171 – Remove commented-out code

Summary

The source code must not contain commented-out code when it is deployed to the production environment.

Description

Commented-out code often represents pieces of logic or functionality that is incomplete or used for testing purposes. Leaving such code in the source can lead to the accidental use of outdated or obsolete code by developers. This code may contain security vulnerabilities, deprecated functions, or sensitive information that should not be present in the production environment. When this type of code is present increases the risk of exposing security weaknesses to potential attackers.

Supported In

Advanced: True

References

• CWE-1041. Use of redundant code
• CWE-1085. Invokable control element with excessive volume of commented-out code
• MISRAC-2_4. Sections of code should not be “commented out”
• MITRE-M1013. Application developer guidance
• CMMC-AT_L2-3_2_1. Role-based risk awareness
• HITRUST-10_i. Protection of system test data
• ISO27002-8_25. Secure development lifecycle
• ISO27002-8_28. Secure coding
• WASSEC-6_2_5_2. Information disclosure - Information leakage
• OWASPSCP-8. Data protection
• OSAMM-ST. Security Testing
• C2M2-9_4_d. Implement software security for cybersecurity architecture
• PCI-6_5_6. Changes to all system components are managed securely
• SIG-I_3_2_7. Application security
• ISO27001-8_25. Secure development lifecycle
• ISO27001-8_28. Secure coding

Last updated

2024/02/09