Use a secure programming language
Summary
System source code must be implemented in a version of the chosen programming language that is stable, updated, tested and free of known vulnerabilities.
Description
Systems that use an updated and secure version of their programming language avoid the known vulnerabilities that exist in older versions. Security vulnerabilities in the language itself (its compiler, interpreter, runtime or standard library) could be exploited by attackers to compromise the integrity, confidentiality or availability of the system.
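One way to enforce this requirement in a build pipeline, as an added example that is not part of this page or of Fluid Attacks' own tooling, is a gate that refuses to build on an interpreter version that is below the project's minimum supported version or past the vendor's end-of-life date. The script below is written for Python and checks the running Python interpreter; the end-of-life table, the minimum version and the warning window are constructed sample policy values, not the vendor's real schedule, and must be replaced with the language vendor's published support policy.

```python
"""CI gate: refuse to build on an unsupported or end-of-life interpreter version.

Added example (not part of the Fluid Attacks requirement page). The end-of-life
table below is CONSTRUCTED sample data; in a real pipeline take it from the
language vendor's published support policy and review it regularly.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass
from datetime import date

# Constructed sample support policy: (major, minor) -> end-of-life date.
# Assumption: these dates are illustrative, not the vendor's real schedule.
SAMPLE_EOL_TABLE: dict[tuple[int, int], date] = {
    (3, 7): date(2023, 6, 27),
    (3, 8): date(2024, 10, 7),
    (3, 9): date(2025, 10, 31),
    (3, 10): date(2026, 10, 31),
    (3, 11): date(2027, 10, 31),
    (3, 12): date(2028, 10, 31),
}

# Oldest minor version the project has tested and accepts (constructed policy).
MINIMUM_SUPPORTED: tuple[int, int] = (3, 10)

# Days before end of life at which the gate starts warning, so upgrades are planned early.
WARN_WINDOW_DAYS = 180

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


@dataclass(frozen=True)
class Verdict:
    ok: bool                # False -> the build should fail
    reason: str             # human-readable explanation for the CI log
    warning: bool = False   # True -> passes, but an upgrade is due soon


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'X.Y' or 'X.Y.Z' (also `python --version` output) into integers."""
    m = _VERSION_RE.match(text.strip().removeprefix("Python "))
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or "0")


def check_runtime(version: str,
                  eol_table: dict[tuple[int, int], date] = SAMPLE_EOL_TABLE,
                  minimum: tuple[int, int] = MINIMUM_SUPPORTED,
                  today: date | None = None) -> Verdict:
    """Decide whether the given interpreter version may be used for this build."""
    today = today or date.today()
    major, minor, _ = parse_version(version)
    key = (major, minor)
    if key < minimum:
        return Verdict(False, f"{major}.{minor} is below the minimum supported "
                              f"{minimum[0]}.{minimum[1]}")
    eol = eol_table.get(key)
    if eol is None:
        # Unknown to the policy: fail closed rather than assume it is supported.
        return Verdict(False, f"{major}.{minor} is not in the support policy; "
                              "add it only after review")
    if today >= eol:
        return Verdict(False, f"{major}.{minor} reached end of life on {eol.isoformat()}")
    days_left = (eol - today).days
    if days_left <= WARN_WINDOW_DAYS:
        return Verdict(True, f"{major}.{minor} reaches end of life in {days_left} days; "
                             "plan the upgrade", warning=True)
    return Verdict(True, f"{major}.{minor} is supported until {eol.isoformat()}")


def main() -> int:
    """Check the interpreter running this script; non-zero exit fails the CI job."""
    running = "%d.%d.%d" % sys.version_info[:3]
    verdict = check_runtime(running)
    tag = "WARN" if verdict.warning else ("OK  " if verdict.ok else "FAIL")
    print(f"{tag} {verdict.reason}")
    return 0 if verdict.ok else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it as an early step of the pipeline (for example `python check_runtime.py` before installing dependencies). The gate fails closed on versions it does not know about, which is the safer default: a new release is accepted only after someone has reviewed it and added it to the policy, and the warning window gives teams time to upgrade before the vendor stops shipping security fixes.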
Supported In
This requirement is verified in the following services:
| Plan | Supported |
|---|---|
| Essential | 🟢 |
| Advanced | 🟢 |
References
- CAPEC™-123. Buffer manipulation
- CAPEC™-129. Pointer manipulation
- CAPEC™-131. Resource leak exposure
- CIS-16_1. Establish and maintain a secure application development process
- CWE™-74. Improper neutralization of special elements in output used by a downstream component ("injection")
- CWE™-400. Uncontrolled resource consumption
- CWE™-710. Improper adherence to coding standards
- CWE™-1325. Improperly controlled sequential memory allocation
- OWASP TOP 10-A6. Vulnerable and outdated components
- Agile Alliance-9. Continuous attention to technical excellence and good design
- CERT-J-MET03-J. Methods that perform a security check must be declared private or final
- MITRE ATT&CK®-M1013. Application developer guidance
- SANS 25-4. Use after free
- SANS 25-5. Improper neutralization of special elements used in an OS command (OS command injection)
- SANS 25-7. Out-of-bounds read
- SANS 25-17. Improper restriction of operations within the bounds of a memory buffer
- CMMC-AT_L2-3_2_1. Role-based risk awareness
- HITRUST CSF-10_j. Access control to program source code
- ISO/IEC 27002-8_28. Secure coding
- WASC-A_07. Buffer overflow
- NIST SSDF-PW_5_1. Archive and protect each software release
- NIST SSDF-PW_6_1. Configure the compilation, interpreter, and build processes to improve executable security
- ISSAF-P_6_3. Host security - Linux security (buffer overflows)
- ISSAF-U_15. Web application SQL injections – Countermeasures
- PTES-5_5_7. Vulnerability analysis - Disassembly and code analysis
- MVSP-2_5. Application design controls - Security libraries
- CWE TOP 25-78. Improper neutralization of special elements used in an OS command (OS command injection)
- CWE TOP 25-119. Improper restriction of operations within the bounds of a memory buffer
- CWE TOP 25-125. Out-of-bounds read
- CWE TOP 25-416. Use after free
- OWASP SAMM-ST. Security Testing
- OWASP ASVS-5_4_1. Memory, string, and unmanaged code
- C2M2-9_4_d. Implement software security for cybersecurity architecture
- SIG Lite-SL_89. Is there a formal Software Development Life Cycle (SDLC) process?
- SIG Core-I_2_1. Application security
- OWASP ASVS-14_1_2. Build and deploy
- ISO/IEC 27001-8_28. Secure coding
- CASA-14_1_1. Build and Deploy
- NIST CSF-PR_PS-06. Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle
Vulnerabilities
- 067. Improper resource allocation
- 174. Insecure service configuration - Backdoor
- 304. Inappropriate coding practices - Performance
- 316. Improper resource allocation - Buffer overflow
- 317. Improper resource allocation - Memory leak
- 352. Insecure service configuration - Non Masked Variables
- 358. Insecure service configuration - DocumentBuilderFactory
- 366. Inappropriate coding practices - Transparency Conflict
- 379. Inappropriate coding practices - Unnecessary imports