The application must not be subject to error handling vulnerabilities.

From Application Security and Development Security Technical Implementation Guide

Part of ASDV-PL-003235

Associated with: CCI-003272

SV-85013r1_rule The application must not be subject to error handling vulnerabilities.

Vulnerability discussion

Error handling is the failure to check the return values of functions or catch top level exceptions within a program. Improper error handling in an application can lead to an application failure or possibly result in the application entering an insecure state. The primary way to detect error handling vulnerabilities is to perform code reviews. If a manual code review cannot be performed, static code analysis tools should be employed in conjunction with tests to help force the error conditions by specifying invalid input (such as fuzzed data and malformed filenames) and by using different accounts to run the application. These tests may give indications of vulnerability, but they are not comprehensive.In order to minimize error handling errors, ensure proper return code and exception handling is implemented throughout the application.

Check content

Review the application documentation, code review reports and the results from static code analysis tools. Identify the most recent security scans and code analysis testing conducted. Verify testing configuration includes tests for error handling issues. Check test results for identified error handling vulnerabilities within the application. If the test results indicate the existence of error handling vulnerabilities and no remediation evidence is presented, this is a finding. If no test results are available for review, this is a finding.

Fix text

Ensure proper return code and exception handling is implemented throughout the application.

Pro Tips

Powered by sagemincer