161 – Define secure default options

Summary

The source code must have secure default options ensuring secure failures in the application (try, catch/except; default for switches).

Description

The organization must ensure that its own systems and those of third parties are safe and fully comply with the functions for which they were implemented. For this, baselines must be implemented from the design and development phase, in order to avoid bad practices in the development cycles, e.g., the use of a conditional without a default option, which can cause unexpected behaviors in the system. The systems source code is safer when good programming practices are implemented from the development stage, ensuring the portability and maintenance of the application. If a system is difficult to maintain, vulnerabilities are more prone to arise.

Supported In

Advanced: True

References

• OWASP10-A5. Security misconfiguration
• AGILE-9. Continuous attention to technical excellence and good design
• FACTA-312-B_3. Procedures to enhance accuracy and integrity of information
• MISRAC-15_0. The MISRA C switch syntax shall be used
• NYDFS-500_2. Cybersecurity program
• MITRE-M1013. Application developer guidance
• PADSS-8_2. Use of necessary and secure services, including those provided by third parties
• POPIA-3A_21. Security measures regarding information processed by operator
• CMMC-AT_L2-3_2_1. Role-based risk awareness
• CMMC-CA_L2-3_12_2. Plan of action
• HITRUST-03_a. Risk management program development
• HITRUST-05_k. Addressing security in third party agreements
• HITRUST-09_e. Service delivery
• HITRUST-10_j. Access control to program source code
• FEDRAMP-CA-2_3. Security assessment - External organizations
• ISO27002-8_26. Application security requirements
• ISO27002-8_28. Secure coding
• WASC-W_15. Application misconfiguration
• NISTSSDF-PW_1_3. Design software to meet security requirements and mitigate security risks
• NISTSSDF-PW_9_2. Configure software to have secure settings by default
• ISSAF-F_5_7. Network security - Router security assessment (disable non-essential services)
• ISSAF-G_9_8. Network security - Firewalls (identify firewall architecture)
• ISSAF-T_6_4. Web application assessment - Identifying web server vendor and version (default files)
• ISSAF-Y_3_1. Database Security - Database services countermeasures
• PTES-5_5_7. Vulnerability analysis - Disassembly and code analysis
• CWE25-276. Incorrect Default Permissions
• CWE25-476. NULL pointer dereference
• OSAMM-SA. Security Architecture
• C2M2-7_2_c. Manage third-party risk
• CWE-453. Insecure default variable initialization
• SANS25-12. NULL pointer dereference
• SANS25-25. Incorrect Default Permissions
• ISO27001-8_26. Application security requirements
• ISO27001-8_28. Secure coding
• RESOLSB-Art_15_3_c. Operative Risk Management - Information Technology Factor
• NIST-PR_PS-06. Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle

Weaknesses

• 140 – Insecure exceptions - Empty or no catch
• 278 – Insecure exceptions - NullPointerException

Last updated

2024/03/05