158 – Use a secure programming language

Summary

System source code must be implemented in a stable, updated, tested and free of known vulnerabilities version of the chosen programming language.

Description

Systems that use an updated and secure version of the programming language helps to mitigate known vulnerabilities that might exist in older versions. Security vulnerabilities in the language itself could be exploited by attackers to compromise the integrity, confidentiality, or availability of the system.

Supported In

Essential: True

Advanced: True

References

• CAPEC-123. Buffer manipulation
• CAPEC-129. Pointer manipulation
• CAPEC-131. Resource leak exposure
• CIS-16_1. Establish and maintain a secure application development process
• CWE-74. Improper neutralization of special elements in output used by a downstream component ("injection")
• CWE-400. Uncontrolled resource consumption
• CWE-710. Improper adherence to coding standards
• CWE-1325. Improperly controlled sequential memory allocation
• OWASP10-A6. Vulnerable and outdated components
• AGILE-9. Continuous attention to technical excellence and good design
• CERTJ-MET03-J. Methods that perform a security check must be declared private or final
• MITRE-M1013. Application developer guidance
• SANS25-4. User after free
• SANS25-5. Improper neutralization of special elements used in an OS command (OS command injection)
• SANS25-7. Out-of-bounds read
• SANS25-17. Improper restriction of operations within the bounds of a memory buffer
• CMMC-AT_L2-3_2_1. Role-based risk awareness
• HITRUST-10_j. Access control to program source code
• ISO27002-8_28. Secure coding
• WASC-A_07. Buffer overflow
• NISTSSDF-PW_5_1. Archive and protect each software release
• NISTSSDF-PW_6_1. Configure the compilation, interpreter, and build processes to improve executable security
• ISSAF-P_6_3. Host security - Linux security (buffer overflows)
• ISSAF-U_15. Web application SQL injections – Countermeasures
• PTES-5_5_7. Vulnerability analysis - Disassembly and code analysis
• MVSP-2_5. Application design controls - Security libraries
• CWE25-78. Improper neutralization of special elements used in an OS command (OS command injection)
• CWE25-119. Improper restriction of operations within the bounds of a memory buffer
• CWE25-125. Out-of-bounds read
• CWE25-416. User after free
• OSAMM-ST. Security Testing
• ASVS-5_4_1. Memory, string, and unmanaged code
• C2M2-9_4_d. Implement software security for cybersecurity architecture
• SIGLITE-SL_89. Is there a formal Software Development Life Cycle (SDLC) process?
• SIG-I_2_1. Application security
• ASVS-14_1_2. Build and deploy
• ISO27001-8_28. Secure coding
• CASA-14_1_1. Build and Deploy
• NIST-PR_PS-06. Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle

Weaknesses

• 174 – Insecure service configuration - Backdoor
• 304 – Inappropriate coding practices - Performance
• 316 – Improper resource allocation - Buffer overflow
• 317 – Improper resource allocation - Memory leak
• 352 – Insecure service configuration - Non Masked Variables
• 358 – Insecure service configuration - DocumentBuilderFactory
• 366 – Inappropriate coding practices - Transparency Conflict
• 067 – Improper resource allocation

Last updated

2024/03/05