Disable debugging events
Summary
The organization must disable debugging events in production.
Description
Debugging features are essential during the development phase to identify and fix issues in the code. However, these debugging tools and events should not be active or accessible in a production environment, where the software is functioning and serving users. In production, the primary focus is on stability, security, and performance.
Supported In
This requirement is verified in the following services:
| Plan | Supported |
|---|---|
| Essential | 🟢 |
| Advanced | 🟢 |
References
- CAPEC™-113. Interface manipulation
- CAPEC™-116. Excavation
- CWE™-210. Self-generated error message containing sensitive information
- CWE™-497. Exposure of sensitive system information to an unauthorized control sphere
- CWE™-1269. Product released in non-release configuration
- OWASP TOP 10-A5. Security misconfiguration
- CERT-J-ENV06-J. Production code must not contain debugging entry points
- PA-DSS-5_2_5. Improper error handling
- FedRAMP-CA-7. Continuous monitoring
- OWASP SCP-7. Error handling and logging
- OWASP ASVS-14_3_2. Unintended security disclosure
- CWE™-11. Creating debug binary
- CASA-14_3_2. Unintended Security Disclosure
Vulnerabilities