Remove commented-out code
Summary
The source code must not contain commented-out code when it is deployed to the production environment.
Description
Commented-out code often represents pieces of logic or functionality that is incomplete or used for testing purposes. Leaving such code in the source can lead to the accidental use of outdated or obsolete code by developers.
This code may contain security vulnerabilities, deprecated functions, or sensitive information that should not be present in the production environment. When this type of code is present increases the risk of exposing security weaknesses to potential attackers.
Supported In
This requirement is verified in following services
| Plan | Supported |
|---|---|
| Essential | 🔴 |
| Advanced | 🟢 |
References
- CWE™-1041. Use of redundant code
- CWE™-1085. Invokable control element with excessive volume of commented-out code
- MISRA-C-2_4. Sections of code should not be “commented out”
- MITRE ATT&CK®-M1013. Application developer guidance
- CMMC-AT_L2-3_2_1. Role-based risk awareness
- HITRUST CSF-10_i. Protection of system test data
- ISO/IEC 27002-8_25. Secure development lifecycle
- ISO/IEC 27002-8_28. Secure coding
- WASSEC-6_2_5_2. Information disclosure - Information leakage
- OWASP SCP-8. Data protection
- OWASP SAMM-ST. Security Testing
- C2M2-9_4_d. Implement software security for cybersecurity architecture
- PCI DSS-6_5_6. Changes to all system components are managed securely
- SIG Core-I_3_2_7. Application security
- ISO/IEC 27001-8_25. Secure development lifecycle
- ISO/IEC 27001-8_28. Secure coding
Vulnerabilities
Free trial
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.