Disable insecure functionalities
Summary
The organization must disable or carefully control the insecure functions of a system (system hardening).
Description
Platforms often ship with functionalities that the applications built on top of them, or hosted by them, do not need or that can be harmful to them (for example, debug interfaces, directory listing, unnecessary HTTP methods or default accounts). Applications themselves are also sometimes developed with features that allow actions that should be considered insecure. All such functionalities must be disabled or otherwise controlled so that they cannot be used to compromise the system. The controls must be enforced server-side at trusted enforcement points, such as access control gateways, servers and serverless functions, and never delegated to the client.
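The following is an added example, not code from the original page, of what a trusted enforcement point can look like in practice: a WSGI middleware that rejects HTTP methods the application does not need (such as TRACE, which is behind cross-site tracing) and hides debug paths, so the decision is made server-side before any application handler runs. The allowed methods, the blocked path prefixes and the `demo_app` behind the middleware are assumptions chosen for illustration.

```python
"""Added example: disable unneeded HTTP functionality at a trusted
enforcement point (a WSGI middleware) instead of relying on each handler
or on the client to refuse it."""
from typing import Callable, Iterable, List, Tuple

# Assumptions for this example: the application only needs these methods
# and never exposes the management/debug paths below in production.
ALLOWED_METHODS = frozenset({"GET", "HEAD", "POST"})
BLOCKED_PREFIXES = ("/debug", "/actuator", "/.git")

StartResponse = Callable[[str, List[Tuple[str, str]]], None]
WSGIApp = Callable[[dict, StartResponse], Iterable[bytes]]


def harden(app: WSGIApp) -> WSGIApp:
    """Wrap `app` so that disabled functionality never reaches it."""

    def wrapped(environ: dict, start_response: StartResponse) -> Iterable[bytes]:
        method = environ.get("REQUEST_METHOD", "").upper()
        path = environ.get("PATH_INFO", "/")
        if method not in ALLOWED_METHODS:
            # TRACE/TRACK, or PUT/DELETE on an application that never
            # needs them, are refused with an explicit Allow header.
            start_response(
                "405 Method Not Allowed",
                [("Allow", ", ".join(sorted(ALLOWED_METHODS))),
                 ("Content-Type", "text/plain")],
            )
            return [b"method not allowed\n"]
        if path.startswith(BLOCKED_PREFIXES):
            # 404 rather than 403 so the existence of the endpoint is not
            # confirmed to an unauthenticated caller.
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"not found\n"]
        return app(environ, start_response)

    return wrapped


def demo_app(environ: dict, start_response: StartResponse) -> Iterable[bytes]:
    """Hypothetical application: answers everything, including TRACE, which
    is exactly why the enforcement point in front of it matters."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]


def call(app: WSGIApp, method: str, path: str) -> Tuple[str, bytes]:
    """Drive a WSGI app with a constructed request; returns (status, body)."""
    captured = {}

    def start_response(status: str, headers: List[Tuple[str, str]]) -> None:
        captured["status"] = status

    environ = {"REQUEST_METHOD": method, "PATH_INFO": path}
    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    hardened = harden(demo_app)
    for m, p in [("GET", "/"), ("TRACE", "/"), ("GET", "/debug/vars"), ("DELETE", "/item/1")]:
        print(f"{m} {p} -> {call(hardened, m, p)[0]}")
```

The same allowlist approach applies at an API gateway or a reverse proxy; the point is that the list of permitted methods and paths is declared once, at a component the application cannot bypass, rather than being re-implemented (or forgotten) in every handler.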
Supported In
This requirement is verified in the following services
| Plan | Supported |
|---|---|
| Machine | 🟢 |
| Squad | 🟢 |
References
- CAPEC™-161. Infrastructure manipulation
- CAPEC™-212. Functionality misuse
- CAPEC™-677. Server Motherboard Compromise
- CAPEC™-678. System Build Data Maliciously Altered
- CAPEC™-701. Browser in the Middle (BiTM)
- CIS-9_4. Restrict unnecessary or unauthorized browser and email client extensions
- CWE™-78. Improper neutralization of special elements used in an OS command ("OS command injection")
- CWE™-98. Improper control of filename for include/require statement in PHP program ("PHP remote file inclusion")
- CWE™-114. Process control
- CWE™-284. Improper access control
- CWE™-444. Inconsistent interpretation of HTTP requests ("HTTP request smuggling")
- CWE™-548. Exposure of information through directory listing
- CWE™-602. Client-side enforcement of server-side security
- CWE™-693. Protection mechanism failure
- CWE™-749. Exposed dangerous method or function
- CWE™-1392. Use of Default Credentials
- CWE™-1393. Use of Default Password
- CWE™-1394. Use of Default Cryptographic Key
- OWASP TOP 10-A1. Broken access control
- OWASP TOP 10-A4. Insecure design
- OWASP TOP 10-A5. Security misconfiguration
- OWASP-M TOP 10-M1. Improper platform usage
- NIST Framework-PR_AC-2. Physical access to assets is managed and protected
- Agile Alliance-9. Continuous attention to technical excellence and good design
- Agile Alliance-11. Best architectures, requirements, and designs
- NYDFS-500_2. Cybersecurity program
- MITRE ATT&CK®-M1042. Disable or remove feature or program
- MITRE ATT&CK®-M1054. Software configuration
- MITRE ATT&CK®-M1057. Data loss prevention
- PA-DSS-5_2_8. Improper access controls
- CMMC-CM_L2-3_4_2. Security configuration enforcement
- HITRUST CSF-03_a. Risk management program development
- ISO/IEC 27002-8_26. Application security requirements
- ISO/IEC 27002-8_27. Secure system architecture and engineering principles
- ISA/IEC 62443-RDF-5_3. User content filtering
- WASSEC-6_2_3_6. Client-side attacks - Flash-related attack
- WASSEC-6_2_4_3. Command execution - OS command injection
- WASSEC-6_2_4_8. Command execution - Remote file includes
- WASSEC-6_2_5_5. Information disclosure - Insecure HTTP methods enabled
- OSSTMM3-9_3_1. Wireless security (active detection verification) - Channel monitoring
- WASC-A_42. Abuse of functionality
- WASC-A_26. HTTP request smuggling
- WASC-A_30. Mail command injection
- WASC-A_31. OS commanding
- WASC-A_05. Remote file inclusion (RFI)
- WASC-W_16. Directory indexing
- NIST SSDF-PS_1_1. Protect all forms of code from unauthorized access and tampering
- NIST SSDF-PW_5_1. Archive and protect each software release
- NIST SSDF-RV_2_2. Assess, prioritize, and remediate vulnerabilities
- ISSAF-F_1. Network security - Router security assessment (router identification)
- ISSAF-J_7_3_5. Network security - Anti-virus system (methodology)
- ISSAF-P_4. Host security - Linux security (identify ports and services)
- ISSAF-P_4_1. Host security - Linux security (identify ports and users)
- ISSAF-P_6_1. Host security - Linux security (remote attacks)
- ISSAF-Q_16_10. Host security - Windows security (SMB attacks)
- ISSAF-T_12_2. Web application assessment - Browsable directories check
- ISSAF-T_13_3. Web application assessment - Test invalidated parameters (Cross Site Tracing)
- ISSAF-V_13. Application security - Source code auditing (command injection)
- PTES-3_4_1_5_8. Corporate - Infrastructure assets (defense technologies)
- PTES-3_6_1_3_8. External footprinting - Active footprinting (DNS bruteforce)
- PTES-5_2_3_2. Vulnerability analysis - Web application scanners (directory listing or brute forcing)
- PTES-5_4_2_3. Vulnerability analysis - Manual validation specific protocol (DNS)
- PTES-6_2_1. Exploitation - Countermeasures (anti-virus)
- PTES-6_2_3. Exploitation - Countermeasures (data execution prevention)
- PTES-6_2_5. Exploitation - Countermeasures (web application firewall)
- PTES-7_3_1_3. Post exploitation - Network infrastructure analysis (DNS servers)
- PTES-7_3_1_5. Post exploitation - Network infrastructure analysis (proxy servers)
- PTES-7_4_4_1. Post Exploitation - Pillaging (user information on system)
- OWASP Top 10 Privacy Risks-P1. Web application vulnerabilities
- OWASP Top 10 Privacy Risks-P3. Insufficient data breach response
- MVSP-2_3. Application design controls - Security Headers
- MVSP-3_3. Application implementation controls - Vulnerability prevention
- OWASP SCP-8. Data protection
- OWASP SCP-10. System configuration
- OWASP SCP-11. Database security
- OWASP SCP-14. General coding practices
- BSAFSS-SM_4-1. Software measures to prevent counterfeiting and tampering
- BSAFSS-SI_1-2. Avoid architectural weaknesses of authentication failure
- OWASP MASVS-V1_10. Architecture, design and threat modeling requirements
- OWASP MASVS-V6_5. Platform interaction requirements
- OWASP MASVS-V6_7. Platform interaction requirements
- OWASP MASVS-V7_6. Code quality and build setting requirements
- NIST 800-171-4_2. Establish and enforce security configuration settings for information technology products
- CWE TOP 25-78. Improper neutralization of special elements used in an OS command (OS command injection)
- CWE TOP 25-119. Improper restriction of operations within the bounds of a memory buffer
- CWE TOP 25-416. Use after free
- CWE TOP 25-476. NULL pointer dereference
- NIST 800-115-4_2. Network port and service identification
- SWIFT CSCF-2_3. System hardening
- SWIFT CSCF-2_10. Application hardening
- SWIFT CSCF-3_1. Physical security
- OWASP SAMM-SA_2. Software design process toward known-secure services and secure-by-default designs
- OWASP SAMM-EH_2. Improve confidence in application operations by hardening the operating environment
- OWASP ASVS-5_2_5. Sanitization and sandboxing
- OWASP ASVS-5_3_8. Output encoding and injection prevention
- OWASP ASVS-8_1_1. General data protection
- OWASP ASVS-10_3_3. Application integrity
- OWASP ASVS-12_3_6. File execution
- OWASP ASVS-14_1_3. Build and deploy
- OWASP ASVS-14_4_1. HTTP security headers
- C2M2-9_4_a. Implement software security for cybersecurity architecture
- C2M2-9_4_c. Implement software security for cybersecurity architecture
- PCI DSS-1_2_2. Network security controls are configured and maintained
- PCI DSS-1_2_6. Network security controls are configured and maintained
- PCI DSS-2_2_4. Remove or disable all unnecessary functionality
- PCI DSS-5_3_2. Anti-malware mechanisms and processes are active and monitored
- PCI DSS-6_3_3. Security vulnerabilities are identified and addressed
- PCI DSS-10_7_2. Failures of critical security control systems are detected and responded to promptly
- SIG Lite-SL_89. Is there a formal Software Development Life Cycle (SDLC) process?
- SIG Core-I_2_1. Application security
- SIG Core-I_2_9_4. Application security
- OWASP ASVS-4_3_1. Other access control considerations
- OWASP ASVS-12_3_4. File execution
- OWASP ASVS-12_3_5. File execution
- OWASP ASVS-13_2_1. RESTful web service
- OWASP ASVS-13_2_5. RESTful web service
- OWASP ASVS-14_5_1. HTTP request header validation
- OWASP MASVS-V7_9. Code quality and build setting requirements
- OWASP MASVS-V8_5. Resilience requirements - Impede dynamic analysis and tampering
- OWASP API Security Top 10-API6. Mass Assignment
- OWASP API Security Top 10-API7. Security Misconfiguration
- OWASP API Security Top 10-API9. Improper Assets Management
- SANS 25-7. Use After Free
- SANS 25-17. Improper Neutralization of Special Elements used in a Command ('Command Injection')
- ISO/IEC 27001-8_26. Application security requirements
- ISO/IEC 27001-8_27. Secure system architecture and engineering principles
- CASA-4_3_1. Other Access Control Considerations
- CASA-4_3_2. Other Access Control Considerations
- CASA-5_2_5. Sanitization and Sandboxing
- CASA-5_3_8. Output Encoding and Injection Prevention
- CASA-8_1_1. General Data Protection
- CASA-10_3_3. Application Integrity
Vulnerabilities
- 004. Remote command execution
- 009. Sensitive information in source code
- 014. Insecure functionality
- 044. Insecure HTTP methods enabled
- 047. Automatic information enumeration
- 055. Insecure service configuration - ADB Backups
- 056. Anonymous connection
- 060. Insecure service configuration - Host verification
- 061. Remote File Inclusion
- 070. Insecure service configuration - ELB
- 110. HTTP request smuggling
- 111. Out-of-bounds read
- 115. Security controls bypass or absence
- 116. XS-Leaks
- 125. Directory listing
- 134. Insecure or unset HTTP headers - CORS
- 135. Insecure or unset HTTP headers - X-XSS Protection
- 136. Insecure or unset HTTP headers - Cache Control
- 137. Insecure or unset HTTP headers - X-Permitted-Cross-Domain-Policies
- 138. Inappropriate coding practices
- 140. Insecure exceptions - Empty or no catch
- 142. Sensitive information in source code - API Key
- 143. Inappropriate coding practices - Eval function
- 152. Insecure or unset HTTP headers - X-Frame Options
- 153. Insecure or unset HTTP headers - Accept
- 164. Insecure service configuration
- 165. Insecure service configuration - AWS
- 166. Insecure service configuration - Kerberoast
- 167. Insecure service configuration - Wireless Certificates
- 168. Insecure service configuration - Keystore
- 170. Insecure service configuration - Antivirus
- 171. Insecure service configuration - Firewall
- 172. Insecure service configuration - App Backup
- 173. Insecure service configuration - Backup
- 175. Insecure service configuration - DNS
- 176. Insecure service configuration - SSH
- 177. Insecure service configuration - Security Groups
- 178. Insecure service configuration - RDP
- 179. Insecure service configuration - SMB
- 180. Insecure service configuration - SMTP
- 181. Insecure service configuration - DynamoDB
- 205. Insufficient Physical Access Controls
- 206. Security controls bypass or absence - Anti hooking
- 207. Security controls bypass or absence - SSLPinning
- 208. Security controls bypass or absence - Antivirus
- 209. Security controls bypass or absence - Emulator
- 210. Security controls bypass or absence - Facial Recognition
- 212. Security controls bypass or absence - Cloudflare
- 250. Non-encrypted hard drives
- 252. Automatic information enumeration - Open ports
- 253. Automatic information enumeration - AWS
- 254. Automatic information enumeration - Credit Cards
- 255. Insecure functionality - Pass the hash
- 260. Insecure Binary compilation
- 268. Insecure service configuration - Webview
- 270. Insecure functionality - File Creation
- 271. Insecure functionality - Password management
- 272. Insecure functionality - Masking
- 273. Insecure functionality - Fingerprint
- 278. Insecure exceptions - NullPointerException
- 283. Automatic information enumeration - Personal Information
- 285. Insecure service configuration - App Transport Security
- 293. Insecure service configuration - Key pair
- 294. Insecure service configuration - OTP
- 302. Insecure functionality - Session management
- 305. Security controls bypass or absence - Data creation
- 308. Enabled default configuration
- 312. Insecure service configuration - Signatures
- 313. Insecure service configuration - Certificates
- 314. Insecure service configuration - DB
- 315. Insecure service configuration - CloudDB
- 319. Insecure service configuration - Roles
- 320. Insecure service configuration - LDAP
- 324. Insecure functionality - User management
- 326. Sensitive information in source code - Dependencies
- 329. Insecure or unset HTTP headers - Content-Type
- 333. Insecure service configuration - EC2
- 334. Insecure service configuration - IAM
- 335. Insecure service configuration - Bucket
- 338. Insecure service configuration - Salt
- 339. Insecure service configuration - Request Validation
- 343. Insecure service configuration - BREACH Attack
- 345. Security controls bypass or absence - Session Invalidation
- 347. Insecure service configuration - Task Hijacking
- 351. Automatic information enumeration - Corporate information
- 359. Sensitive information in source code - Credentials
- 367. Sensitive information in source code - Git history
- 374. Security controls bypass or absence - Debug Protection
- 375. Security controls bypass or absence - Tampering Protection
- 376. Security controls bypass or absence - Reversing Protection
- 380. Supply Chain Attack - Docker
- 381. Supply Chain Attack - Terraform
- 384. Inappropriate coding practices - Wildcard export
- 392. Security controls bypass or absence - Firewall
- 396. Insecure service configuration - KMS
- 398. Fragment Injection
- 404. OS Command Injection
- 414. Insecure service configuration - Header Checking
- 417. Account Takeover
- 418. Insecure service configuration - Docker
- 422. Server side template injection
- 426. Supply Chain Attack - Kubernetes
- 431. Supply Chain Attack - NPM
- 432. Inappropriate coding practices - relative path command
- 434. Client-side template injection
- 436. Security controls bypass or absence - Fingerprint
- 437. Supply Chain Attack - GitHub Actions
- 439. Sensitive information in source code - IP
- 440. Insecure or unset HTTP headers - Permissions-Policy
- 442. SMTP header injection