Eliminate backdoors


The source code of a system must not perform functions other than those specified in the functional requirements (backdoors).


Sometimes, functionalities other than the ones for which a system was designed are included during development to aid the development and testing processes. These functions often represent backdoors because they leave ports exposed or help in bypassing the authentication and/or authorization mechanisms. Therefore, they should not be part of the production environment, as they could become serious security vulnerabilities.


  • CAPEC-113: API Manipulation: An adversary manipulates the use or processing of an Application Programming Interface (API) resulting in an adverse impact upon the security of the system implementing the API. This can allow the adversary to execute functionality not intended by the API implementation, possibly compromising the system which integrates the API.

  • CAPEC-115: Authentication Bypass: An attacker gains access to application, service or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place.

  • CAPEC-438: Modification During Manufacture: An attacker modifies a technology, product or component during a stage in its manufacture for the purpose of carrying out an attack against some entity involved in the supply chain lifecycle.

  • CAPEC-554: Functionality Bypass: An adversary attacks a system by bypassing some or all functionality intended to protect it.

  • CIS Controls. 20.8 Control and Monitor Accounts Associated With Penetration Testing: Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.

  • CWE-510: Trapdoor: A trapdoor is a hidden piece of code that responds to a special input, allowing its user access to resources without passing through the normal security enforcement mechanism.

  • CWE-1269: Product Released in Non-Release Configuration: The product released to market is released in pre-production or manufacturing configuration.

  • OWASP-ASVS v4.0.1 Appendix C: Internet of Things Verification Requirements.(C.13): Verify all code including third-party binaries, libraries, frameworks are reviewed for hardcoded credentials (backdoors).

  • OWASP-ASVS v4.0.1 V10.2 Malicious Code Search.(10.2.3): Verify that the application source code and third party libraries do not contain backdoors, such as hard-coded or additional undocumented accounts or keys, code obfuscation, undocumented binary blobs, rootkits, or anti-debugging, insecure debugging features, or otherwise out of date, insecure, or hidden functionality that could be used maliciously if discovered.

  • PCI DSS v3.2.1 - Requirement 6.3.1: Remove development, test and/or custom application accounts, user IDs and passwords before applications become active or are released to customers.

  • PCI DSS v3.2.1 - Requirement 6.4.4: Processes must include removal of test data and accounts from system components before the system becomes active / goes into production.