Summary

The source code of a system must not perform functions other than those specified in the functional requirements (backdoors).

Description

Sometimes, functionalities other than the ones for which a system was designed are included during development to aid the development and testing processes. These functions often represent backdoors because they leave ports exposed or help in bypassing the authentication and/or authorization mechanisms. Therefore, they should not be part of the production environment, as they could become serious security vulnerabilities.

Supported In

This requirement is verified in following services

References

• CAPEC™-113. Interface manipulation
• CAPEC™-115. Authentication bypass
• CAPEC™-438. Modification during manufacture
• CAPEC™-554. Functionality bypass
• CIS-5_5. Establish and maintain an inventory of service accounts
• CWE™-510. Trapdoor
• CWE™-1269. Product released in non-release configuration
• OWASP TOP 10-A6. Vulnerable and outdated components
• OWASP-M TOP 10-M10. Extraneous functionality threat agents
• Agile Alliance-9. Continuous attention to technical excellence and good design
• NY SHIELD Act-5575_B_6. Personal and private information
• MITRE ATT&CK®-M1013. Application developer guidance
• MITRE ATT&CK®-M1016. Vulnerability scanning
• PA-DSS-5_1_2. Test data and accounts are removed before release to customer
• HITRUST CSF-01_l. Remote diagnostic and configuration port protection
• FedRAMP-CM-7. Least functionality
• OSSTMM3-10_9_3. Telecommunications security (configurations verification) - Configuration errors
• NIST SSDF-PO_5_1. Implement and maintain secure environments for software development
• ISSAF-Q_16_13. Host security - Windows security (registry attacks)
• PTES-5_2_2_1. Vulnerability analysis - Network vulnerability scanners (port based)
• PTES-7_7. Post Exploitation - Persistence
• NIST 800-115-4_4_1. Passive wireless scanning
• OWASP SAMM-ST. Security Testing
• OWASP SAMM-OM. Operational Management
• OWASP ASVS-10_2_3. Malicious code search
• C2M2-9_4_d. Implement software security for cybersecurity architecture
• PCI DSS-2_2_4. Remove or disable all unnecessary functionality
• SIG Lite-SL_89. Is there a formal Software Development Life Cycle (SDLC) process?
• SIG Core-I_2_1. Application security
• SIG Core-I_2_6. Application security
• CASA-10_2_3. Malicious Code Search

Vulnerabilities

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.