Exclude unverifiable files
Summary
Binary and other types of files, which are often not audited for security purposes, should not be stored in the source code repository.
Description
Binary files usually have a file size greater than their source counterpart, which can eventually affect a repository performance. Changes done to them are often hard to track for versioning tools or make no sense for a reviewer. Furthermore, security audits on binary files are more complicated or simply not performed, and these could contain serious vulnerabilities such as backdoors, rootkits and exposed sensitive information.
References
- OWASPM10-M10. Extraneous functionality threat agents
- MITRE-M1013. Application developer guidance
- CMMC-SI_L1-3_14_5. System & file scanning
- HITRUST-09_h. Capacity management
- ISO27002-8_28. Secure coding
- WASC-W_01. Insufficient authentication
- NISTSSDF-PS_3_1. Archive and protect each software release
- ISSAF-P_6_16. Host security - Linux security (file and directory permission attacks)
- ASVS-8_3_5. Sensitive private data
- ISO27001-8_28. Secure coding
- CASA-8_3_5. Sensitive Private Data
Weaknesses
- 117. Unverifiable files
- 298. Authentication mechanism absence or evasion - Redirect
- 299. Authentication mechanism absence or evasion - JFROG
- 300. Authentication mechanism absence or evasion - Azure
- 365. Authentication mechanism absence or evasion - Response tampering
- 370. Authentication mechanism absence or evasion - Security Image
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.