Application free of malicious code
Summary
The application code must be free of malicious code.
Description
There are several ways in which malicious code can end up in an application. It can be imported as part of third-party libraries, which may be intentionally malicious or contain exploitable vulnerabilities, or it can be a backdoor left by one of the developers. Therefore, the source code should be audited to guarantee that it does not contain backdoors, rootkits, time bombs, logic bombs, etc.
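As an added illustration of what such an audit looks for (this is example code written for this page, not part of the Fluid Attacks requirement or its tooling), the following Python script walks a module's syntax tree and flags three of the patterns named above: a credential compared against a string literal (a master-password backdoor), a clock read compared against a hard-coded value (a date-gated time bomb), and `exec`/`eval` applied to something other than a string literal (a payload decoded or assembled at runtime). The rules, the `Finding` type and the sample module it scans are all assumptions constructed for the example; the heuristics are a starting point for a reviewer, not a proof that code is clean.

```python
"""Heuristic audit for backdoor, time-bomb and obfuscated-loader patterns (example rules, not a product feature)."""
import ast
from dataclasses import dataclass

# Identifiers that usually indicate a credential check (assumed hint list)
CRED_HINTS = ("password", "passwd", "secret", "token", "api_key", "otp")
# Identifiers that usually indicate a clock read, the trigger of a time bomb (assumed hint list)
TIME_HINTS = {"datetime", "date", "now", "today", "utcnow", "time"}
# Dynamic code loaders that a planted payload typically goes through
LOADERS = {"exec", "eval", "compile"}


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    detail: str


def _ident(node):
    """Dotted name of a Name/Attribute node, '' for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _ident(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return ""


def _idents(node):
    return [_ident(n) for n in ast.walk(node) if isinstance(n, (ast.Name, ast.Attribute))]


def _has_literal(node):
    return any(isinstance(n, ast.Constant) and isinstance(n.value, (int, float, str))
               for n in ast.walk(node))


class _Auditor(ast.NodeVisitor):
    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        callee = _ident(node.func).split(".")[-1]
        first = node.args[0] if node.args else None
        # exec/eval/compile of anything but a string literal: the code is built at run time
        # (decoded, downloaded, concatenated), which is how obfuscated payloads are loaded
        if callee in LOADERS and not (isinstance(first, ast.Constant) and isinstance(first.value, str)):
            self.findings.append(Finding(node.lineno, "dynamic-exec", f"{callee}() on a non-literal argument"))
        self.generic_visit(node)

    def visit_Compare(self, node):
        names = _idents(node)
        parts = {p for n in names for p in n.split(".")}
        # A clock read compared against a literal is a date-gated branch: a time bomb candidate
        if parts & TIME_HINTS and _has_literal(node):
            self.findings.append(Finding(node.lineno, "time-bomb", "clock compared against a hard-coded value"))
        # A credential compared against a string literal is a master-password backdoor candidate
        cred = [n for n in names if any(h in n.lower() for h in CRED_HINTS)]
        literal_str = any(isinstance(c, ast.Constant) and isinstance(c.value, str)
                          for c in [node.left, *node.comparators])
        if cred and literal_str:
            self.findings.append(Finding(node.lineno, "hardcoded-credential-check",
                                         f"{cred[0]} compared with a string literal"))
        self.generic_visit(node)


def audit(source: str) -> list:
    """Parse one module and return its findings ordered by line."""
    auditor = _Auditor()
    auditor.visit(ast.parse(source))
    return sorted(auditor.findings, key=lambda f: f.line)


# Constructed sample module: three planted patterns plus one benign eval that must not be flagged
SAMPLE = '''
import base64, datetime

def login(user, password):
    if password == "m4ster-override":  # constructed backdoor
        return True
    return check_db(user, password)

def housekeeping():
    if datetime.datetime.now() > datetime.datetime(2026, 3, 1):  # constructed time bomb
        wipe_logs()

def run_update(blob):
    exec(base64.b64decode(blob))  # constructed obfuscated loader

def benign():
    return eval("1 + 1")  # literal argument, not flagged
'''

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"line {f.line}: {f.rule}: {f.detail}")
```

Each finding is a review prompt, not a verdict: a time comparison may be a legitimate expiry check and a credential literal may be a test fixture, so the output is meant to be read alongside dependency review (lock files, pinned hashes, provenance of third-party packages), which this script does not cover.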
Supported In
This requirement is verified in the following services:

| Plan | Supported |
|---|---|
| Machine | 🔴 |
| Squad | 🟢 |
References
- BSIMM-CR3_4:_2. Automate malicious code detection
- CAPEC™-438. Modification during manufacture
- CWE™-507. Trojan horse
- CWE™-510. Trapdoor
- CWE™-511. Logic/Time bomb
- NERC CIP-007-6_R3_1. Malicious code prevention
- SOC2®-CC6_8. Logical and physical access controls
- NIST Framework-DE_CM-4. Malicious code is detected
- Agile Alliance-9. Continuous attention to technical excellence and good design
- NYDFS-500_10. Cybersecurity personnel and intelligence
- MITRE ATT&CK®-M1013. Application developer guidance
- MITRE ATT&CK®-M1016. Vulnerability scanning
- MITRE ATT&CK®-M1044. Restrict library loading
- MITRE ATT&CK®-M1047. Audit
- SANS 25-25. Improper Control of Generation of Code ('Code Injection')
- CMMC-AT_L2-3_2_1. Role-based risk awareness
- CMMC-MA_L2-3_7_4. Media inspection
- CMMC-RA_L2-3_11_2. Vulnerability scan
- CMMC-SI_L1-3_14_2. Malicious code protection
- HITRUST CSF-05_k. Addressing security in third party agreements
- HITRUST CSF-09_e. Service delivery
- HITRUST CSF-09_j. Controls against malicious code
- FedRAMP-CA-2_2. Security assessment - Specialized assessments
- FedRAMP-RA-5. Vulnerability scanning
- FedRAMP-SI-3. Malicious code protection
- ISO/IEC 27002-8_26. Application security requirements
- ISA/IEC 62443-SI-3_2. Malicious code protection
- OSSTMM3-10_9_3. Telecommunications security (configurations verification) - Configuration errors
- OWASP Top 10 Privacy Risks-P1. Web application vulnerabilities
- MVSP-2_5. Application design controls - Security libraries
- OWASP SCP-14. General coding practices
- NIST 800-171-1_7. Prevent non-privileged users from executing privileged functions
- NIST 800-171-1_18. Control connection of mobile devices
- SWIFT CSCF-6_1. Malware protection
- OWASP SAMM-IR_1. Find basic code-level vulnerabilities and other high-risk security issues
- OWASP SAMM-IR_3. Code review process to discover language-level and application-specific risks
- OWASP ASVS-10_1_1. Code integrity
- C2M2-9_4_d. Implement software security for cybersecurity architecture
- SIG Lite-SL_89. Is there a formal Software Development Life Cycle (SDLC) process?
- SIG Core-I_2_1. Application security
- OWASP ASVS-10_2_1. Malicious code search
- OWASP ASVS-10_2_6. Malicious code search
- CWE TOP 25-94. Improper Control of Generation of Code ('Code Injection')
- ISO/IEC 27001-8_26. Application security requirements
- CASA-10_1_1. Code Integrity
- Resolution SB 2021 2126-Art_15_3_c. Operative Risk Management - Information Technology Factor