Use the strict mode
Summary
The organization should set its parsers, linters, compilers and interpreters to run in strict mode.
Description
Systems must use strict mode because it prevents silent failures that occur when certain actions, such as using undeclared variables or assigning values to read-only properties, are performed without any explicit warning. Enforcing strict mode also tends to produce code that is more readable and less ambiguous.
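The following JavaScript example is added here to illustrate the two silent failures named above; it is not part of the original requirement text. It runs the same two mistakes (assignment to an undeclared identifier, and a write to a frozen property) once in sloppy mode and once in strict mode, and records what each mode does. The helper names (`probe`, `compareModes`) and the sloppy-mode bodies built with the `Function` constructor are constructed for this demonstration; functions created that way do not inherit a surrounding `'use strict'` directive, which is what makes the side-by-side comparison possible in one file.

```javascript
// Added example, not from the original page. Compares sloppy and strict mode
// on the two silent failures the requirement describes.

// Run fn and report whether it threw, and the error class if it did.
function probe(fn) {
  try {
    fn();
    return { threw: false, error: null };
  } catch (e) {
    return { threw: true, error: e.constructor.name };
  }
}

// Sloppy-mode bodies. Function-constructor code is never strict unless its own
// body says so, so these run without strict checks regardless of this file.
const sloppyCases = {
  // Typo in a variable name: sloppy mode silently creates a global instead.
  undeclaredAssignment: new Function(
    'typoedVariable = 42;' +
    'var observed = typeof typoedVariable;' +
    'delete globalThis.typoedVariable;' + // clean up the leaked global
    'return observed;'
  ),
  // Write to a read-only property: sloppy mode silently drops the write.
  frozenWrite: new Function(
    'var config = Object.freeze({ debug: false });' +
    'config.debug = true;' +
    'return config.debug;'
  ),
};

// Strict-mode versions of the same two mistakes.
function strictUndeclaredAssignment() {
  'use strict';
  typoedVariable = 42; // no declaration: ReferenceError under strict mode
}

function strictFrozenWrite() {
  'use strict';
  const config = Object.freeze({ debug: false });
  config.debug = true; // read-only property: TypeError under strict mode
  return config.debug;
}

// Collect the outcome of each mistake in each mode.
function compareModes() {
  return {
    sloppy: {
      // 'number': the typo became a real global and nothing warned about it
      undeclaredAssignment: sloppyCases.undeclaredAssignment(),
      // false: the write to the frozen config was ignored without any signal
      frozenWrite: sloppyCases.frozenWrite(),
    },
    strict: {
      // 'ReferenceError': the typo is caught the first time the code runs
      undeclaredAssignment: probe(strictUndeclaredAssignment).error,
      // 'TypeError': the dropped write becomes a visible failure
      frozenWrite: probe(strictFrozenWrite).error,
    },
  };
}

console.log(JSON.stringify(compareModes(), null, 2));
```

In a real code base the directive goes at the top of each file (or the code is shipped as ES modules, which are strict by default) and a linter rule such as ESLint's `strict` enforces its presence, so the failures above surface in tests rather than as a leaked global or a configuration flag that never changed.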
Supported In
This requirement is verified in the following services:
| Plan | Supported |
|---|---|
| Essential | 🔴 |
| Advanced | 🟢 |
References
- CAPEC™-123. Buffer manipulation
- CAPEC™-129. Pointer manipulation
- CAPEC™-130. Excessive allocation
- CWE™-611. Improper restriction of XML External Entity reference
- OWASP TOP 10-A5. Security misconfiguration
- OWASP-M TOP 10-M7. Poor code quality
- Agile Alliance-9. Continuous attention to technical excellence and good design
- MISRA-C-1_4. The compiler/linker shall be checked
- MITRE ATT&CK®-M1013. Application developer guidance
- PA-DSS-5_2_2. Buffer Overflow
- SANS 25-1. Out-of-bounds Write
- SANS 25-3. Improper neutralization of special elements used in an SQL command (SQL injection)
- SANS 25-4. Use after free
- SANS 25-7. Out-of-bounds read
- SANS 25-17. Improper restriction of operations within the bounds of a memory buffer
- WASSEC-5_3. Parser tolerance
- NIST SSDF-PW_6_1. Configure the compilation, interpreter, and build processes to improve executable security
- CWE TOP 25-89. Improper neutralization of special elements used in an SQL command (SQL injection)
- CWE TOP 25-119. Improper restriction of operations within the bounds of a memory buffer
- CWE TOP 25-125. Out-of-bounds read
- CWE TOP 25-416. Use after free
- CWE TOP 25-787. Out-of-bounds Write
- OWASP SAMM-ST. Security Testing
- OWASP ASVS-5_5_2. Deserialization prevention
- OWASP ASVS-14_1_2. Build and deploy
- CASA-5_5_2. Deserialization Prevention