10.9 | A vulnerability assessment has been performed before deployment, and is repeated periodically throughout the lifecycle of the service or product. | Mandatory for Class 1 and above | Business | Process |
2.4.10.10 | All data being transferred over interfaces should be validated where appropriate. This could include checking the data type, length, format, range, authenticity, origin and frequency. | Mandatory for Class 1 and above | System | Software |
2.4.10.11 | Sanitize input in Web applications by using URL encoding or HTML encoding to wrap data and treat it as literal text rather than executable script. | Mandatory for Class 1 and above | System | Software |
2.4.10.12 | All inputs and outputs are validated using, for example, an allow list (formerly 'whitelist') containing authorised origins of data and valid attributes of such data. | Mandatory for Class 1 and above | System | Software |
2.4.10.13 | Administration Interfaces are accessible only by authorized operators. Mutual Authentication is used over administration interfaces, for example, by using certificates. | Mandatory for Class 1 and above | System | Software |
2.4.10.14 | Reduce the lifetime of sessions to mitigate the risk of session hijacking and replay attacks (for example, to reduce the time an attacker has to capture a session cookie and use it to access an application). | Mandatory for Class 1 and above | System | Software |
2.4.10.15 | All inputs and outputs are checked for validity. Tests to include both expected (valid) and unexpected (invalid) input stimuli. | Mandatory for Class 1 and above | Business | Process |
2.4.10.16 | Web Interfaces should be developed using best practice secure coding techniques and server frameworks. | Mandatory for Class 1 and above | Business | Process |
2.4.10.17 | Password entry follows industry standard practice. | Mandatory for all classes | Business | Process |
2.4.10.18 | The web interface should provide a simple method (one to two clicks) to initiate any security update to the end device. | Mandatory for all classes | Business | Process |
2.4.10.19 | Any personal data communicated between the web interface and the device shall be encrypted. Where the data includes sensitive personal data then the encryption must be appropriately secure. | Mandatory for all classes | Business | Process |
Footnotes
1. Enhanced Privacy standard for Anonymous Signatures, ISO/IEC 20008 [https://www.iso.org/standard/57018.html]