The source code must not contain commented-out code when it is deployed to the production environment.
Commented-out code often represents pieces of logic or functionality that is incomplete or used for testing purposes. Leaving such code in the source can lead to the accidental use of outdated or obsolete code by developers. This code may contain security vulnerabilities, deprecated functions, or sensitive information that should not be present in the production environment. When this type of code is present increases the risk of exposing security weaknesses to potential attackers.
This requirement is verified in following services
- CWE™-1041. Use of redundant code
- CWE™-1085. Invokable control element with excessive volume of commented-out code
- MISRA-C-2_4. Sections of code should not be “commented out”
- MITRE ATT&CK®-M1013. Application developer guidance
- CMMC-AT_L2-3_2_1. Role-based risk awareness
- HITRUST CSF-10_i. Protection of system test data
- ISO/IEC 27002-8_25. Secure development lifecycle
- ISO/IEC 27002-8_28. Secure coding
- WASSEC-6_2_5_2. Information disclosure - Information leakage
- OWASP SCP-8. Data protection
- OWASP SAMM-ST. Security Testing
- C2M2-9_4_d. Implement software security for cybersecurity architecture
- PCI DSS-6_5_6. Changes to all system components are managed securely
- SIG Core-I_3_2_7. Application security
- ISO/IEC 27001-8_25. Secure development lifecycle
- ISO/IEC 27001-8_28. Secure coding
Search for vulnerabilities in your apps for free with our automated security testing! Start your 21-day free trial and discover the benefits of our Continuous Hacking Machine Plan. If you prefer a full service that includes the expertise of our ethical hackers, don't hesitate to contact us for our Continuous Hacking Squad Plan.