Obfuscate code
Summary
The source code must be obfuscated in production environments.
Description
Obfuscation makes it harder for attackers to reverse engineer the source code. By transforming the code structure and renaming variables, functions, and classes, the obfuscated code becomes harder to read and understand, and more resistant to decompilation.
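The renaming step the description refers to, as an added illustration that is not part of this requirement page or of Fluid Attacks' tooling: a toy Python `ast`-based renamer (`READABLE_SOURCE`, `obfuscate`, `demo` and the sample function are constructed for this example) that replaces every locally defined function, class, parameter and variable name, then executes both versions to confirm the behaviour is unchanged.

```python
import ast
READABLE_SOURCE = '''# constructed sample: the readable form a release build should not ship
def compute_discount(price, customer_tier):
    base_rate = 0.05 if customer_tier == "gold" else 0.0
    return round(price * (1 - base_rate), 2)
'''

def _local_names(tree):
    """Names the module itself defines: functions, classes, parameters, assignment targets."""
    names = {}
    for node in ast.walk(tree):  # builtins such as round() are never collected
        if isinstance(node, (ast.FunctionDef, ast.ClassDef)):
            names.setdefault(node.name)
        elif isinstance(node, ast.arg):
            names.setdefault(node.arg)
        elif isinstance(node, ast.Name) and isinstance(node.ctx, ast.Store):
            names.setdefault(node.id)
    return list(names)

class _Renamer(ast.NodeTransformer):
    """Rewrite every occurrence of a collected name to its meaningless replacement."""
    def __init__(self, mapping):
        self.mapping = mapping
    def visit_FunctionDef(self, node):
        node.name = self.mapping.get(node.name, node.name)
        return self.generic_visit(node)
    visit_ClassDef = visit_FunctionDef  # both node types carry the name in .name
    def visit_arg(self, node):
        node.arg = self.mapping.get(node.arg, node.arg)
        return node
    def visit_Name(self, node):
        node.id = self.mapping.get(node.id, node.id)
        return node

def obfuscate(source):
    """Return (obfuscated_source, mapping); the mapping stays out of the release artifact."""
    tree = ast.parse(source)
    mapping = {n: "_" + format(i, "x") for i, n in enumerate(_local_names(tree))}
    tree = ast.fix_missing_locations(_Renamer(mapping).visit(tree))
    return ast.unparse(tree), mapping

def demo():
    """Obfuscate the sample; behaviour must be unchanged while readable names are gone."""
    obfuscated, mapping = obfuscate(READABLE_SOURCE)
    original, release = {}, {}
    exec(READABLE_SOURCE, original)  # exec of the constructed sample only
    exec(obfuscated, release)
    before = original["compute_discount"](100.0, "gold")
    after = release[mapping["compute_discount"]](100.0, "gold")
    return obfuscated, mapping, before, after
```

The toy handles a single module and positional calls only; keep the returned mapping with the build records rather than in the shipped artifact, so production stack traces can still be de-obfuscated.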
Supported In
This requirement is verified in the following services

| Plan | Supported |
|---|---|
| Essential | 🟢 |
| Advanced | 🟢 |
References
- BSIMM-SE3_2:_18. Use code protection
- CAPEC™-188. Reverse engineering
- CWE™-1269. Product released in non-release configuration
- Agile Alliance-9. Continuous attention to technical excellence and good design
- CERT-J-ENV02-J. Do not trust the values of environment variables
- MITRE ATT&CK®-M1013. Application developer guidance
- MITRE ATT&CK®-M1048. Application isolation and sandboxing
- SANS 25-23. Improper Control of Generation of Code ('Code Injection')
- HITRUST CSF-01_w. Sensitive system isolation
- HITRUST CSF-09_d. Separation of development, test and operational environments
- HITRUST CSF-10_j. Access control to program source code
- ISO/IEC 27002-8_25. Secure development lifecycle
- OSSTMM3-11_7_2. Data networks security (controls verification) - Confidentiality
- NIST SSDF-PW_6_2. Configure the compilation, interpreter, and build processes to improve executable security
- PTES-6_2_1_3. Exploitation - Countermeasures (anti-virus encrypting)
- OWASP SAMM-ST. Security Testing
- SIG Lite-SL_89. Is there a formal Software Development Life Cycle (SDLC) process?
- SIG Core-I_1_19_3. Application security
- SIG Core-I_2_1. Application security
- CWE TOP 25-94. Improper Control of Generation of Code ('Code Injection')
- ISO/IEC 27001-8_25. Secure development lifecycle
Vulnerabilities
- 046. Missing secure obfuscation - APK
- 161. Missing secure obfuscation
- 162. Missing secure obfuscation - binary
- 361. Missing secure obfuscation - JavaScript