155 – Application free of malicious code

Summary

The application code must be free of malicious code.

Description

There are several ways in which malicious code may be included in an application. It can be imported as part of third party libraries, which may be intentionally malicious or have exploitable vulnerabilities, or it can come as a backdoor left by one of the developers. Therefore, the source code should be audited to guarantee it does not have any backdoors, rootkits, time bombs, logic bombs, etc.

Supported In

Advanced: True

References

• BSIMM-CR3_4:_3. Automate malicious code detection
• CAPEC-438. Modification during manufacture
• CWE-507. Trojan horse
• CWE-510. Trapdoor
• CWE-511. Logic/Time bomb
• NERCCIP-007-6_R3_1. Malicious code prevention
• SOC2-CC6_8. Logical and physical access controls
• AGILE-9. Continuous attention to technical excellence and good design
• NYDFS-500_10. Cybersecurity personnel and intelligence
• MITRE-M1013. Application developer guidance
• MITRE-M1016. Vulnerability scanning
• MITRE-M1044. Restrict library loading
• MITRE-M1047. Audit
• SANS25-23. Improper Control of Generation of Code ('Code Injection')
• CMMC-AT_L2-3_2_1. Role-based risk awareness
• CMMC-MA_L2-3_7_4. Media inspection
• CMMC-RA_L2-3_11_2. Vulnerability scan
• CMMC-SI_L1-3_14_2. Malicious code protection
• HITRUST-05_k. Addressing security in third party agreements
• HITRUST-09_e. Service delivery
• HITRUST-09_j. Controls against malicious code
• FEDRAMP-CA-2_2. Security assessment - Specialized assessments
• FEDRAMP-RA-5. Vulnerability scanning
• FEDRAMP-SI-3. Malicious code protection
• ISO27002-8_26. Application security requirements
• IEC62443-SI-3_2. Malicious code protection
• OSSTMM3-10_9_3. Telecommunications security (configurations verification) - Configuration errors
• OWASPRISKS-P1. Web application vulnerabilities
• MVSP-2_5. Application design controls - Security libraries
• OWASPSCP-14. General coding practices
• NIST800171-1_7. Prevent non-privileged users from executing privileged functions
• NIST800171-1_18. Control connection of mobile devices
• SWIFTCSC-6_1. Malware protection
• OSAMM-ST. Security Testing
• ASVS-10_1_1. Code integrity
• C2M2-9_4_d. Implement software security for cybersecurity architecture
• SIGLITE-SL_89. Is there a formal Software Development Life Cycle (SDLC) process?
• SIG-I_2_1. Application security
• ASVS-10_2_1. Malicious code search
• ASVS-10_2_6. Malicious code search
• CWE25-94. Improper Control of Generation of Code ('Code Injection')
• ISO27001-8_26. Application security requirements
• CASA-10_1_1. Code Integrity
• RESOLSB-Art_15_3_c. Operative Risk Management - Information Technology Factor
• OWASPMASVS-CODE-3. The app only uses software components without known vulnerabilities

Weaknesses

• 424 – Sideloaded

Last updated

2024/02/09