Test 1

Test Case: BIS-2.6.1 Test Name: TC_AUDIT_CODE_FOR_HARDCODED_CREDENTIALS_RECOMMENDED


Objective:

Conduct an independent secure code review (automated plus manual) using a licensed static analysis tool to detect hardcoded credentials (usernames, passwords, API tokens, private keys) or backdoor access logic in the firmware. The activity is performed at the evaluation agency's premises on the source code and binaries supplied by the vendor.


Tools Used:

  • Licensed Static Analysis Tool (e.g., Fortify SCA, Coverity, Checkmarx, or equivalent)

  • Manual Code Review Techniques


Test Execution Steps:

  1. The vendor visits the evaluation agency with the complete firmware source code and binaries.

  2. The evaluation agency installs and configures their licensed static analysis tool.

  3. A full automated scan is executed over the source tree and the supplied binaries to identify string literals and constants that look like credentials (usernames, passwords, API tokens, keys, certificates), including encoded forms such as base64 or hex constants.

  4. A manual code review is performed on authentication modules, configuration files, and network stack components to verify the absence of obfuscated or indirect hardcoded credentials (for example, credentials assembled at runtime, XOR- or base64-decoded constants, or logins reachable only through debug or maintenance code paths). Every automated finding is triaged manually, and a clean automated scan on its own is not treated as sufficient evidence.
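The following is an added illustration, not part of the original test case or of any evaluation agency's tooling, of the kind of check steps 3 and 4 describe: a small scanner that flags credential-like assignments, authentication compares against string literals, base64 constants that decode to credentials, and high-entropy literals for manual follow-up. The file contents, file names and rule names are constructed for this example; a licensed tool would apply far more rules and language-aware parsing, so this only shows the shape of the detection and its triage output.

```python
"""Constructed example: scan source and config text for hardcoded credentials.

Covers the automated pass (step 3) and the encoded-constant check of the
manual review (step 4). All sample files below are made up for this example.
"""
import base64
import math
import re
from typing import Dict, List, Optional

# Assumed sample inputs, constructed for this example; not real firmware.
SAMPLE_FILES: Dict[str, str] = {
    "auth.c": (
        'int check_login(const char *user, const char *pw) {\n'
        '    if (strcmp(user, "admin") == 0 && strcmp(pw, "Sup3rS3cret!") == 0)\n'
        '        return 1;\n'
        '    return verify_against_db(user, pw);\n'
        '}\n'
    ),
    "config.ini": "listen_port = 8443\napi_token = sk_live_0123456789abcdefABCDEF\n",
    "netstack.c": (
        '/* maintenance access */\n'
        'static const char *MAINT = "YmFja2Rvb3I6bGV0bWVpbjEyMw==";\n'
        'static const char *PSK = "tR7!pQ2$mX9@kL4#vB6%nH8&wJ1*zC3^";\n'
    ),
    "clean.c": 'const char *BANNER = "Device ready";\nint add(int a, int b) { return a + b; }\n',
}

# Rule 1: a credential-like key (password, secret, token, api_key, ...) assigned a literal.
KEY_ASSIGN = re.compile(
    r'(\w*(?:pass(?:word|wd)?|pwd|secret|token|api[_-]?key)\w*)\s*[=:]\s*["\']?([^\s"\';,]+)',
    re.IGNORECASE,
)
# Rule 2: an authentication compare of a user/password variable against a string literal.
LITERAL_COMPARE = re.compile(
    r'\b(?:strcmp|strncmp|memcmp)\s*\(\s*(\w*(?:user|pass|pw|pin)\w*)\s*,\s*"([^"]+)"',
    re.IGNORECASE,
)
# Rule 3: every C-style string literal; long ones are checked for hidden or random content.
STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')
CRED_WORDS = re.compile(r'(pass|pwd|secret|token|key|backdoor|admin|root)', re.IGNORECASE)
B64 = re.compile(r'^[A-Za-z0-9+/]{16,}={0,2}$')


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking tokens and keys score high."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def decode_if_credential(literal: str) -> Optional[str]:
    """Return decoded text if `literal` is base64 hiding a user:pass pair or credential word."""
    if not B64.match(literal):
        return None
    try:
        decoded = base64.b64decode(literal, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    if decoded.isprintable() and (":" in decoded or CRED_WORDS.search(decoded)):
        return decoded
    return None


def scan_file(name: str, text: str) -> List[dict]:
    """Apply all rules line by line; each finding carries file, line, rule and value for triage."""
    findings: List[dict] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in KEY_ASSIGN.finditer(line):
            findings.append(dict(file=name, line=lineno, rule="key-assign", value=m.group(2)))
        for m in LITERAL_COMPARE.finditer(line):
            findings.append(dict(file=name, line=lineno, rule="literal-compare", value=m.group(2)))
        for m in STRING_LITERAL.finditer(line):
            lit = m.group(1)
            if len(lit) < 16:          # short banners and messages are not worth reviewer time
                continue
            decoded = decode_if_credential(lit)
            if decoded is not None:
                findings.append(dict(file=name, line=lineno, rule="base64-credential", value=decoded))
            elif shannon_entropy(lit) > 4.0 and len(lit) >= 24:
                findings.append(dict(file=name, line=lineno, rule="high-entropy", value=lit))
    return findings


def scan_tree(files: Dict[str, str]) -> List[dict]:
    """Scan every file in a (constructed) source tree in a stable order."""
    out: List[dict] = []
    for name, text in sorted(files.items()):
        out.extend(scan_file(name, text))
    return out


if __name__ == "__main__":
    for f in scan_tree(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']} [{f['rule']}] {f['value']}")
```

Every hit is a candidate for the manual review in step 4, not a verdict: the `literal-compare` and `base64-credential` rules are the ones that would fail this test case outright, while `high-entropy` hits need a reviewer to decide whether the constant is a key, a test vector, or harmless data.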


Expected Results for Pass:

  • The automated scan shows no instances of hardcoded usernames, passwords, API tokens, keys, or backdoor credentials in the firmware source or binaries, and every automated finding has been triaged and shown to be a false positive.

  • The manual review confirms the automated findings and ensures no hidden credential logic is embedded in unreachable branches, debug or maintenance paths, or encoded or encrypted constants.


Test Observations:

(To be filled based on review results, e.g., “No hardcoded credentials were identified in any part of the source code or binary scan results.”)


Evidence Provided:

  • Static analysis scan reports

  • Manual review checklist

  • Screenshots of scan outputs

  • Vendor declaration of compliance


Test Case Result:

[To be marked as PASS or FAIL based on actual outcome]

