323 – Exclude unverifiable files

Summary

Binary and other types of files, which are often not audited for security purposes, should not be stored in the source code repository.

Description

Binary files usually have a file size greater than their source counterpart, which can eventually affect a repository performance. Changes done to them are often hard to track for versioning tools or make no sense for a reviewer. Furthermore, security audits on binary files are more complicated or simply not performed, and these could contain serious vulnerabilities such as backdoors, rootkits and exposed sensitive information.

Supported In

Essential: True

Advanced: True

References

• OWASPM10-M10. Extraneous functionality threat agents
• MITRE-M1013. Application developer guidance
• CMMC-SI_L1-3_14_5. System & file scanning
• HITRUST-09_h. Capacity management
• ISO27002-8_28. Secure coding
• WASC-W_01. Insufficient authentication
• NISTSSDF-PS_3_1. Archive and protect each software release
• ISSAF-P_6_16. Host security - Linux security (file and directory permission attacks)
• ASVS-8_3_5. Sensitive private data
• ISO27001-8_28. Secure coding
• CASA-8_3_5. Sensitive Private Data

Weaknesses

• 117 – Unverifiable files
• 298 – Authentication mechanism absence or evasion - Redirect
• 299 – Authentication mechanism absence or evasion - JFROG
• 300 – Authentication mechanism absence or evasion - Azure
• 365 – Authentication mechanism absence or evasion - Response tampering
• 370 – Authentication mechanism absence or evasion - Security Image

Last updated

2023/09/18