Incomplete Documentation of Program Execution

Status: Incomplete
Abstraction: Base
Structure: Simple
Description

This weakness occurs when a system's documentation fails to completely list all the ways its behavior can be controlled or changed during execution.

Extended Description

For developers and administrators, incomplete documentation creates hidden risks. Without a full list of control mechanisms, you might miss critical security settings, deploy the software incorrectly, or be unable to reproduce or debug issues. This gap turns routine configuration and troubleshooting into a guessing game, potentially leading to insecure defaults, operational failures, or unintended exposure. Common undocumented controls include environment variables, configuration files, registry keys, command-line arguments, and system-level settings. Attackers can exploit these hidden knobs to bypass security, escalate privileges, or cause instability. Thorough documentation of all execution controls is therefore a foundational security practice, not just a convenience.
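One practical mitigation is to treat documentation coverage as a checkable property: scan the source for every execution control it reads and diff that set against what the documentation lists. The script below is an added example, not part of this entry; it scans for three of the control types named above (environment variables, command-line flags and config-file keys) using constructed sample source and a constructed documentation fragment for a hypothetical service, and reports any control the docs do not mention.

```python
"""Documentation-coverage check for execution controls.

Added example (not from the CWE entry).  The source text, documentation
fragment, SVC_* variable names and flag names below are all constructed
for illustration.  The scanner is regex-based and deliberately simple;
a production version would walk the AST of each language it supports.
"""
from __future__ import annotations
import re

# Constructed source of a hypothetical service that reads several controls.
SAMPLE_SOURCE = r'''
import os, argparse, configparser

parser = argparse.ArgumentParser()
parser.add_argument("--listen", default="127.0.0.1")
parser.add_argument("--skip-auth", action="store_true")   # not in the docs
args = parser.parse_args()

debug = os.environ.get("SVC_DEBUG")
trust_proxy = os.getenv("SVC_TRUST_PROXY", "0")           # not in the docs
cfg = configparser.ConfigParser()
cfg.read(os.environ["SVC_CONFIG"])
tls_verify = cfg.getboolean("tls", "verify", fallback=True)
'''

# Constructed documentation fragment: one control per line, name first.
SAMPLE_DOCS = """
Configuration
  --listen ADDR        address to bind
  SVC_DEBUG            enable verbose logging
  SVC_CONFIG           path to the config file
  [tls] verify         verify upstream certificates
"""

# os.environ.get("X"), os.getenv("X"), os.environ["X"]
ENV_RE = re.compile(r'os\.(?:environ\.get|getenv|environ)\s*[\(\[]\s*["\']([A-Z0-9_]+)["\']')
# parser.add_argument("--flag", ...)
FLAG_RE = re.compile(r'add_argument\(\s*["\'](--[\w-]+)["\']')
# cfg.get("section", "key") and the typed variants getboolean/getint/getfloat
CFG_RE = re.compile(r'\.get(?:boolean|int|float)?\(\s*["\'](\w+)["\']\s*,\s*["\'](\w+)["\']')


def extract_controls(source: str) -> set:
    """Return the set of execution controls the source reads, tagged by kind."""
    controls = {f"env:{name}" for name in ENV_RE.findall(source)}
    controls |= {f"flag:{flag}" for flag in FLAG_RE.findall(source)}
    controls |= {f"config:[{sec}] {key}" for sec, key in CFG_RE.findall(source)}
    return controls


def documented_controls(docs: str) -> set:
    """Parse the documentation fragment into the same tagged form."""
    documented = set()
    for line in docs.splitlines():
        parts = line.split()
        if not parts:
            continue
        token = parts[0]
        if token.startswith("--"):
            documented.add(f"flag:{token}")
        elif re.fullmatch(r"[A-Z][A-Z0-9_]+", token):
            documented.add(f"env:{token}")
        elif token.startswith("[") and token.endswith("]") and len(parts) > 1:
            documented.add(f"config:{token} {parts[1]}")
    return documented


def undocumented(source: str, docs: str) -> list:
    """Controls the program honours that the documentation never mentions."""
    return sorted(extract_controls(source) - documented_controls(docs))


def check(source: str, docs: str) -> int:
    """CI-style gate: print the gaps and return 1 if any control is undocumented."""
    missing = undocumented(source, docs)
    for item in missing:
        print(f"undocumented execution control: {item}")
    return 1 if missing else 0


if __name__ == "__main__":
    raise SystemExit(check(SAMPLE_SOURCE, SAMPLE_DOCS))
```

Run as a CI step, `check()` fails the build whenever a newly added environment variable, flag or config key lands without a matching documentation line; on the constructed sample it reports the `--skip-auth` flag and the `SVC_TRUST_PROXY` variable, exactly the kind of security-relevant knobs that tend to stay hidden. Registry keys and other OS-level settings can be added as further patterns in the same style.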
