Common run-time libraries
The programs and utilities marked with an asterisk (*) are not covered in this
section. Please refer to the appropriate Gazette section.
Compilers and their related utilities are resources whose security varies depending
on the Corporate Security Policy concerning compilation on secure systems. Many
sites control compilation by requiring that all compilation be performed on a
development system. Application change control policy governs the method and
security used to update the secure application.
Some sites do not use certain languages, but all sites use at least one language
compiler for the secure application. Language compilation controls are a fundamental
method that companies can use to control their application.
RISK Compilers can be destructive because code can be inserted or deleted to
circumvent previously implemented controls.
RISK Language compilers might be used to develop test or hacking programs
to access sensitive data.
AP-ADVICE-COMPS-01 On secure systems, languages that are not in active
use should be secured from use and other language compilers should be
accessible only to necessary personnel.
On secure systems, only members of the group (if any) responsible for compiling
programs on the secure system should have access to secure object files.
AP-ADVICE-COMPS-02 To protect applications from inadvertent or
malicious changes or outages, compilers and related utilities should be absent or very
tightly locked down on secure systems.
AP-ADVICE-COMPS-03 To prevent unauthorized access to secure data,
compilers should not be accessible on secure systems.
On development systems, members of the development group responsible for
compiling programs should have access according to need.
AP-ADVICE-COMPS-04 Compilers and their associated files should be
accessible to the groups needing access.
Securing Compiler Components
Access to the C language components is required for compilation. Securing the
compiler object file controls the use of the language.