Kingdom: Environment
This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms.
Insecure Deployment: Java Applet
Abstract
Use of Java applets could lead to sensitive information disclosure.
Explanation
Programmer's often entrust the applet code with sensitive information without realizing that applets can be easily decompiled and can expose any sensitive data hardcoded in the code. An attacker could decompile the applet and gain access to confidential information, including any hard-coded passwords and keys, within the applet. Java applets pose various risks including:
- Intellectual property theft
- Understanding of the security controls used implemented by the application
- Extraction of confidential information, such as hard-coded passwords and keys
- Malicious alterations to the code with the purpose of compromising unsuspecting application users
- Intellectual property theft
- Understanding of the security controls used implemented by the application
- Extraction of confidential information, such as hard-coded passwords and keys
- Malicious alterations to the code with the purpose of compromising unsuspecting application users
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - Common Weakness Enumeration CWE ID 200
[6] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[7] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[8] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[9] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[10] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[11] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[12] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.4 Sensitive Private Data (L1 L2 L3)
[14] Standards Mapping - OWASP Mobile 2024 M2 Inadequate Supply Chain Security
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[18] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.dynamic.java.insecure_deployment_java_applet