Define secure default options

Summary

The source code must have secure default options ensuring secure failures in the application (try, catch/except; default for switches).

Description

The organization must ensure that its own systems and those of third parties are safe and fully comply with the functions for which they were implemented. For this, baselines must be implemented from the design and development phase, in order to avoid bad practices in the development cycles, e.g., the use of a conditional without a default option, which can cause unexpected behaviors in the system. The systems source code is safer when good programming practices are implemented from the development stage, ensuring the portability and maintenance of the application. If a system is difficult to maintain, vulnerabilities are more prone to arise.

Supported In

This requirement is verified in following services

Plan	Supported
Machine	🔴
Squad	🟢

References

• OWASP TOP 10-A5. Security misconfiguration
• Agile Alliance-9. Continuous attention to technical excellence and good design
• FACTA-312-B_3. Procedures to enhance accuracy and integrity of information
• MISRA-C-15_0. The MISRA C switch syntax shall be used
• NYDFS-500_2. Cybersecurity program
• MITRE ATT&CK®-M1013. Application developer guidance
• PA-DSS-8_2. Use of necessary and secure services, including those provided by third parties
• POPIA-3A_21. Security measures regarding information processed by operator
• CMMC-AT_L2-3_2_1. Role-based risk awareness
• CMMC-CA_L2-3_12_2. Plan of action
• HITRUST CSF-03_a. Risk management program development
• HITRUST CSF-05_k. Addressing security in third party agreements
• HITRUST CSF-09_e. Service delivery
• HITRUST CSF-10_j. Access control to program source code
• FedRAMP-CA-2_3. Security assessment - External organizations
• ISO/IEC 27002-8_26. Application security requirements
• ISO/IEC 27002-8_28. Secure coding
• WASC-W_15. Application misconfiguration
• NIST SSDF-PW_1_3. Design software to meet security requirements and mitigate security risks
• NIST SSDF-PW_9_2. Configure software to have secure settings by default
• ISSAF-F_5_7. Network security - Router security assessment (disable non-essential services)
• ISSAF-G_9_8. Network security - Firewalls (identify firewall architecture)
• ISSAF-T_6_4. Web application assessment - Identifying web server vendor and version (default files)
• ISSAF-Y_3_1. Database Security - Database services countermeasures
• PTES-5_5_7. Vulnerability analysis - Disassembly and code analysis
• OWASP MASVS-V7_6. Code quality and build setting requirements
• CWE TOP 25-276. Incorrect default permissions
• CWE TOP 25-476. NULL pointer dereference
• OWASP SAMM-SA_2. Software design process toward known-secure services and secure-by-default designs
• C2M2-7_2_c. Manage third-party risk
• CWE™-453. Insecure default variable initialization
• OWASP MASVS-V7_9. Code quality and build setting requirements
• SANS 25-20. Incorrect Default Permissions
• ISO/IEC 27001-8_26. Application security requirements
• ISO/IEC 27001-8_28. Secure coding
• Resolution SB 2021 2126-Art_15_3_c. Operative Risk Management - Information Technology Factor

Vulnerabilities

• 140. Insecure exceptions - Empty or no catch
• 278. Insecure exceptions - NullPointerException

free trial

Search for vulnerabilities in your apps for free with our automated security testing! Start your 21-day free trial and discover the benefits of our Continuous Hacking Machine Plan. If you prefer a full service that includes the expertise of our ethical hackers, don't hesitate to contact us for our Continuous Hacking Squad Plan.