154 – Eliminate backdoors

Summary

The source code of a system must not perform functions other than those specified in the functional requirements (backdoors).

Description

Sometimes, functionalities other than the ones for which a system was designed are included during development to aid the development and testing processes. These functions often represent backdoors because they leave ports exposed or help in bypassing the authentication and/or authorization mechanisms. Therefore, they should not be part of the production environment, as they could become serious security vulnerabilities.

Supported In

Advanced: True

References

• CAPEC-113. Interface manipulation
• CAPEC-115. Authentication bypass
• CAPEC-438. Modification during manufacture
• CAPEC-554. Functionality bypass
• CIS-5_5. Establish and maintain an inventory of service accounts
• CWE-510. Trapdoor
• CWE-1269. Product released in non-release configuration
• OWASP10-A6. Vulnerable and outdated components
• OWASPM10-M10. Extraneous functionality threat agents
• AGILE-9. Continuous attention to technical excellence and good design
• NYSHIELD-5575_B_6. Personal and private information
• MITRE-M1013. Application developer guidance
• MITRE-M1016. Vulnerability scanning
• PADSS-5_1_2. Test data and accounts are removed before release to customer
• HITRUST-01_l. Remote diagnostic and configuration port protection
• FEDRAMP-CM-7. Least functionality
• OSSTMM3-10_9_3. Telecommunications security (configurations verification) - Configuration errors
• NISTSSDF-PO_5_1. Implement and maintain secure environments for software development
• ISSAF-Q_16_13. Host security - Windows security (registry attacks)
• PTES-5_2_2_1. Vulnerability analysis - Network vulnerability scanners (port based)
• PTES-7_7. Post Exploitation - Persistence
• NIST800115-4_4_1. Passive wireless scanning
• OSAMM-ST. Security Testing
• OSAMM-OM. Operational Management
• ASVS-10_2_3. Malicious code search
• C2M2-9_4_d. Implement software security for cybersecurity architecture
• PCI-2_2_4. Remove or disable all unnecessary functionality
• SIGLITE-SL_89. Is there a formal Software Development Life Cycle (SDLC) process?
• SIG-I_2_1. Application security
• SIG-I_2_6. Application security
• CASA-10_2_3. Malicious Code Search

Last updated

2024/02/09