R158. Use a secure programming language

Requirement

System source code must be implemented in a version of the chosen programming language that is stable, up to date, tested, and free of known vulnerabilities.

References

  1. CAPEC-8: Buffer Overflow in an API Call. This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An attacker who has access to an API may try to embed malicious code in the API function call and exploit a buffer overflow vulnerability in the function’s implementation.

  2. CAPEC-9: Buffer Overflow in Local Command-Line Utilities. This attack targets command-line utilities available in a number of shells. An attacker can leverage a vulnerability found in a command-line utility to escalate privilege to root.

  3. CAPEC-10: Buffer Overflow via Environment Variables. This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers.

  4. CWE-120: Classic Buffer Overflow. The program copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.

  5. OWASP Top 10 A9:2017-Using Components with Known Vulnerabilities. Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.

  6. OWASP-ASVS v4.0.1 Appendix C: Internet of Things Verification Requirements. (C.11) Verify that any use of banned C functions are replaced with the appropriate safe equivalent functions.

  7. OWASP-ASVS v4.0.1 V5.4 Memory, String, and Unmanaged Code Requirements. (5.4.1) Verify that the application uses memory-safe string, safer memory copy and pointer arithmetic to detect or prevent stack, buffer, or heap overflows.

  8. OWASP-ASVS v4.0.1 V14.2 Dependency. (14.2.1) Verify that all components are up to date, preferably using a dependency checker during build or compile time.

  9. OWASP-ASVS v4.0.1 V14.2 Dependency. (14.2.4) Verify that third party components come from pre-defined, trusted and continually maintained repositories.

  10. PCI DSS v3.2.1 - Requirement 6.2: Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches.
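As an added illustration of the CWE-120 pattern in reference 4 and the "safe equivalent" and "safer memory copy" requirements in references 6 and 7 (example code written for this page, not Fluid Attacks' own), the classic unbounded copy sits beside a bounded copy that rejects, rather than silently truncates, input that does not fit. NAME_MAX and the function names are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* assumed fixed field size */

/* CWE-120: the size of dst is never compared with the length of src,
 * so any src longer than NAME_MAX - 1 bytes writes past the end of dst.
 * strcpy is one of the banned C functions referred to in ASVS C.11. */
void copy_name_unsafe(char dst[NAME_MAX], const char *src)
{
    strcpy(dst, src);
}

/* Hardened form (ASVS 5.4.1): the caller passes the real size of dst,
 * the source length is measured without reading past dst_size bytes,
 * and an overlong source is refused with dst left in a defined state.
 * Returns 0 on success, -1 on bad arguments or input that does not fit. */
int copy_name_safe(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;

    size_t len = 0;                    /* bounded strlen: stops at dst_size */
    while (len < dst_size && src[len] != '\0')
        len++;

    if (len == dst_size) {             /* no room for the NUL terminator */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);         /* copy including the terminator */
    return 0;
}

int main(void)
{
    char name[NAME_MAX];
    const char *ok = "alice";                                 /* constructed */
    const char *too_long = "a-name-that-does-not-fit-in-16-bytes";

    copy_name_unsafe(name, ok);        /* fine only because ok is short */
    printf("unsafe: %s\n", name);
    printf("safe ok: %d (%s)\n", copy_name_safe(name, sizeof name, ok), name);
    printf("safe too_long: %d\n", copy_name_safe(name, sizeof name, too_long));
    return 0;
}
```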

Copyright © 2020 Fluid Attacks, We hack your software. All rights reserved.
