Page 31 - The Malicious Code Section wording as a bit difficult to read, wordy #23
Comments
|
Hi there, We have completely re-vamped the malicious code section, replacing it with a single Level 3 control: "Verify that a code review looks for malicious code, back doors, easter eggs, and logic flaws." I hope this covers off your feedback, as we also felt that the section was pretty dire and unreviewable. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Page 31 - The Malicious Code Section wording as a bit difficult to read, wordy
We should try to use positive wording
Examples:
V13.1 Verify that no malicious code is in any code that was either developed or modified in order to create the application.
V13.3 Verify that all code implementing or using authentication controls is not affected by any malicious code.
V13.6 Verify that all input validation controls are not affected by any malicious code.
V13.7 Verify that all code implementing or using output validation controls is not affected by any malicious code.
Possible Solutions:
13.1 Verify that the code used to develop or create the application is free of malicious code.
13.3 Verify that malicious code cannot affect code that implements or uses authentication controls
13.6 Verify that malicious code cannot affect input validation controls.
13.7 Verify that malicious code cannot affect code that implements or uses output validation controls.
“Affect” may be changed to, “interact with” or “impact”
The text was updated successfully, but these errors were encountered: