078 – Disable debugging events

Summary

The organization must disable debugging events in production.

Description

Debugging features are essential during the development phase to identify and fix issues in the code. However, these debugging tools and events should not be active or accessible in a production environment, where the software is functioning and serving users. In production, the primary focus is on stability, security, and performance.

Supported In

Essential: True

Advanced: True

References

• CAPEC-113. Interface manipulation
• CAPEC-116. Excavation
• CWE-210. Self-generated error message containing sensitive information
• CWE-497. Exposure of sensitive system information to an unauthorized control sphere
• CWE-1269. Product released in non-release configuration
• OWASP10-A5. Security misconfiguration
• CERTJ-ENV06-J. Production code must not contain debugging entry points
• PADSS-5_2_5. Improper error handling
• FEDRAMP-CA-7. Continuous monitoring
• OWASPSCP-7. Error handling and logging
• ASVS-14_3_2. Unintended security disclosure
• CWE-11. Creating debug binary
• CASA-14_3_2. Unintended Security Disclosure

Weaknesses

• 183 – Debugging enabled in production
• 058 – Debugging enabled in production - APK

Last updated

2024/01/18