R323. Exclude unverifiable files

Requirement

Binary files, and other file types that are usually not subject to a security audit, should not be stored in the source code repository.

Description

Binary files are usually larger than their source counterparts, which can eventually degrade a repository's performance. Changes to them are hard for version control tools to track and are meaningless to a reviewer. Furthermore, security audits of binary files are more complicated, or simply not performed, so they can conceal serious vulnerabilities such as backdoors, rootkits and exposed sensitive information.

Exceptions

  • Image files.
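One way to enforce this requirement mechanically, for instance as a pre-commit hook or CI step, is a scan that flags binary files in the working tree while honouring the image-file exception above. The script below is an added example and is not Fluid Attacks' own tooling; the binary-detection heuristic (a NUL byte, or a high share of non-text bytes, in the leading sample), the image extension allow-list and the constructed sample tree are assumptions made for illustration.

```python
"""R323 gate: report binary (unverifiable) files committed to a repository.

Added example, not the page's or Fluid Attacks' code. The heuristic, the
allow-list and the sample fixture below are assumptions for illustration.
"""
from __future__ import annotations

import os
import tempfile
from pathlib import Path

# R323 exception: image files are allowed. The extension set is an assumption.
ALLOWED_IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".svg", ".webp", ".ico"}

# Bytes acceptable in text: printable ASCII, common control/whitespace bytes,
# and everything >= 0x80 (UTF-8 lead and continuation bytes).
_TEXT_BYTES = (
    set(range(0x20, 0x7F))
    | {0x08, 0x09, 0x0A, 0x0C, 0x0D, 0x1B}
    | set(range(0x80, 0x100))
)
_SAMPLE_SIZE = 8192  # only the leading 8 KiB is inspected, as git does


def is_binary(data: bytes) -> bool:
    """True if the sample contains a NUL byte or more than 30% non-text bytes."""
    sample = data[:_SAMPLE_SIZE]
    if not sample:
        return False  # empty files are trivially reviewable
    if b"\x00" in sample:
        return True
    non_text = sum(1 for b in sample if b not in _TEXT_BYTES)
    return non_text / len(sample) > 0.30


def is_allowed_exception(path) -> bool:
    """Image files are exempt from the requirement (case-insensitive suffix)."""
    return Path(path).suffix.lower() in ALLOWED_IMAGE_EXTENSIONS


def find_unverifiable_files(root, skip_dirs=(".git",)) -> list[str]:
    """Walk the tree and return sorted, root-relative paths that violate R323."""
    root = Path(root)
    violations: list[str] = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune version-control metadata; it is not reviewed content.
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            path = Path(dirpath) / name
            if is_allowed_exception(path):
                continue
            with open(path, "rb") as fh:
                if is_binary(fh.read(_SAMPLE_SIZE)):
                    violations.append(path.relative_to(root).as_posix())
    return sorted(violations)


def build_sample_repo(root) -> None:
    """Constructed fixture: two text sources, one allowed image, and two
    binaries (a fake ELF executable and a fake jar) that must be flagged."""
    root = Path(root)
    (root / "src").mkdir(parents=True, exist_ok=True)
    (root / "assets").mkdir(exist_ok=True)
    (root / "lib").mkdir(exist_ok=True)
    (root / "src" / "app.py").write_text("print('hello')\n", encoding="utf-8")
    (root / "README.md").write_text("# demo\n\nplain text\n", encoding="utf-8")
    (root / "assets" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + bytes(64))
    (root / "vendor-tool").write_bytes(b"\x7fELF\x02\x01\x01" + bytes(128))
    (root / "lib" / "helper.jar").write_bytes(b"PK\x03\x04" + bytes(range(256)) * 4)


def run_demo() -> list[str]:
    """Build the constructed fixture in a temp dir and return its violations."""
    tmp = tempfile.mkdtemp(prefix="r323-")
    build_sample_repo(tmp)
    return find_unverifiable_files(tmp)


if __name__ == "__main__":
    import sys

    # Scan the directory given on the command line, or the constructed fixture.
    found = find_unverifiable_files(sys.argv[1]) if len(sys.argv) > 1 else run_demo()
    for rel in found:
        print(f"R323 violation: unverifiable binary file {rel}")
    sys.exit(1 if found else 0)
```

Run as `python r323_gate.py .` in CI; a non-zero exit blocks the merge. Files such as lock files or minified assets pass the text heuristic, so they still need to be covered by review rather than by this gate.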

References

  1. CWE-510: Trapdoor. A trapdoor is a hidden piece of code that responds to a special input, allowing its user access to resources without passing through the normal security enforcement mechanism.

  2. OWASP-ASVS v4.0.1 V10.2 Malicious Code Search. (10.2.3) Verify that the application source code and third party libraries do not contain backdoors, such as hard-coded or additional undocumented accounts or keys, code obfuscation, undocumented binary blobs, rootkits, or anti-debugging, insecure debugging features, or otherwise out of date, insecure, or hidden functionality that could be used maliciously if discovered.

Copyright © 2020 Fluid Attacks, We hack your software. All rights reserved.
