The designer will ensure the application does not contain source code that is never invoked during operation, except for software components and libraries from approved third-party products.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-6149	APP3050	SV-6149r1_rule	DCSQ-1	Medium

Description
Unused libraries increase a program size without any benefits. and may expose an enclave to possible malware. They can be used by a worm as program space, and increase the risk of a buffer overflow attack. As code evaluations are performed, to identify potential vulnerabilities or to identify security enhancements, unused code will not be evaluated and therefore, adds additional unknown risk.

STIG	Date
Application Security and Development Checklist	2014-12-22

Details

Check Text ( C-2961r1_chk )
Ask the application representative if there is a documented process to remove code when it is no longer executed. Also ask if there is a documented process to ensure unnecessary code is not included into a release. If the application is a COTS/GOTS product or is composed of only COTS/GOTS products with no custom code, this check does not apply unless the application is being reviewed by or in conjunction with the COTS/GOTS vendor in which case this check is applicable. The process may include the following: · Source code analysis tools · Development environments that indicate unused source code · Compiler options that detect unreachable code For a web-based application, conduct a spot check of the code directory (e.g., .html, .asp, .jsp, and .php files), sampling at least four files, and ensure the code is executed for the application. If a documented process is not in place, check at least 10 pieces of code. Search for possible 'include files' and scripts. Determine if the 'include files' and scripts exist. Examples of 'include files' and scripts: jsp <%@ include file="include.jsp" %> php asp js 1) If 'include files' and scripts do not exist, it is a finding. 2) If other code is found that is not being used, this is a finding. Document the name of the file containing the offending code in the finding details. For Visual Basic or C/C++ and other applications verify that a documented process is in place to prevent unused source code from being introduced into the application. Verify the process by source code analysis tools results, development environment tools, compiler options or the mechanism documented by process that enforces unused source from being introduced into the application. 3) If the application representative does not have a documented policy or there is no evidence that mechanisms are in place to prevent the introduction of unused code into the application, this is a finding.

Check Text ( C-2961r1_chk )

Ask the application representative if there is a documented process to remove code when it is no longer executed. Also ask if there is a documented process to ensure unnecessary code is not included into a release.

If the application is a COTS/GOTS product or is composed of only COTS/GOTS products with no custom code, this check does not apply unless the application is being reviewed by or in conjunction with the COTS/GOTS vendor in which case this check is applicable.

The process may include the following:
· Source code analysis tools
· Development environments that indicate unused source code
· Compiler options that detect unreachable code

For a web-based application, conduct a spot check of the code directory (e.g., .html, .asp, .jsp, and .php files), sampling at least four files, and ensure the code is executed for the application. If a documented process is not in place, check at least 10 pieces of code. Search for possible 'include files' and scripts. Determine if the 'include files' and scripts exist.

Examples of 'include files' and scripts:

jsp
<%@ include file="include.jsp" %>

php

asp

js

1) If 'include files' and scripts do not exist, it is a finding.

2) If other code is found that is not being used, this is a finding.

Document the name of the file containing the offending code in the finding details.

For Visual Basic or C/C++ and other applications verify that a documented process is in place to prevent unused source code from being introduced into the application. Verify the process by source code analysis tools results, development environment tools, compiler options or the mechanism documented by process that enforces unused source from being introduced into the application.

3) If the application representative does not have a documented policy or there is no evidence that mechanisms are in place to prevent the introduction of unused code into the application, this is a finding.

Fix Text (F-16987r1_fix)
Establish a formal process is in place to remove unnecessary software and libraries.