Obfuscate code
Summary
The source code must be obfuscated in production environments.
Description
Implementing obfuscation techniques makes it challenging for attackers to reverse engineer the source code. Transforming the code structure and renaming variables, functions, and classes makes the code harder to read and understand, and more resistant to decompilation.
References
- BSIMM-SE3_2:_18. Use code protection
- CAPEC-188. Reverse engineering
- CWE-1269. Product released in non-release configuration
- AGILE-9. Continuous attention to technical excellence and good design
- CERTJ-ENV02-J. Do not trust the values of environment variables
- MITRE-M1013. Application developer guidance
- MITRE-M1048. Application isolation and sandboxing
- SANS25-23. Improper Control of Generation of Code ('Code Injection')
- HITRUST-01_w. Sensitive system isolation
- HITRUST-09_d. Separation of development, test and operational environments
- HITRUST-10_j. Access control to program source code
- ISO27002-8_25. Secure development lifecycle
- OSSTMM3-11_7_2. Data networks security (controls verification) - Confidentiality
- NISTSSDF-PW_6_2. Configure the compilation, interpreter, and build processes to improve executable security
- PTES-6_2_1_3. Exploitation - Countermeasures (anti-virus encrypting)
- OSAMM-ST. Security Testing
- SIGLITE-SL_89. Is there a formal Software Development Life Cycle (SDLC) process?
- SIG-I_1_19_3. Application security
- SIG-I_2_1. Application security
- CWE25-94. Improper Control of Generation of Code ('Code Injection')
- ISO27001-8_25. Secure development lifecycle
Weaknesses
Supported In
This requirement is verified in the following services:
Essential Plan
Advanced Plan