2.4.10 Web User Interface

This section is intended for the personnel responsible for the security of the web systems of an IoT product or service. Guidance is available from the IoTSF [ref 44]¹ on Application Security (part E) and Credential Management (part F).

| Req No | Requirement | Compliance Class and Applicability | Primary Keyword | Secondary Keyword |
|---|---|---|---|---|
| 2.4.10.1 | Where the product or service provides a web based user interface, authentication is secured using current best practice cryptography. | Mandatory for Class 1 and above | System | Software |
| 2.4.10.2 | Where the product or service provides a web browser based interface, access to any restricted/administrator area or functionality shall require authentication. | Mandatory for Class 1 and above | System | Software |
| 2.4.10.3 | Where the product or service provides a web based management interface, authentication is secured using current best practice cryptography. | Mandatory for Class 1 and above | System | Software |
| 2.4.10.4 | Where a web user interface password is used for login authentication, the initial password or factory reset password is unique for every device in the product family. | Mandatory for all classes | System | Software |
| 2.4.10.5 | The web user interface is protected by an automatic session idle logout timeout function. | Mandatory for Class 1 and above | System | Software |
| 2.4.10.6 | User passwords are not stored in plain text. | Mandatory for all classes | System | Software |
| 2.4.10.6.1 | Strong passwords are required, and a random salt value is incorporated with the password. | Mandatory for Class 1 and above | System | Software |
| 2.4.10.7 | Where passwords are entered on a user interface, the actual pass phrase is obscured by default to prevent the capture of passwords. | Mandatory for Class 1 and above | System | Software |
| 2.4.10.8 | The web user interface shall follow good practice guidelines. | Mandatory for Class 1 and above | Business | Policy |
| 2.4.10.9 | A vulnerability assessment has been performed before deployment, and is repeated periodically throughout the lifecycle of the service or product. | Mandatory for Class 1 and above | Business | Process |
| 2.4.10.10 | All data being transferred over interfaces should be validated where appropriate. This could include checking the data type, length, format, range, authenticity, origin and frequency. | Mandatory for Class 1 and above | System | Software |
| 2.4.10.11 | Sanitize input in web applications by using URL encoding or HTML encoding to wrap data and treat it as literal text rather than executable script. | Mandatory for Class 1 and above | System | Software |
| 2.4.10.12 | All inputs and outputs are validated using, for example, an allow list (formerly 'whitelist') containing authorised origins of data and valid attributes of such data. | Mandatory for Class 1 and above | System | Software |
| 2.4.10.13 | Administration interfaces are accessible only by authorized operators. Mutual authentication is used over administration interfaces, for example, by using certificates. | Mandatory for Class 1 and above | System | Software |
| 2.4.10.14 | Reduce the lifetime of sessions to mitigate the risk of session hijacking and replay attacks (for example, to reduce the time an attacker has to capture a session cookie and use it to access an application). | Mandatory for Class 1 and above | System | Software |
| 2.4.10.15 | All inputs and outputs are checked for validity. Tests to include both expected (valid) and unexpected (invalid) input stimuli. | Mandatory for Class 1 and above | Business | Process |
| 2.4.10.16 | Web interfaces should be developed using best practice secure coding techniques and server frameworks. | Mandatory for Class 1 and above | Business | Process |
| 2.4.10.17 | Password entry follows industry standard practice. | Mandatory for all classes | Business | Process |
| 2.4.10.18 | The web interface should provide a simple method (one to two clicks) to initiate any security update to the end device. | Mandatory for all classes | Business | Process |
| 2.4.10.19 | Any personal data communicated between the web interface and the device shall be encrypted. Where the data includes sensitive personal data then the encryption must be appropriately secure. | Mandatory for all classes | Business | Process |
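Requirements 2.4.10.10 to 2.4.10.12 (validate every input against an allow list, then HTML- or URL-encode it before output) and 2.4.10.5 / 2.4.10.14 (idle logout plus a bounded session lifetime) are the server-side controls most often missing from embedded web UIs. The block below is an added illustration for this page, not IoTSF or product code. It uses the Python standard library only; the field names, patterns, length limits and timeout values are assumptions, and the session store is an in-memory stand-in for whatever the device uses.

```python
"""Allow-list input validation, output encoding and session expiry.

Added example for IoTSF 2.4.10.5, 2.4.10.10-2.4.10.12 and 2.4.10.14;
not framework code. Field rules and timeouts are assumed values.
"""
import html
import re
import secrets
from dataclasses import dataclass
from urllib.parse import quote

# Allow list per form field: an anchored pattern plus a length cap (assumed).
# Anything not listed here is rejected outright rather than "cleaned".
FIELD_RULES = {
    "device_name": (re.compile(r"[A-Za-z0-9 _-]{1,32}"), 32),
    "port": (re.compile(r"[0-9]{1,5}"), 5),
}


def validate_field(name: str, value: str) -> bool:
    """Type, length, format and range checks from 2.4.10.10."""
    if name not in FIELD_RULES:
        return False
    pattern, max_len = FIELD_RULES[name]
    if len(value) > max_len or pattern.fullmatch(value) is None:
        return False
    if name == "port":
        return 1 <= int(value) <= 65535      # range check after format check
    return True


def render_name(value: str) -> str:
    """HTML-encode untrusted text before it lands in a page (2.4.10.11), so
    '<' or '"' in a device name is shown literally, never interpreted."""
    return f'<span class="name">{html.escape(value, quote=True)}</span>'


def link_for(name: str) -> str:
    """URL-encode untrusted text before it becomes part of a path segment."""
    return "/devices/" + quote(name, safe="")


IDLE_TIMEOUT_S = 600              # assumption: log out after 10 min idle (2.4.10.5)
ABSOLUTE_LIFETIME_S = 8 * 3600    # assumption: never longer than 8 h (2.4.10.14)


@dataclass
class Session:
    user: str
    created: float      # monotonic seconds at login
    last_seen: float    # monotonic seconds at last authenticated request


class SessionStore:
    """Server-side session table. Tokens are random and carry no meaning;
    expiry is enforced here, not trusted from the cookie."""

    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    def create(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, now, now)
        return token

    def lookup(self, token: str, now: float):
        """Return the user for a live session, or None. Expired sessions are
        deleted on sight so a captured cookie stops working at the deadline."""
        session = self._sessions.get(token)
        if session is None:
            return None
        idle_expired = now - session.last_seen > IDLE_TIMEOUT_S
        lifetime_expired = now - session.created > ABSOLUTE_LIFETIME_S
        if idle_expired or lifetime_expired:
            del self._sessions[token]
            return None
        session.last_seen = now
        return session.user


if __name__ == "__main__":
    print(validate_field("device_name", "<script>alert(1)</script>"))   # False
    print(render_name('Cam <1> & "2"'))
    store = SessionStore()
    tok = store.create("admin", 0.0)
    print(store.lookup(tok, 500.0), store.lookup(tok, 1200.0))          # admin None
```

Two points are worth checking in a review of any real UI against these rows: the absolute lifetime must be enforced even when the user keeps the session active (otherwise a stolen cookie is valid indefinitely), and encoding happens at the output boundary for the context in question (HTML body vs. URL), not once on input.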

Footnotes

  1. Enhanced Privacy standard for Anonymous Signatures ISO/IEC20008 [https://www.iso.org/standard/57018.html]