Code Quality / Broken Functionality

Description

Broken Functionality refers to functionality that is incomplete, incorrectly implemented, or only partially removed, and that may be relevant to the security of the system.
For example, a broken password reset or login-related functionality may have an impact on the confidentiality, integrity or availability of the system.
Additionally, this type of finding documents the state of the application at the time of the assessment.

Risk

The risk associated with a broken functionality depends on the type of functionality involved and on how far it falls short of its intended behaviour. However, a broken functionality often indicates parts of the application that are unfinished or not properly maintained, and is therefore associated with a certain technical debt.

Solution

To mitigate this issue, incomplete functionality should not be active in a production build. This can be prevented, for example, by developing functionality in a separate branch and only merging it once it is ready to be deployed, or by using feature toggles in the code that prevent newly developed functionality from being executed until it is explicitly enabled. Additionally, active functionality should be covered by automated unit and integration tests that run regularly, so that regressions are detected before they reach production. Features that are no longer used, needed or maintained should be removed from the code completely, and as soon as possible, so that they cannot interfere with the system, increase the attack surface or weaken its security.
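The feature-toggle approach described above, as an added example that is not part of the original page or of any particular product: a small, hypothetical feature registry in which every feature that is not production-ready is off by default, a request dispatcher that returns 404 for routes whose toggle is disabled, and a check that can run in CI or at startup to reject a production configuration that enables unfinished features. The feature names, environment variable names and routes are assumptions made for this example.

```python
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Feature:
    name: str
    production_ready: bool
    default: bool  # must be False for anything that is not production_ready


# Hypothetical feature registry (assumption for this example).
# Unfinished features are registered with default=False so they are
# inactive unless an operator explicitly enables them.
FEATURES = {
    "login": Feature("login", production_ready=True, default=True),
    "password_reset_v2": Feature("password_reset_v2", production_ready=False, default=False),
}


def is_enabled(name, env=None):
    """Return True if the named feature toggle is on.

    The toggle can be overridden via FEATURE_<NAME> in the environment;
    unknown features fail closed.
    """
    env = os.environ if env is None else env
    feature = FEATURES.get(name)
    if feature is None:
        return False
    raw = env.get("FEATURE_" + name.upper())
    if raw is None:
        return feature.default
    return raw.strip().lower() in ("1", "true", "on", "yes")


def handle(path, env=None):
    """Minimal dispatcher modelling a web application's routing.

    Routes behind a disabled toggle are indistinguishable from routes that
    do not exist, so half-finished endpoints are not reachable in production.
    """
    routes = {
        "/login": ("login", "login form"),
        "/reset-password/v2": ("password_reset_v2", "new password reset flow"),
    }
    entry = routes.get(path)
    if entry is None:
        return 404, "Not Found"
    feature, body = entry
    if not is_enabled(feature, env):
        return 404, "Not Found"
    return 200, body


def production_violations(env=None):
    """List features that must not be active in production but are.

    Intended to run as a CI check or at application startup; a non-empty
    result should fail the build or abort startup.
    """
    env = os.environ if env is None else env
    if env.get("APP_ENV", "").lower() != "production":
        return []
    return sorted(
        f.name
        for f in FEATURES.values()
        if not f.production_ready and (f.default or is_enabled(f.name, env))
    )


if __name__ == "__main__":
    # Constructed environments for demonstration.
    prod = {"APP_ENV": "production"}
    bad_prod = {"APP_ENV": "production", "FEATURE_PASSWORD_RESET_V2": "1"}
    print(handle("/reset-password/v2", prod))      # (404, 'Not Found')
    print(handle("/reset-password/v2", bad_prod))  # (200, 'new password reset flow')
    print(production_violations(bad_prod))         # ['password_reset_v2']
```

Marking a feature as not production-ready in the registry is what makes the check enforceable: the registry, not an operator's memory, is the source of truth for which toggles may be on in production, and the same `is_enabled` gate is used by the dispatcher and by the check, so the two cannot drift apart.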
