Kingdom: Environment

This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms.

Insecure Deployment: Malicious Application

Abstract
The presence of a malicious application might indicate that an attacker installed a backdoor that could render all of the application's security controls ineffective.
Explanation
Attackers frequently install backdoors in the form of a PHP shell, which they use to execute commands on the underlying operating system with at least the permissions of the web server. This means that attackers can modify or read any file that the web server is capable of reading. In the worst case, the attacker can install malware and take over the server machine. The presence of such a program could indicate either a successful compromise of the application or an insider threat.
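One way to detect a planted or altered file is to compare the deployed web root against a manifest built from the trusted release. The following is an added example, not part of the original page; the function names, file paths and file contents are hypothetical and the sample web root is constructed inside the block.

```python
import hashlib
import os
import tempfile

def fingerprint(path):
    """SHA-256 of a regular file; symlinks are recorded by target, not followed."""
    if os.path.islink(path):
        return "symlink:" + os.readlink(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(root):
    """Map every file under root (POSIX-style relative path) to its fingerprint."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = fingerprint(full)
    return manifest

def audit_webroot(root, manifest):
    """Return (unexpected, modified, missing) paths relative to the trusted manifest."""
    current = build_manifest(root)
    unexpected = sorted(p for p in current if p not in manifest)
    modified = sorted(p for p in current if p in manifest and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    return unexpected, modified, missing

def demo():
    """Constructed sample: a two-file release, then one added and one altered file."""
    def write(root, rel, text):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(text)

    with tempfile.TemporaryDirectory() as root:
        write(root, "index.php", "<?php echo 'home';\n")
        write(root, "lib/util.php", "<?php function h($s) { return htmlspecialchars($s); }\n")
        trusted = build_manifest(root)  # assumption: in practice, built from the release artifact
        write(root, "uploads/avatar.php", "<?php /* constructed placeholder */\n")
        write(root, "index.php", "<?php echo 'home'; /* altered after release */\n")
        return audit_webroot(root, trusted)
```

Any path reported as unexpected or modified is a file the release process did not put there, which is the condition this finding describes; the manifest itself must be stored where the web server account cannot write to it.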
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 506
[2] Standards Mapping - FIPS200 SI
[3] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-3 Malicious Code Protection (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-3 Malicious Code Protection
[6] Standards Mapping - OWASP Application Security Verification Standard 4.0 10.2.3 Malicious Code Search (L3)
[7] Standards Mapping - OWASP Mobile 2024 M2 Inadequate Supply Chain Security
[8] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[9] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 5.1
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 5.1
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 5.1
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 5.1
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 5.2.1
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 5.2.1
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 10.2 - Threat and Vulnerability Management
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 10.2 - Threat and Vulnerability Management
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 10.2 - Threat and Vulnerability Management