159 – Obfuscate code

Summary

The source code must be obfuscated in production environments.

Description

Implementing obfuscation techniques makes it challenging for attackers to reverse engineer the source code. By transforming the code structure and renaming variables, functions, and classes, the obfuscated code becomes harder to read, understand and more resistant to de-compilation.

Supported In

Essential: True

Advanced: True

References

• BSIMM-SE3_2:_18. Use code protection
• CAPEC-188. Reverse engineering
• CWE-1269. Product released in non-release configuration
• AGILE-9. Continuous attention to technical excellence and good design
• CERTJ-ENV02-J. Do not trust the values of environment variables
• MITRE-M1013. Application developer guidance
• MITRE-M1048. Application isolation and sandboxing
• SANS25-23. Improper Control of Generation of Code ('Code Injection')
• HITRUST-01_w. Sensitive system isolation
• HITRUST-09_d. Separation of development, test and operational environments
• HITRUST-10_j. Access control to program source code
• ISO27002-8_25. Secure development lifecycle
• OSSTMM3-11_7_2. Data networks security (controls verification) - Confidentiality
• NISTSSDF-PW_6_2. Configure the compilation, interpreter, and build processes to improve executable security
• PTES-6_2_1_3. Exploitation - Countermeasures (anti-virus encrypting)
• OSAMM-ST. Security Testing
• SIGLITE-SL_89. Is there a formal Software Development Life Cycle (SDLC) process?
• SIG-I_1_19_3. Application security
• SIG-I_2_1. Application security
• CWE25-94. Improper Control of Generation of Code ('Code Injection')
• ISO27001-8_25. Secure development lifecycle

Weaknesses

• 161 – Missing secure obfuscation
• 162 – Missing secure obfuscation - binary
• 361 – Missing secure obfuscation - JavaScript
• 046 – Missing secure obfuscation - APK

Last updated

2024/02/09