Eliminate backdoors
Summary
The source code of a system must not perform functions other than those specified in the functional requirements (backdoors).
Description
Sometimes, functionalities other than the ones for which a system was designed are included during development to aid the development and testing processes. These functions often represent backdoors because they leave ports exposed or help in bypassing the authentication and/or authorization mechanisms. Therefore, they should not be part of the production environment, as they could become serious security vulnerabilities.
References
- CAPEC-113. Interface manipulation
- CAPEC-115. Authentication bypass
- CAPEC-438. Modification during manufacture
- CAPEC-554. Functionality bypass
- CIS-5_5. Establish and maintain an inventory of service accounts
- CWE-510. Trapdoor
- CWE-1269. Product released in non-release configuration
- OWASP10-A6. Vulnerable and outdated components
- OWASPM10-M10. Extraneous functionality threat agents
- AGILE-9. Continuous attention to technical excellence and good design
- NYSHIELD-5575_B_6. Personal and private information
- MITRE-M1013. Application developer guidance
- MITRE-M1016. Vulnerability scanning
- PADSS-5_1_2. Test data and accounts are removed before release to customer
- HITRUST-01_l. Remote diagnostic and configuration port protection
- FEDRAMP-CM-7. Least functionality
- OSSTMM3-10_9_3. Telecommunications security (configurations verification) - Configuration errors
- NISTSSDF-PO_5_1. Implement and maintain secure environments for software development
- ISSAF-Q_16_13. Host security - Windows security (registry attacks)
- PTES-5_2_2_1. Vulnerability analysis - Network vulnerability scanners (port based)
- PTES-7_7. Post Exploitation - Persistence
- NIST800115-4_4_1. Passive wireless scanning
- OSAMM-ST. Security Testing
- OSAMM-OM. Operational Management
- ASVS-10_2_3. Malicious code search
- C2M2-9_4_d. Implement software security for cybersecurity architecture
- PCI-2_2_4. Remove or disable all unnecessary functionality
- SIGLITE-SL_89. Is there a formal Software Development Life Cycle (SDLC) process?
- SIG-I_2_1. Application security
- SIG-I_2_6. Application security
- CASA-10_2_3. Malicious Code Search
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan.If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.
Supported In
This requirement is verified in following services
Essential Plan
Advanced Plan