Locking an account that has had too many consecutive failed login attempts within a short time can help resist brute-force attacks. This rule raises an issue on authentication code so that the presence of such a control can be verified.
== Noncompliant Code Example
[source,java]
----
// Simple bind: the user's credentials go straight to the directory, and nothing on
// this side counts, throttles or locks out repeated failures for the same account.
env.put(Context.SECURITY_PRINCIPAL, principal);
env.put(Context.SECURITY_CREDENTIALS, password);
DirContext ctx = new InitialDirContext(env); // Noncompliant
----
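A compliant counterpart, added here as an illustration and not part of the original rule description: the same JNDI simple bind placed behind a per-account failed-attempt counter with a bounded lock. The class and method names, the thresholds (3 failures within 15 minutes, then a 15-minute lock), the provider URL shown in the comment and the in-memory stub directory used by `main` are all assumptions made for this example.

```java
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.util.Hashtable;
import java.util.Locale;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;

/** Simple bind against a directory, wrapped in per-account failed-attempt tracking (illustrative class). */
public final class LockingLdapAuthenticator {
    /** The credential check itself, abstracted so the lockout logic can be exercised without a directory.
     *  Implementations throw AuthenticationException for bad credentials and other NamingExceptions
     *  for infrastructure problems. */
    @FunctionalInterface
    public interface Binder {
        void bind(String principal, String password) throws NamingException;
    }

    /** Real JNDI simple bind; the provider URL (for example "ldaps://ldap.example.com", assumed) is the caller's. */
    public static Binder jndiBinder(String providerUrl) {
        return (principal, password) -> {
            Hashtable<String, String> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, providerUrl);
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, principal);
            env.put(Context.SECURITY_CREDENTIALS, password);
            new InitialDirContext(env).close(); // a successful bind is the whole check; nothing else is read
        };
    }

    private static final class State {
        int failures;         // failures inside the current window
        Instant windowStart;  // when the current run of failures began
        Instant lockedUntil;  // null while not locked
    }

    private final Binder binder;
    private final Clock clock;
    private final int maxFailures;
    private final Duration window, lockout;
    private final Map<String, State> states = new ConcurrentHashMap<>();

    public LockingLdapAuthenticator(Binder binder, Clock clock, int maxFailures, Duration window, Duration lockout) {
        this.binder = binder;
        this.clock = clock;
        this.maxFailures = maxFailures;
        this.window = window;
        this.lockout = lockout;
    }

    /** True only when the account is not locked and the directory accepted the credentials. */
    public boolean authenticate(String principal, String password) throws NamingException {
        // An empty password would be an unauthenticated bind (RFC 4513), which some directories accept.
        if (password == null || password.isEmpty()) return false;
        String key = principal.trim().toLowerCase(Locale.ROOT); // "Alice" and "alice " share one counter
        State s = states.computeIfAbsent(key, k -> new State());
        synchronized (s) {
            Instant now = clock.instant();
            if (s.lockedUntil != null && now.isBefore(s.lockedUntil)) {
                return false; // locked: refuse without contacting the directory, so further guesses learn nothing
            }
            // Only AuthenticationException is caught below. Anything else (directory unreachable, TLS failure)
            // propagates uncounted; otherwise an outage would lock every account that tried to log in.
            try {
                binder.bind(principal, password);
                states.remove(key); // a successful login clears the failure history
                return true;
            } catch (AuthenticationException e) {
                if (s.windowStart == null || now.isAfter(s.windowStart.plus(window))) {
                    s.windowStart = now; // earlier failures are older than the window: start a fresh count
                    s.failures = 0;
                }
                if (++s.failures >= maxFailures) {
                    s.lockedUntil = now.plus(lockout);
                }
                return false;
            }
        }
    }

    public static void main(String[] args) throws NamingException {
        // Constructed stand-in for a directory: one account with one valid password.
        Binder stub = (p, pw) -> {
            if (!("alice".equals(p) && "correct horse".equals(pw))) {
                throw new AuthenticationException("[LDAP: error code 49 - Invalid Credentials]");
            }
        };
        LockingLdapAuthenticator auth = new LockingLdapAuthenticator(
                stub, Clock.systemUTC(), 3, Duration.ofMinutes(15), Duration.ofMinutes(15));
        for (int i = 1; i <= 3; i++) {
            System.out.println("wrong password #" + i + " accepted? " + auth.authenticate("alice", "guess" + i));
        }
        // The third failure locked the account, so even the right password is now refused.
        System.out.println("right password while locked accepted? " + auth.authenticate("alice", "correct horse"));
    }
}
```

Two points to keep in mind when reviewing this hotspot. A lock keyed on the account name lets anyone who knows a username shut its owner out, so the lock must expire and should be paired with throttling by source address; and an in-memory map neither survives a restart nor is shared between instances, so a clustered deployment needs a shared store. Where the directory already enforces lockout itself (Active Directory's account lockout policy, OpenLDAP's ppolicy overlay), verifying that configuration is what resolves the hotspot rather than duplicating the counter in application code.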
== See
* https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[OWASP Top 10 2021 Category A7] - Identification and Authentication Failures
* https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[OWASP Top 10 2017 Category A2] - Broken Authentication
* https://cwe.mitre.org/data/definitions/307[MITRE, CWE-307] - Improper Restriction of Excessive Authentication Attempts
* https://www.sans.org/top25-software-errors/#cat3[SANS Top 25] - Porous Defenses