Challenge to ASVS Item 10.2.3: Scope and Consistency Concerns

[ImanSharaf]

Current Item Text

10.2.3: "Verify that the application source code and third party libraries do not contain back doors, such as hard-coded or additional undocumented accounts or keys, code obfuscation, undocumented binary blobs, rootkits, or anti-debugging, insecure debugging features, or otherwise out of date, insecure, or hidden functionality that could be used maliciously if discovered."

Scope Inconsistency: Desktop vs. Web Applications

• Reference: ASVS Issue #803
• Concern: ASVS is presumed not to cover desktop applications, yet item 10.2.3 mentions rootkits, which are typically associated with desktop/system-level malware.
• Question: Should references to system-level threats like rootkits be removed to maintain consistency with ASVS's web application focus?

Also, I believe based on the same logic we should remove 14.1.2, as C and C++ are not common languages for web app development.

Furthermore, I believe the final production-ready artifact for any web app should be obfuscated and protected against reverse engineering.

[elarlang]

related: #1468

Furthermore, I believe the final production-ready artifact for any web app should be obfuscated and protected against reverse engineering.

Personally I don't share that view.

[ImanSharaf]

Security through obscurity: While not a complete security solution, obfuscation can add an extra layer of difficulty for potential attackers trying to understand the code.

[ImanSharaf]

@elarlang what about removing 14.1.2 and modifying 10.2.3 to exclude system level keywords?