Young hacker smiling

We hack your software

zero false positives

Expert intelligence + Specialized technology
DXST - SAST - IAST - SCA - DevSecOps
White Box - Gray Box - Black Box
Attacking Web Applications, APIs, Mobile Apps
Client-Server, Servers, Networks, IoT Devices
ICS: Industrial Control System

REQ.161 Define secure default options

This document contains the details of the security requirements related to the definition and management of source code in the organization. This requirement establishes the importance of defining secure default options in order to avoid unexpected behaviors in the application.

Requirement

Source code must define secure default options ensuring secure failures in the application. (try, catch/except; default en switches)

Description

The organization must ensure that its own systems and those of third parties are safe and fully comply with the functions for which they were implemented. For this, baselines must be implemented from the design and development phase to avoid bad practices in the development cycles, e.g the use of conditional without default option, which can cause unexpected behavior in the system.

The source code in the system is safer when good programming practices are implemented since the development stage ensuring the portability and maintenance of the application. If a system is difficult to maintain it will probably exist vulnerabilities within the source code.

Implementation

  1. Definition of baselines since design/architecture stages in order to guarantee the implementation of good programming practices in the source code development.

  2. In the development lifecycle there must be a responsible for the product review from the source code to the system behavior in order to avoid unexpected behaviors in final stage of the implementation.

  3. Quality code and source code vulnerabilities scanners: They are tools that using lexical and syntactical analyzers perform code revision, processes it, suggest improvements and highlight possible vulnerabilities in the development stage. Using this kind of tools during the development process helps to improve code performance, detect logic excessively complex and simulate security issues that allows the developer to validate and discard false positives.

Attacks

  1. Lead to unexpected behaviors in the application.

  2. Leak sensitive information from unexpected errors.

Attributes

  • Layer: Application Layer

  • Asset: Source Code

  • Scope: Matureness

  • Phase: Building

  • Type of Control: Recommendation


Service status - Terms of Use