Principle 12 - Fail Secure
Detail
Systems should maintain confidentiality, integrity and availability by defaulting to a well-defined status after failure, either to a secure failure state or via a recovery procedure to a known secure state. Any transition in state during either failure or recovery should continue to enforce a default action of denial of access if not explicitly granted.
Decision Evaluation Criteria:
- Has a Failure Mode and Effects Analysis exercise been performed which identifies potential failure scenarios and the associated risks to security?
- Does the design provide mechanisms which manage all potential system failure scenarios in a secure and controlled manner?
- Has a test plan been created which includes appropriate criteria and desired results?
- In a fail scenario, does the service revalidate, purge and cleanse sessions before resumption of service?
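As an added illustration, not part of the original principle text, the following Python authorization gate resolves every failure path in the access decision to deny and purges sessions on recovery, with the fail-open anti-pattern beside it for contrast; the class and function names, and the in-memory session store, are assumptions made for this example.

```python
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    issued_at: float


class FailSecureGate:
    """Authorization gate whose every failure path resolves to 'deny'."""

    def __init__(self, policy_lookup, max_age=900):
        # policy_lookup(user, action) -> bool; it may raise when the backend fails.
        self._lookup = policy_lookup
        self._sessions = {}
        self._max_age = max_age
        self.degraded = False

    def login(self, session_id, user, now):
        self._sessions[session_id] = Session(user, now)

    def authorize(self, session_id, action, now):
        session = self._sessions.get(session_id)
        # Unknown or expired session: deny before consulting the policy backend.
        if session is None or now - session.issued_at > self._max_age:
            return False
        try:
            decision = self._lookup(session.user, action)
        except Exception:
            # Failure state: record it and deny; nothing on this path can grant.
            self.degraded = True
            return False
        # Only an explicit True is a grant; None, strings or other values are not.
        return decision is True

    def recover(self):
        """Return to a known secure state: purge all sessions so each user revalidates."""
        purged = len(self._sessions)
        self._sessions.clear()
        self.degraded = False
        return purged


def fail_open_authorize(policy_lookup, user, action):
    """Anti-pattern for contrast: a backend fault is swallowed and access is allowed."""
    try:
        return policy_lookup(user, action)
    except Exception:
        return True  # keeps the service 'up' at the cost of access control
```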
Basis
- NIST 17 - Design and operate a system to limit damage and be resilient in response
- CSSLP - Fail secure
- OWASP 2 - Detail session management verification requirements