
Preventive File Analysis measure (Harden) #44

Closed
ioggstream opened this issue May 19, 2022 · 2 comments

@ioggstream (Contributor)

I expect

  • a preventive File Analysis technique under Harden
  • we need to identify the relations between Subroutine, SourceFile and Library

Notes

Since SoftwareUpdate < PlatformHardening it might not apply to SDLC.

Specific techniques based on preventive file analysis:

  1. HardcodedCredentialElimination: the elimination from code of credentials (CWE-798) and security relevant constants (CWE-547)

     I want to Harden an Application and SourceCode via HardcodedCredentialElimination

  2. SensitiveInformationElimination: the elimination of sensitive information before storage or transfer (e.g. on a repo) (CWE-212). This applies to SourceCode, File, ...

  3. DeadCodeElimination: see CWE-561. DC < CWE-1164 < CWE-710 <

  4. ContractFirstDesign: see CWE-1068 < CWE-710. Ensures that WebServerApplication have a consistent design

     I want to Harden WebServerApplication using ContractFirstDesign

  5. ImageCodeSegmentVerification: see CWE-1357 Reliance on uncontrolled components built externally (e.g. jar files)

     I want to Harden an ImageCodeSegment using ImageCodeSegmentVerification

Other CWE

CWE-1078 Inappropriate code style includes various elements, but I don't know how to categorize it. Dead code elimination (aka [CWE-561](https://cwe.mitre.org/data/definitions/561.html)) is probably related e.g. to CWE-710
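
What the first technique in the list above (HardcodedCredentialElimination, CWE-798) looks like as an actual preventive file-analysis check, added here as an example; it is not code from the D3FEND project or from the issue author. It scans source text line by line for three signals (an identifier whose name says "credential", a value in a recognisable key format, a long high-entropy literal), skips template placeholders and runtime environment lookups, and rewrites the assignments it can fix to `os.environ` reads. The rule names, regexes, entropy threshold and the `SAMPLE` file are constructed for illustration; only the AWS value is a real (documentation example) key format.

```python
"""Preventive file analysis for hardcoded credentials (CWE-798).

Added example, not part of the D3FEND project. Patterns, thresholds and
the SAMPLE input are illustrative assumptions.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    cwe: str
    name: Optional[str]  # assigned identifier; None for a literal inside a call
    excerpt: str


# `NAME = "literal"` (optional type annotation): the only form we can rewrite.
ASSIGN = re.compile(
    r'^\s*(?P<name>[A-Za-z_]\w*)\s*(?::\s*\w+\s*)?=\s*["\'](?P<value>[^"\']*)["\']'
)
# Identifiers whose name alone says the value is a credential.
SECRET_NAME = re.compile(
    r"(?i)(password|passwd|pwd|secret|api_?key|access_?key|private_key|token)"
)
# Credential formats recognisable from the value, anywhere on the line.
KNOWN_FORMATS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
# Template markers and dummy values that are not real credentials.
PLACEHOLDER = re.compile(r"^(\$\{[^}]*\}|<[^>]*>|changeme|todo|x{3,}|\*+)$", re.I)
MIN_ENTROPY_LEN = 20     # shorter literals are too noisy to judge by entropy
ENTROPY_THRESHOLD = 4.0  # bits/char: prose stays below, random tokens go above


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def classify_line(line_no: int, line: str) -> Optional[Finding]:
    """Return a Finding for this line, or None if it looks clean."""
    if "environ" in line or "getenv" in line:
        return None  # runtime lookup is the remediated form, never flag it
    m = ASSIGN.match(line)
    name = m.group("name") if m else None
    for rule, pat in KNOWN_FORMATS.items():
        if pat.search(line):
            return Finding(line_no, rule, "CWE-798", name, line.strip())
    if not m:
        return None
    value = m.group("value")
    if not value or PLACEHOLDER.match(value):
        return None
    if SECRET_NAME.search(name):
        return Finding(line_no, "secret-identifier", "CWE-798", name, line.strip())
    if (len(value) >= MIN_ENTROPY_LEN and " " not in value
            and shannon_entropy(value) > ENTROPY_THRESHOLD):
        return Finding(line_no, "high-entropy-literal", "CWE-798", name, line.strip())
    return None


def scan(source: str) -> List[Finding]:
    """Preventive check: run before the file is committed or packaged."""
    return [f for i, l in enumerate(source.splitlines(), 1) if (f := classify_line(i, l))]


def eliminate(source: str) -> Tuple[str, List[Finding]]:
    """Rewrite flagged `NAME = "..."` lines to `NAME = os.environ["NAME"]`.

    Literals passed straight into a call are reported but left for a hand
    edit. The caller must make sure the file imports os.
    """
    out, findings = [], []
    for i, line in enumerate(source.splitlines(), 1):
        f = classify_line(i, line)
        if f:
            findings.append(f)
            if f.name:
                indent = line[: len(line) - len(line.lstrip())]
                line = f'{indent}{f.name} = os.environ["{f.name}"]  # was hardcoded ({f.cwe})'
        out.append(line)
    return "\n".join(out) + "\n", findings


# Constructed sample source; the AWS value is AWS's own documentation example key.
SAMPLE = '''\
import os
DB_PASSWORD = "s3cr3t-hunter2"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
API_TOKEN = os.environ["API_TOKEN"]
DEBUG_PASSWORD = ""
greeting = "hello world"
SIGNING_SECRET = "${SIGNING_SECRET}"
SESSION_SALT = "x7Gq2Lm9vB4tRz8wKp0nJe3Y"
gh = Github("ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij")
'''

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line_no}: {f.cwe} [{f.rule}] {f.excerpt}")
    print(eliminate(SAMPLE)[0])
```

Running `scan(SAMPLE)` flags lines 2, 3, 8 and 9 and nothing else: the empty password, the `${...}` placeholder and the `os.environ` read are deliberately ignored, because a check that is meant to run on every commit has to be quiet on the remediated form. After `eliminate`, a rescan reports only the literal inside the `Github(...)` call, which is the case the rewrite does not attempt. The entropy rule is the weakest of the three; tune `ENTROPY_THRESHOLD` against your own code base before wiring this into a pre-commit hook.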

@netfl0 (Contributor)

netfl0 commented Feb 9, 2023

Yes, we'd call this something like Application Hardening (for the application binaries/distributed software)

We need a new section called Source Code Hardening (for the source code - still in control of developer)

CC @hack-sentinel

@netfl0 netfl0 modified the milestones: 0.12.0, 0.13.0 Feb 9, 2023
@netfl0 netfl0 modified the milestones: 0.13.0, 0.14.0 Nov 8, 2023
@netfl0 netfl0 modified the milestones: 0.14.0, 0.15.0 Feb 15, 2024
@netfl0 (Contributor)

netfl0 commented Apr 26, 2024

closing, tracking on #193

@netfl0 netfl0 closed this as completed Apr 26, 2024