Commit 832bdf77 authored by Valerie Aurora (Bow Shock)

Remove DPAH, some small formatting

parent 7c5b6d78
+5 −21
@@ -1148,27 +1148,12 @@ Guidance: Appropriate authorization depends on the use case and the asset. For e

  * Evidence: List of interfaces allowing access to security-relevant assets, record of activities used to attempt unauthorized access to security-relevant assets, log of results of attempts

#### 5.2.5.3 MI-DPAH: Documentation of product assets accessible from host

The product shall be accompanied by documentation for all interfaces for the product that can be accessed by the host, describing what product assets are accessible from the interface and what type of access is appropriate for representative use cases or risk profiles.

Guidance: This requirement gives the user or integrator of the product the necessary information they need to implement an appropriate level of access control in the host system. This requirement does not specify how the host implements access control.

  * Applicability: Physical network interface
  * Reference: TR-SDEF
  * Objective: Secure by default
  * Preparation: Define a method that can be used to find all interfaces on the product accessible from the host
  * Activities: For each interface, review the documentation to see if it is listed and provides the necessary information
  * Verdict: If every interface discovered is listed in the documentation and has the required information => PASS, otherwise => FAIL
  * Evidence: Method to list all interfaces accessible from the host, list of interfaces discovered, documentation of assets

#### 5.2.5.4 MI-PDDI-1: Document how to protect access to debug/management interfaces

All debug/management interfaces on the product shall be documented as to how to protect or disable them.

Guidance: This is for the use case of selling to an integrator.

  * Applicability: Physical network interface
  * Reference: TR-SDEF
  * Objective: Secure by default
  * Preparation: Examine the documentation for how to protect or disable the debug/management interfaces of the product
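Review bot: Removing section 5.2.5.3 drops the only text in this hunk that tells an integrator which product assets each host-accessible interface exposes, and neither the commit message nor the surrounding lines say where that information now lives. The removed guidance stated that it "gives the user or integrator of the product the necessary information they need to implement an appropriate level of access control in the host system"; MI-PDDI-1 as shown only covers how to protect or disable debug/management interfaces. Please either name the requirement that now carries the asset-per-interface documentation or record the rationale for dropping it. Also, the heading that follows still reads "#### 5.2.5.4 MI-PDDI-1", so if section numbers are maintained by hand there is now a gap after 5.2.5.2 that should be renumbered along with any cross-references.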
@@ -1967,7 +1952,6 @@ MI-MDOC: Document transfer of risk of minimizing impact to operating environment
MI-MNET: Minimize negative impact of network transmission
MI-MAMP: Minimize negative impact of network traffic amplification
MI-ADEF: Authorization required by default to access security-relevant assets
MI-DPAH: Documentation of product assets accessible from host
MI-PDDI-1: Document how to protect access to debug/management interfaces
MI-PDDI-2: Protect or disable local software access to debug/management interfaces
MI-PDDI-3: Protect or disable network access to debug/management interfaces
@@ -2077,9 +2061,9 @@ Requirements that mitigate this threat: CDST, SDEF, DMIN, LOGG

Mitigations for Likelihood:

* Medium to Low: ADEF, DPAH, PDDI-1
* Medium to Low: ADEF, PDDI-1

* High to Low: ADEF, DPAH, PDDI-2 if PHY = 2, PDDI-3 if SFT = 2, PDDI-4 if NET = 2
* High to Low: ADEF, PDDI-2 if PHY = 2, PDDI-3 if SFT = 2, PDDI-4 if NET = 2

Mitigations for Impact:

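Review bot: The likelihood reductions in "Mitigations for Likelihood" keep their original ratings ("Medium to Low", "High to Low") even though DPAH has been taken out of both mitigation sets. If DPAH contributed to those reductions, the remaining sets (ADEF plus PDDI-1, and ADEF plus the conditional PDDI-2/3/4 entries) need to be re-assessed to confirm they still justify the same target level; if DPAH never affected the rating, a short note in the commit message saying so would make the change auditable.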
@@ -2383,7 +2367,7 @@ For each risk untreated by the product itself, a corresponding mitigation has be

  * MI-KEVD
  * MI-KEVM
  * MI-DPAH
  * MI-MDOC
  * MI-PDDI-1
  * MI-SUDC
  * MI-SUOE