Exclude unverifiable files

Requirement

Binary files, and other file types that are not normally audited for security purposes, should not be stored in the source code repository.

Description

Binary files are usually larger than their source counterparts, which degrades a repository's performance over time. Version control tools cannot produce a meaningful diff for them, so changes are hard to track and cannot be reviewed. Furthermore, security audits of binary files are more complicated or simply not performed, and such files could contain serious problems such as backdoors, rootkits and exposed sensitive information.

Exceptions

  • Image files.
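One way to enforce this requirement in a pre-commit hook or CI job is to flag any file whose content is binary and that does not fall under the image-file exception. The script below is an added example and is not part of this page or of any project's tooling. It uses the same heuristic git applies when deciding whether a file is binary (a NUL byte within the first 8000 bytes), and the list of extensions treated as images is this example's own assumption, since the page only says "image files". The sample repository contents are constructed for the demonstration.

```python
"""Flag unverifiable (binary) files in a set of repository paths.

Added example, not part of the requirement page. It applies the NUL-byte
heuristic that git itself uses to classify a file as binary, then exempts
the image extensions assumed below. The sample files are constructed.
"""
import os
from pathlib import Path

# Assumed allowlist: the requirement exempts "image files"; which extensions
# count as images is this example's own choice, not the page's.
IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".svg", ".webp", ".ico"}

# git treats a file as binary if a NUL byte appears in its first 8000 bytes.
SNIFF_LENGTH = 8000


def is_binary(data: bytes) -> bool:
    """Return True if the content looks binary (contains an early NUL byte)."""
    return b"\x00" in data[:SNIFF_LENGTH]


def is_exempt(path: str) -> bool:
    """Return True if the path falls under the 'image files' exception."""
    return Path(path).suffix.lower() in IMAGE_EXTENSIONS


def find_unverifiable(files: dict[str, bytes]) -> list[str]:
    """Return the paths whose content is binary and not covered by an exception.

    `files` maps a repository-relative path to its content, so the check can
    run on an in-memory staging set (e.g. from a pre-commit hook) or on a tree.
    """
    return sorted(
        path for path, data in files.items()
        if is_binary(data) and not is_exempt(path)
    )


def scan_tree(root: str) -> list[str]:
    """Walk a checkout on disk and apply the same check to every regular file.

    The .git directory is skipped because its packed objects are binary by
    design and are not part of the committed tree.
    """
    found: dict[str, bytes] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                # Only the first SNIFF_LENGTH bytes are needed for the heuristic.
                found[os.path.relpath(full, root)] = fh.read(SNIFF_LENGTH)
    return find_unverifiable(found)


# Constructed sample "repository": paths and contents invented for this example.
SAMPLE_FILES = {
    "src/app.py": b"def main():\n    return 0\n",                # text, not flagged
    "docs/logo.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",     # binary but exempt
    "vendor/helper.jar": b"PK\x03\x04\x14\x00\x00\x00\x08\x00",  # flagged
    "build/native.so": b"\x7fELF\x02\x01\x01\x00\x00\x00",        # flagged
    "README.md": "# Project\nUTF-8 text: caf\u00e9\n".encode(),  # text, not flagged
}


if __name__ == "__main__":
    for path in find_unverifiable(SAMPLE_FILES):
        print(f"unverifiable file: {path}")
```

Run against a checkout with `scan_tree(".")`, or feed `find_unverifiable` the staged files from a hook. The same NUL-byte rule is what makes `git diff --numstat` print `-` for both counts on a binary file, so a hook can also grep that output instead of reading file contents itself; the allowlist is kept deliberately narrow so that archives, shared objects and other non-image blobs are always surfaced for review.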

References

  • CWE-510: Trapdoor: A trapdoor is a hidden piece of code that responds to a special input, allowing its user access to resources without passing through the normal security enforcement mechanism.

  • OWASP-ASVS v4.0.1 V10.2 Malicious Code Search (10.2.3): Verify that the application source code and third party libraries do not contain backdoors, such as hard-coded or additional undocumented accounts or keys, code obfuscation, undocumented binary blobs, rootkits or anti-debugging, insecure debugging features, or otherwise out of date, insecure, or hidden functionality that could be used maliciously if discovered.