Define secure default options

Summary

The source code must have secure default options ensuring secure failures in the application (try, catch/except; default for switches).

Description

The organization must ensure that its own systems and those of third parties are safe and fully comply with the functions for which they were implemented. For this, baselines must be implemented from the design and development phase, in order to avoid bad practices in the development cycles, e.g., the use of a conditional without a default option, which can cause unexpected behaviors in the system. The systems source code is safer when good programming practices are implemented from the development stage, ensuring the portability and maintenance of the application. If a system is difficult to maintain, vulnerabilities are more prone to arise.

Supported In

This requirement is verified in following services

Plan	Supported
Essential	🔴
Advanced	🟢

References

• OWASP TOP 10-A5. Security misconfiguration
• Agile Alliance-9. Continuous attention to technical excellence and good design
• FACTA-312-B_3. Procedures to enhance accuracy and integrity of information
• MISRA-C-15_0. The MISRA C switch syntax shall be used
• NYDFS-500_2. Cybersecurity program
• MITRE ATT&CK®-M1013. Application developer guidance
• PA-DSS-8_2. Use of necessary and secure services, including those provided by third parties
• POPIA-3A_21. Security measures regarding information processed by operator
• CMMC-AT_L2-3_2_1. Role-based risk awareness
• CMMC-CA_L2-3_12_2. Plan of action
• HITRUST CSF-03_a. Risk management program development
• HITRUST CSF-05_k. Addressing security in third party agreements
• HITRUST CSF-09_e. Service delivery
• HITRUST CSF-10_j. Access control to program source code
• FedRAMP-CA-2_3. Security assessment - External organizations
• ISO/IEC 27002-8_26. Application security requirements
• ISO/IEC 27002-8_28. Secure coding
• WASC-W_15. Application misconfiguration
• NIST SSDF-PW_1_3. Design software to meet security requirements and mitigate security risks
• NIST SSDF-PW_9_2. Configure software to have secure settings by default
• ISSAF-F_5_7. Network security - Router security assessment (disable non-essential services)
• ISSAF-G_9_8. Network security - Firewalls (identify firewall architecture)
• ISSAF-T_6_4. Web application assessment - Identifying web server vendor and version (default files)
• ISSAF-Y_3_1. Database Security - Database services countermeasures
• PTES-5_5_7. Vulnerability analysis - Disassembly and code analysis
• CWE TOP 25-276. Incorrect Default Permissions
• CWE TOP 25-476. NULL pointer dereference
• OWASP SAMM-SA. Security Architecture
• C2M2-7_2_c. Manage third-party risk
• CWE™-453. Insecure default variable initialization
• SANS 25-12. NULL pointer dereference
• SANS 25-25. Incorrect Default Permissions
• ISO/IEC 27001-8_26. Application security requirements
• ISO/IEC 27001-8_28. Secure coding
• Resolution SB 2021 2126-Art_15_3_c. Operative Risk Management - Information Technology Factor
• NIST CSF-PR_PS-06. Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle

Vulnerabilities

• 140. Insecure exceptions - Empty or no catch
• 278. Insecure exceptions - NullPointerException

free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.