R078. Disable debugging events

Requirement

The organization must disable debugging events in production.
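The following Python example is added here to illustrate the requirement; it is not part of the original page and is not Fluid Attacks code. The handler, the `DB_DSN` value and the failing backend call are constructed for the demonstration. It contrasts a debug-mode response that echoes the full traceback (including the connection string) with the production behaviour the references below ask for: a generic message carrying a unique reference ID, with the detail written only to the server-side log.

```python
import logging
import traceback
import uuid

logger = logging.getLogger("app")

# Constructed secret: the kind of value an unfiltered traceback would expose.
DB_DSN = "postgresql://app_user:s3cret@db.internal:5432/prod"


def connect_to_database(dsn):
    """Stand-in for a backend call whose exception text embeds the DSN."""
    raise ConnectionError(f"could not connect to {dsn}")


def render_error(exc, debug):
    """Build the client-facing error response for an unhandled exception.

    Returns (status, body, error_id). In debug mode the raw traceback is
    returned and error_id is None; in production the client gets a generic
    message plus a reference ID and the traceback goes to the server log only.
    """
    if debug:
        # Debug behaviour: file paths, source lines and the exception text
        # (including the DSN) are all sent to the caller.
        body = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
        return 500, body, None

    error_id = uuid.uuid4().hex
    # Full detail stays server-side, correlated by the ID the user receives.
    logger.error("unhandled error, error_id=%s", error_id, exc_info=exc)
    return 500, f"An unexpected error occurred. Reference ID: {error_id}", error_id


def handle_request(debug=False):
    """Simulated request handler; debug=False is the required production setting."""
    try:
        connect_to_database(DB_DSN)
    except Exception as exc:
        return render_error(exc, debug)
    return 200, "ok", None


def response_is_safe(body):
    """Check a client-facing body for the tell-tale signs of a leaked traceback."""
    markers = ("Traceback (most recent call last)", 'File "', DB_DSN)
    return not any(marker in body for marker in markers)


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    for mode in (True, False):
        status, body, error_id = handle_request(debug=mode)
        print(f"debug={mode} status={status} safe={response_is_safe(body)}")
        print(body)
```

The `response_is_safe` check is the kind of assertion a production smoke test can run against deliberately triggered error paths; the same debug/production split applies to framework-level debug flags, which must be off in production rather than guarded by the handler alone.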

References

  1. CAPEC-113: API Manipulation. An adversary manipulates the use or processing of an Application Programming Interface (API) resulting in an adverse impact upon the security of the system implementing the API. This can allow the adversary to execute functionality not intended by the API implementation, possibly compromising the system which integrates the API.

  2. CAPEC-116: Excavation. An adversary actively probes the target in a manner that is designed to solicit information that could be leveraged for malicious purposes. This is achieved by exploring the target via ordinary interactions for the purpose of gathering intelligence about the target, or by sending data that is syntactically invalid or non-standard in an attempt to produce a response that contains the desired data.

  3. CWE-209: Generation of Error Message Containing Sensitive Information. The software generates an error message that includes sensitive information about its environment, users, or associated data.

  4. CWE-210: Self-generated Error Message Containing Sensitive Information. The software identifies an error condition and creates its own diagnostic or error messages that contain sensitive information.

  5. CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere. The application does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the application does.

  6. CWE-1269: Product Released in Non-Release Configuration. The product released to market is released in pre-production or manufacturing configuration.

  7. OWASP Top 10 A6:2017-Security Misconfiguration. Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched/upgraded in a timely fashion.

  8. OWASP-ASVS v4.0.1 Appendix C: Internet of Things Verification Requirements. (C.1) Verify that application layer debugging interfaces such as USB, UART, and other serial variants are disabled or protected by a complex password.

  9. OWASP-ASVS v4.0.1 Appendix C: Internet of Things Verification Requirements. (C.26) Verify that only microcontrollers that support disabling debugging interfaces (e.g., JTAG, SWD) are used.

  10. OWASP-ASVS v4.0.1 Appendix C: Internet of Things Verification Requirements. (C.4) Verify that on-chip debugging interfaces such as JTAG or SWD are disabled or that an available protection mechanism is enabled and configured appropriately.

  11. OWASP-ASVS v4.0.1 Appendix C: Internet of Things Verification Requirements. (C.18) Verify security controls are in place to hinder firmware reverse engineering (e.g., removal of verbose debugging symbols).

  12. OWASP-ASVS v4.0.1 V7.4 Error Handling. (7.4.1) Verify that a generic message is shown when an unexpected or security-sensitive error occurs, potentially with a unique ID which support personnel can use to investigate.

  13. OWASP-ASVS v4.0.1 V14.3 Unintended Security Disclosure Requirements. (14.3.2) Verify that web or application server and application framework debug modes are disabled in production to eliminate debug features, developer consoles, and unintended security disclosures.

  14. PCI DSS v3.2.1 - Requirement 6.5.5. Address common coding vulnerabilities in software-development processes, such as improper error handling.

Copyright © 2020 Fluid Attacks, We hack your software. All rights reserved.