Eliminate backdoors
Summary
The source code of a system must not perform functions other than those specified in the functional requirements (backdoors).
Description
Sometimes, functionalities other than the ones for which a system was designed are included during development to aid the development and testing processes. These functions often represent backdoors because they leave ports exposed or help in bypassing the authentication and/or authorization mechanisms. Therefore, they should not be part of the production environment, as they could become serious security vulnerabilities.
Supported In
This requirement is verified in following services
| Plan | Supported |
|---|---|
| Machine | 🔴 |
| Squad | 🟢 |
References
- CAPEC™-113. Interface manipulation
- CAPEC™-115. Authentication bypass
- CAPEC™-438. Modification during manufacture
- CAPEC™-554. Functionality bypass
- CIS-5_5. Establish and maintain an inventory of service accounts
- CWE™-510. Trapdoor
- CWE™-1269. Product released in non-release configuration
- OWASP TOP 10-A6. Vulnerable and outdated components
- OWASP-M TOP 10-M10. Extraneous functionality threat agents
- NIST Framework-PR_DS-7. The development and testing environments are separate from the production environment
- Agile Alliance-9. Continuous attention to technical excellence and good design
- NY SHIELD Act-5575_B_6. Personal and private information
- MITRE ATT&CK®-M1013. Application developer guidance
- MITRE ATT&CK®-M1016. Vulnerability scanning
- PA-DSS-5_1_2. Test data and accounts are removed before release to customer
- HITRUST CSF-01_l. Remote diagnostic and configuration port protection
- FedRAMP-CM-7. Least functionality
- OSSTMM3-10_9_3. Telecommunications security (configurations verification) - Configuration errors
- NIST SSDF-PO_5_1. Implement and maintain secure environments for software development
- ISSAF-Q_16_13. Host security - Windows security (registry attacks)
- PTES-5_2_2_1. Vulnerability analysis - Network vulnerability scanners (port based)
- PTES-7_7. Post Exploitation - Persistence
- NIST 800-115-4_4_1. Passive wireless scanning
- OWASP SAMM-IR_3. Code review process to discover language-level and application-specific risks
- OWASP SAMM-EH_1. Baseline operational environment for applications and software components
- OWASP ASVS-10_2_3. Malicious code search
- C2M2-9_4_d. Implement software security for cybersecurity architecture
- PCI DSS-2_2_4. Remove or disable all unnecessary functionality
- SIG Lite-SL_89. Is there a formal Software Development Life Cycle (SDLC) process?
- SIG Core-I_2_1. Application security
- SIG Core-I_2_6. Application security
- CASA-10_2_3. Malicious Code Search
Vulnerabilities
Search for vulnerabilities in your apps for free with our automated security testing! Start your 21-day free trial and discover the benefits of our Continuous Hacking Machine Plan. If you prefer a full service that includes the expertise of our ethical hackers, don't hesitate to contact us for our Continuous Hacking Squad Plan.