Cyber Trackr - Free Compliance Library
Cyber Trackr
The Free Compliance Library

Application Security and Development Checklist

  • Version/Release: V3R10
  • Published: 2014-12-22
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

b
The designer will ensure applications requiring user authentication are PK-enabled and are designed and implemented to support hardware tokens (e.g., CAC for NIPRNet).
Medium - V-6127 - SV-6127r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3280
Vuln IDs
  • V-6127
Rule IDs
  • SV-6127r1_rule
Non PK-enabled applications can allow unauthorized persons or entities to intercept information. A PK-enabled application gives assurance of the user accessing the application.System AdministratorIATS-1, IATS-2
Checks: C-2938r1_chk

This check is not applicable where application users are determined to have authorized access to the application and are not eligible to receive a CAC/DoD PKI certificate (e.g., retirees, dependents, etc.), as defined by DoDI 8520.2. 1) Ask the application representative if an application is PK-enabled. If the answer is no, this a finding. If the application is in a production environment, the application representative should be able to login to the application with a CAC. If the application resides on the SIPRNet, or in a test environment, the application representative may only have test certificates and should be able to login to the application with a soft certificate. Note: The certificates for this check do not need to be DoD approved certificates. 2) If the application representative cannot log in to the application with either soft certificates or certificates from a CAC, it is a finding. Ask the application representative where the certificate store is for the application and verify there are the correct test or production certificates for user authentication. Make certain a certificate is required for user authentication. Ask the application representative to temporarily remove the certificate from the certificate store and authenticate to the application. For web application using Internet Explorer from the Tools Menu Select “Internet Options” Select “Content” tab Select “Certificates” Select “Remove” Other applications certificate stores will have similar features. 3) If the application representative can login to the application without either soft certificates or certificates stored on a CAC or another authentication mechanism, this is a CAT I finding for check APP3460. This finding should not be recorded for this check. 4) Ask the application representative to demonstrate encryption is being used for authentication. If the application representative cannot demonstrate encryption is being used, it is a finding.

Fix: F-17017r1_fix

Modify the application to use certificate based authentication.

b
The designer and IAO will ensure PK-enabled applications are designed and implemented to use approved credentials authorized under the DoD PKI program.
Medium - V-6128 - SV-6128r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3290
Vuln IDs
  • V-6128
Rule IDs
  • SV-6128r1_rule
Using unapproved PKI certificates could allow access by non-DoD and unauthorized users.System AdministratorIATS-1, IATS-2
Checks: C-2940r1_chk

Policy: The designer and IAO will ensure PK-enabled applications are designed and implemented to use approved credentials authorized under the DoD PKI program. The IAO will ensure the PK-enabled applications are configured to honor only approved DoD PKI certificates. If the application is not PK-enabled, this check is not applicable. If the application resides on the SIPRNet and PKI infrastructure is unavailable, this check is not applicable. Ask whether the application utilizes PKI certificates other than DoD PKI and External Certification Authority (ECA) certificates. Verify the certificate used in authentication in APP3280. Internet Explorer can be used to view certificate information: Select “Tools” Select “Internet Options” Select “Content” tab Select “Certificates” Select the certificate used for authentication: Click “View” Select “Details” tab Select “Issuer” If the application utilizes PKI certificates other than DoD PKI and ECA certificates, this is a finding.

Fix: F-17018r1_fix

Configure the application to use approved DoD PKI certificates.

c
The designer will ensure the application using PKI validates certificates for expiration, confirms origin is from a DoD authorized CA, and verifies the certificate has not been revoked by CRL or OCSP, and CRL cache (if used) is updated at least daily.
High - V-6129 - SV-6129r2_rule
RMF Control
Severity
High
CCI
Version
APP3305
Vuln IDs
  • V-6129
Rule IDs
  • SV-6129r2_rule
The application should not provide access to users or other entities using expired, revoked or improperly signed certificates because the identity cannot be verified. System AdministratorIATS-1, IATS-2
Checks: C-2943r2_chk

If the application is not PK-enabled, this check is not applicable. If the application resides on the SIPRNet and PKI infrastructure is unavailable, this check is not applicable. This check is not applicable where system users are determined to be information privileged individuals, volunteers, or reservists, as required in the DoDI 8520.2. DoD test certificates can be obtained from the following website: http://jitc.fhu.disa.mil/pki/lab2.html Note: Before executing this check, the following certificate types need to be obtained: • Expired • Revoked • Improperly Signed If the application is PK-enabled and is not using DoD PKI certificates, the application representative will need to provide these certificates. If the application is PK-enabled and is not using DoD PKI certificates, the application representative will need to provide these certificates. If the application is a web-application that utilizes client certificates, validate proper PKI-functionality by using a test system configured to use an expired certificate, a revoked certificate and an improperly signed certificate. The test system should contain three user profiles: One with a revoked certificate, one with an expired certificate, and one with an improperly signed certificate. Log on with each of the user accounts for which there is an associated “bad certificate” profile and perform selected functions in the application that requires the use of a certificate (e.g., authentication). 1) If the expired, revoked, or improperly signed certificate can be used for application functions, it is a finding. Also, review the web server’s configuration to ascertain whether appropriate certificate validity checks are occurring. 2) If the web server does not check for and deny expired, revoked, or improperly signed certificates, it is a finding. If the application is not a web-application, work with an application SA to identify PK-enabled application functions, and then sequentially install the invalid certificates, testing each of the functions against each of the certificates. 3) Any successful use of any of the invalid certificates is a finding. If a finding is found in any of the preceding steps, document the details of the finding to include the following: • Which of the invalid certificates was accepted (potentially more than one). • The specific application functions that accepted the invalid certificate. *Note: Do not use (WS-Security, SAML, and XML) security libraries that do not perform full certificate validation adequately. Checking should include the certificate against the CA’s Certificate Revocation List (CRL) or the Online Certificate Status Protocol (OCSP).

Fix: F-17021r1_fix

Enable the application to provide certificate validation.

b
The designer will ensure the application has the capability to require account passwords that conform to DoD policy.
Medium - V-6130 - SV-6130r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3320
Vuln IDs
  • V-6130
Rule IDs
  • SV-6130r1_rule
Weak passwords can be guessed or easily cracked using various methods. This can potentially lead to unauthorized access to the application. System AdministratorIAIA-1
Checks: C-2942r1_chk

Policy: The designer will ensure the application has the capability to require account passwords having a minimum of 15 alphanumeric characters in length. The designer will ensure the application has the capability to require account passwords contain a mix of upper case letters, lower case letters, numbers, and special characters. The Designer will ensure the application has the capability to require account passwords be changed every 60 days or more frequently. The Designer will ensure passwords do not contain personal information such as names, telephone numbers, account names, birthdates, or dictionary words. The Designer will ensure the application has the capability to limit reuse of account passwords within the last 10 password changes. The Designer will ensure the application has the capability to limit user changes to their account passwords once every 24 hours with the exception of privileged or administrative users. The Designer will ensure the application has the capability to require new account passwords differ from the previous password by at least four characters when a password is changed. The IAO will configure the application to ensure account passwords conform to DoD password policy. If the entire authentication process for the application is performed by the operating system (such is the case for a Desktop Application), this check is Not Applicable. First, inventory all the password based authentication processes present in the application. For example, a web server may effectively act as a client when authenticating with a back-end database server. Peer-to-peer processes also are included because each peer still acts in the role of a client or server for particular transactions. Each process must be evaluated separately. If multiple processes must be used for a single authentication attempt, the combination of the processes should be evaluated to ensure this check is fully met. In addition, the authentication may involve a user account database specific to the application or it may involve leveraging the authentication service of an operating system or directory service. 1) If the authentication process involves the presentation of a user account name only, this is a finding. If the authentication is based on passwords, the passwords must have the following characteristics: • A minimum of 15 characters • Include at least one uppercase alphabetic character • Include at least one lowercase alphabetic character • Include at least one non-alphanumeric (special) character • Expire after 60 days • Be different from the previous 10 passwords used • Be changeable by the administrator at any time • Be changeable by the associated user only once in a 24 hour period (for human user accounts) • Not be changeable by users other than the administrator or the user with which the password is associated • Not contain personal information such as names, telephone numbers, account names, birthdates or dictionary words. 2) If the passwords do not have these characteristics, it is a finding. To verify compliance with these requirements, check the configuration of the software that manages the authentication process (e.g., OS, directory, and database or application software) and determine if each of the criteria listed are met. Also sample individual accounts to determine if any of the policy settings are overridden (e.g., password set to never expire). Focus on non-human user accounts, as these are the most likely to violate the stated requirements. Non-human accounts, sometimes known as services accounts, may not be set to expire after 60 days.

Fix: F-4422r1_fix

Enable PKI authentication. Enable the application to require account passwords having a minimum of 15 alphanumeric characters in length. Enable the application to require account passwords contain a mix of upper case letters, lower case letters, numbers, and special characters. Enable the application to require account passwords be changed every 60 days or more frequently. Enable the application to ensure passwords do not contain personal information such as names, telephone numbers, account names, birthdays, or dictionary words. Enable the application to limit reuse of account passwords within the last 10 password changes. Enable the application to limit user changes to their account passwords once every 24 hours with the exception of privileged or administrative users. Enable the application to require new account passwords differ from the previous password by at least four characters when a password is changed. Configure the application to ensure account passwords conform to DoD password policy.

b
The designer will ensure the application prevents the creation of duplicate accounts.
Medium - V-6131 - SV-6131r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3380
Vuln IDs
  • V-6131
Rule IDs
  • SV-6131r1_rule
Duplicate user accounts can create a situation where multiple users will be mapped to a single account. These duplicate user accounts may cause users to assume other users roles and privilege escalation. If user IDs are not unique and individual, user activity may not be accurately audited and unauthorized activity may not be seen by the audit system. System AdministratorIAIA-1
Checks: C-2945r1_chk

If the user accounts used in the application are only operating system or database accounts, this check is Not Applicable. Identify duplicate userids. If these are not available, sort the list by the user name and, if applicable, associated ID number so that duplicates will be contiguous and thus easier to locate. 1) If any duplicates user accounts are discovered, it is a finding. The finding details should specify the duplicates by name, unless they are too numerous to document, in which case a numerical count of the IDs is more appropriate.

Fix: F-17029r1_fix

Remove duplicate user accounts.

a
The IAO will ensure all user accounts are disabled which are authorized to have access to the application but have not authenticated within the past 35 days.
Low - V-6132 - SV-6132r2_rule
RMF Control
Severity
Low
CCI
Version
APP6240
Vuln IDs
  • V-6132
Rule IDs
  • SV-6132r2_rule
Disabling inactive userids ensures access and privilege are available to only those who need it.System AdministratorIAAC-1, IAIA-1
Checks: C-3050r1_chk

If the user accounts used in the application are only operating system or database accounts this check is Not Applicable. Identify all users that have not authenticated in the past 35 days. 1) If any of these accounts are enabled, it is a finding.

Fix: F-4424r1_fix

APP6240-DG-AP

b
The IAO will ensure unnecessary built-in application accounts are disabled.
Medium - V-6133 - SV-6133r1_rule
RMF Control
Severity
Medium
CCI
Version
APP6250
Vuln IDs
  • V-6133
Rule IDs
  • SV-6133r1_rule
Default passwords and properties of built-in accounts are often publicly available. Anyone with necessary knowledge, internal or external, can compromise an application using built-in accounts.System AdministratorIAIA-1
Checks: C-3051r1_chk

If the user accounts used in the application are only operating system or database accounts, this check is Not Applicable. Built-in accounts are those that are added as part of the installation of the application software. These accounts exist for many common commercial off-the-shelf (COTS) or open source components of enterprise applications (e.g., OS, web browser or database software). If SRRs are performed for these components, this is not applicable because the other SRRs will capture the relevant information and findings. If not, read the installation documentation to identify the built-in accounts. Also peruse the account list for obvious examples (e.g., accounts with vendor names such as Oracle or Tivoli). Verify that these accounts have been removed or disabled. If enabled built-in accounts are present, ask the application representative the reason for their existence. 1) If these accounts are not necessary to run the application, it is a finding. 2) If any of these accounts are privileged, it is a finding.

Fix: F-4425r1_fix

Disable unnecessary built-in userids

c
The IAO will ensure default passwords are changed.
High - V-6134 - SV-6134r1_rule
RMF Control
Severity
High
CCI
Version
APP6260
Vuln IDs
  • V-6134
Rule IDs
  • SV-6134r1_rule
Default passwords can easily be compromised by attackers allowing immediate access to the applications.System AdministratorIAIA-1
Checks: C-3052r1_chk

Run a password-cracking tool, if available, on a copy of each account database (there may be more than one in the application infrastructure). 1) If the password-cracking tool is able to crack the password of a privileged user, this is a CAT I finding. 2) If the password-cracking tool is able to crack the password of a non-privileged user, this is a CAT II finding. Manually attempt to authenticate with the published default password for that account, if such a default password exists. 3) If any privileged built-in account uses a default password – no matter how complex – this is a CAT I finding. 4) If a non-privileged account has a default password, this is a CAT II finding.

Fix: F-4426r1_fix

Change default passwords.

b
The designer will ensure the appropriate cryptography is used to protect stored DoD information if required by the information owner.
Medium - V-6135 - SV-6135r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3210
Vuln IDs
  • V-6135
Rule IDs
  • SV-6135r1_rule
Application data needs to be properly protected. Content of application data contains not only operationally sensitive data, but also personal data covered by the privacy act that needs to be protected internally and externally. Classifed data could be compromised if the required level of encryption is not utilized. System AdministratorECCR-1, ECCR-2, ECCR-3
Checks: C-2946r1_chk

The designer will ensure: - NIST-certified cryptography is used to protect stored sensitive information if required by the information owner. - NIST-certified cryptography is used to store classified non-Sources and Methods Intelligence (SAMI) information if required by the information owner. - A classified enclave containing SAMI data is encrypted with NSA-approved cryptography. Review the system security plan or interview the application representative to determine the classification of data in the application. Also, review encryption mechanisms protecting the data. This should include all data stored by REST-Style or SOAP-based web services. NIST-certified cryptography should be used to protect stored sensitive information if required by the information owner. NIST-certified cryptography should be used to protect stored classified non-SAMI data if required by the information owner. NSA-approved cryptography should be used to protect stored classified SAMI information. 1) If data at rest is not protected with the appropriate level of encryption, this is a finding.

Fix: F-17009r1_fix

Configure system to encrypt stored sensitive information as required by the data owner; ensure encryption is performed using NIST FIPS 140-2 validated encryption. Replace cryptography that is not NIST certified. Encrypt stored, non-SAMI classified information using NIST FIPS 140-2 validated encryption. Implement NSA validated type-1 encryption of all SAMI data stored in the enclave. Remove the SAMI from the enclave. Remove the uncleared users from the enclave.

c
The designer will ensure data transmitted through a commercial or wireless network is protected using an appropriate form of cryptography.
High - V-6136 - SV-6136r1_rule
RMF Control
Severity
High
CCI
Version
APP3250
Vuln IDs
  • V-6136
Rule IDs
  • SV-6136r1_rule
Unencrypted sensitive application data could be intercepted in transit.System AdministratorECCT-1, ECCT-2, ECNK-1, ECNK-2
Checks: C-2947r1_chk

Policy: The designer will ensure unclassified, sensitive data transmitted through a commercial or wireless network is protected using NIST certified cryptography. The designer will ensure classified data, transmitted through a network that is cleared to a lower level than the data being transmitted, is separately protected using NSA approved cryptography. The designer will ensure data in transit through a network at the same classification level, but which must be separated for need to know reasons, is protected minimally with NIST certified cryptography. The designer will ensure SAMI data in transit through a network at the same classification level is protected with NSA approved cryptography. Interview the application representative to determine if sensitive data is transmitted over a commercial circuit or wireless network (e.g., NIPRNet, ISP, etc.). 1) If any sensitive data is transferred over a commercial or wireless network and is not encrypted using NIST FIPS 140-2 validated encryption, this is a CAT I finding. Interview the application representative to determine if classified data is transmitted over a network cleared to a lower level than the data. (e.g., TS over SIPRNet, Secret over NIPRNet, etc.). 2) If classified data is transmitted over a network cleared to a lower level than the data and NSA approved type-1 encryption is not used to encrypt the data, this is a CAT I finding. Interview the application representative and determine if the data in transit must be separated for need to know reasons. 3) If data in transit across a network at the same classification level is separated for need-to-know reasons and the data is not minimally encrypted using NIST FIPS 140-2 validated encryption, this is a CAT II finding. Interview the application representative and determine if SAMI data is transmitted. 4) If SAMI data in transit across a network at the same classification level is not separately encrypted using NSA type-1 approved encryption, this is a CAT II finding. *Note: These checks apply to all data transmitted by REST-styled or SOAP-based Web Services.

Fix: F-17014r1_fix

Encrypt data in transit.

b
The designer will ensure the application uses the Federal Information Processing Standard (FIPS) 140-2 validated cryptographic modules and random number generator if the application implements encryption, key exchange, digital signature, and hash functionality.
Medium - V-6137 - SV-6137r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3150
Vuln IDs
  • V-6137
Rule IDs
  • SV-6137r1_rule
Unapproved cryptographic module algorithms cannot be verified, and cannot be relied upon to provide confidentiality or integrity and DoD data may be compromised due to weak algorithms.If the module is not on the FIPS validated encryption list, this is a CAT III finding. If there is no module being used, this is a CAT II finding. System AdministratorDCNR-1, ECCR-1, ECCR-2, ECCT-1, ECCT-2
Checks: C-2948r1_chk

If the application does not utilize encryption, key exchange, digital signature, or hash, FIPS 140-2 cryptography is not required and this check is not applicable. Identify all application or supporting infrastructure features that require cryptography such as, file encryption, VPN, SSH, etc. Verify the application is using FIPS-140 validated cryptographic modules. The National Institute of Standards and Technology’s FIPS 140-1 and FIPS 140-2 Vendor List is located at: http://csrc.nist.gov/cryptval/. 1) If the application requiring encryption, key exchange, digital signature or hash is using an unapproved module or no module, it is a finding. 2) If the application utilizes unapproved modules for cryptographic random number generation, it is a finding. Note: If the application uses WS Security tokens, W3C XML Signature can be used to digitally sign messages and provide message integrity.

Fix: F-16997r1_fix

Utilize FIPS 140-2 cryptography for modules implementing encryption, key exchange, digital signature, and hash.

b
The designer will ensure the application design includes audits on all access to need-to-know information and key application events.
Medium - V-6138 - SV-6138r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3680
Vuln IDs
  • V-6138
Rule IDs
  • SV-6138r1_rule
Properly logged and monitored audit logs not only assist in combating threats, but also play a key role in diagnosis, forensics, and recovery. System AdministratorECAR-1, ECAR-2, ECAR-3
Checks: C-2950r1_chk

MAC I or DoD Information Systems processing classified information, require the following events and data for auditing. Types of events are: - Successful and unsuccessful attempts to access security files. - Successful and unsuccessful logons. - Denial of access resulting from excessive number of logon attempts. - Blocking or blacklisting a user ID, terminal or access port. - Activities that might modify, bypass, or negate safeguards controlled by the system. - Possible use of covert channel mechanisms. - Privileged activities and other system-level access. - Starting and ending time for access to the system. - Security relevant actions associated with periods processing or the changing of security labels or categories of information. - Deletion or modification of data. Audit records include: - User ID - Date and time of the event - Type of event - Success or failure of event - origin of request (e.g., originating host’s IP address) for Identification and Authentication events only - name of data object modified or deleted for deletion or modification events only - reason user is blocked or blacklisted for blocking or blacklisting events only - Data required to monitor for the possible use of covert channels events only MAC II DoD Information Systems processing sensitive information require the following events and data for auditing. Types of events are: - Successful and unsuccessful attempts to access security files. - Successful and unsuccessful logons. - Denial of access resulting from excessive number of logon attempts. - Blocking or blacklisting a user ID, terminal or access port. - Activities that might modify, bypass, or negate safeguards controlled by the system. - Deletion or modification of data. Audit records include: - User ID - Date and time of the event - Type of event - Success or failure of event - origin of request (e.g., originating host’s IP address) for Identification and Authentication events only - name of data object modified or deleted for deletion or modification events only - reason user is blocked or blacklisted for blocking or blacklisting events only MAC III or DoD Information Systems processing publicly released information require the following events and data for auditing. Types of events are: - Successful and unsuccessful attempts to access security files. - Deletion or modification of data Audit records include: - User ID - Date and time of the event - Type of event - origin of request (e.g., originating host’s IP address) for Identification and Authentication events only. - name of data object modified or deleted for deletion or modification events only 1) If all the required events and associated details are not included in the log or there is not a logging mechanism, it is a finding. *Note: The mechanism that performs auditing may be a combination of the operating system, web server, database, application, etc. Also web services may be distributed over many geographic locations; however, auditing requirements remain the same in web services as they do in a traditional application.

Fix: F-17118r1_fix

Implement logging of security-relevant events.

a
The designer will ensure the application has a capability to notify an administrator when audit logs are nearing capacity as specified in the system documentation.
Low - V-6139 - SV-6139r1_rule
RMF Control
Severity
Low
CCI
Version
APP3650
Vuln IDs
  • V-6139
Rule IDs
  • SV-6139r1_rule
If an application audit log reaches capacity without warning, it will stop logging important system and security events. It could also open the system up for a type of denial of service attack, if an application halts with a full log.System AdministratorECAT-2
Checks: C-2952r1_chk

Examine the application documentation and ask the application representative what automated mechanism is in place to ensure the administrator is notified when the application logs are near capacity. 1) If an automated mechanism is not in place to warn the administrator, it is a finding. If the application representative or the documentation indicates a mechanism is in place, examine the configuration of the mechanism to ensure the process is present and executing. 2) If an automated mechanism is not executing, it is a finding. Note: This may be automated by the operating system of the application servers.

Fix: F-17116r1_fix

Implement a warning mechanism to notify system administrators when the audit records are near full.

b
The designer and IAO will ensure the audit trail is readable only by the application and auditors and protected against modification and deletion by unauthorized individuals.
Medium - V-6140 - SV-6140r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3690
Vuln IDs
  • V-6140
Rule IDs
  • SV-6140r1_rule
Excessive permissions of audit records allow cover up of intrusion or misuse of the application.System AdministratorECTP-1
Checks: C-2953r1_chk

Locate the application audit log location. Examine the properties of the log files. For a Windows system, the NTFS file permissions should be System – Full control, Administrators and Application Administrators - Read, and Auditors - Full Control. 1) If the log files have permissions more permissive than what is listed, it is a finding. For UNIX systems, use the ls –la (or equivalent) command to check the permissions of the audit log files. 2) If excessive permissions exist, it is a finding.

Fix: F-4432r1_fix

Correct permissions on application audit logs.

c
The designer will ensure access control mechanisms exist to ensure data is accessed and changed only by authorized personnel.
High - V-6141 - SV-6141r1_rule
RMF Control
Severity
High
CCI
Version
APP3480
Vuln IDs
  • V-6141
Rule IDs
  • SV-6141r1_rule
If access control mechanisms are not in place, anonymous users could potentially make unauthorized read and modification requests to the application data which is an immediate loss of the integrity of the data. Any vulnerability associated with a DoD Information system or system enclave, the exploitation of which, by a risk factor, will directly and immediately result in loss of Confidentiality, Availability or Integrity of the system associated data. System AdministratorECCD-2, ECLP-1, ECPA-1
Checks: C-2955r1_chk

Policy: The designer will ensure access control mechanisms exist to ensure data is accessed and changed only by authorized personnel. The designer will ensure the access procedures enforce the principles of separation of duties and "least privilege." The IAO will ensure the access procedures enforce the principles of separation of duties and "least privilege." Ask the application representative if particular administrative and user functions can be restricted to certain roles. The objective is to ensure that the application prohibits combination of roles that represent an IA risk. In particular, inquire about separation of duties between the following: • Personnel that review and clear audit logs and personnel that perform non-audit administration. • Personnel that create, modify, and delete access control rules and personnel that perform either data entry or application programming. Some applications may only contain administrator access and no other access. For example, network appliances may have administrator only access. Web applications with no user authentication required are also considered to contain a single role, unless the web application provides administrative access to publish web server content. 1) If the application is designed specifically to only have one role, this check is not applicable. 2) If the application representative states that the application does not enforce separation of duties between the roles listed above, it is a finding. If the representative claims that the required separation exists, identify which software component is enforcing it. Evidence of enforcement can either involve the display of relevant security configuration settings or a demonstration using different user accounts, each assigned to a different role. 3) If the application representative cannot provide evidence of separation of duties, it is a finding. *Note: Web services are required to implement role-based access control.

Fix: F-17090r1_fix

Implement access control mechanisms.

b
The designer will ensure all access authorizations to data are revoked prior to initial assignment, allocation or reallocation to an unused state.
Medium - V-6142 - SV-6142r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3240
Vuln IDs
  • V-6142
Rule IDs
  • SV-6142r1_rule
DoD data may be compromised if applications do not protect residual data in objects when they are allocated to an unused state. Access authorizations to data should be revoked prior to initial assignment, allocation or reallocation to an unused state because subsequent use of the object could allow access to the residual data.System AdministratorECRC-1
Checks: C-2956r1_chk

Ask the application for the design document. Review the design document to ensure the application handles objects so that no residual data exists when reusing objects. No information, including encrypted representations of information, produced by a prior actions is available to any subsequent use of the object. There should be no residual data from the former object. Verify the design document objects which are reused within the application do not contain any residual information. 1) If the design document does not exist or does not address object reuse, it is a finding.

Fix: F-17013r1_fix

Revoke access authorizations to data revoked prior to initial assignment, allocation, or reallocation, to an unused state.

b
The designer will ensure the application executes with no more privileges than necessary for proper operation.
Medium - V-6143 - SV-6143r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3500
Vuln IDs
  • V-6143
Rule IDs
  • SV-6143r1_rule
An application with unnecessary access privileges can give an attacker access to the underlying operating system.System AdministratorECLP-1
Checks: C-3671r1_chk

Identify the application user account(s) that the application uses to run. These accounts include the application processes (defined by Control Panel Services (Windows) or ps –ef (UNIX)) or for an n-tier application, the account that connects from one service (such as a web server) to another (such as a database server). Determine the user groups in which each account is a member. List the user rights assigned to these users and groups and evaluate whether any of them are unnecessary. 1) If the rights are unnecessary, it is a finding. 2) If the account is a member of the Administrators group (Windows) or has a User Identification (UID) of 0 (i.e., is equivalent to root in UNIX), it is a finding. 3) If this account is a member of the SYSAdmin fixed server role in SQL Server, it is a finding. 4) If the account has DDL (Data Definition Language) privileges (create, drop, alter), or other system privileges, it is a finding. Search the file system to determine if these users or groups have ownership or permissions to any files or directories. Review the list of files and identify any that are outside the scope of the application. 5) If there are such files outside the scope of the application, it is a finding. Check ownership and permissions; identify permissions beyond the minimum necessary to support the application. 6) If there are instances of unnecessary ownership or permissions, it is a finding. The finding details should note the full path of the file(s) and the associated issue (i.e., outside scope, permissions improperly granted to user X, etc.). 7) If the target is a .NET application that executes with least privileges using code access security (CAS), this is not a finding.

Fix: F-4447r1_fix

Modify the application to remove unnecessary privileges.

b
The designer will ensure the application provides a capability to limit the number of logon sessions per user and per application.
Medium - V-6144 - SV-6144r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3410
Vuln IDs
  • V-6144
Rule IDs
  • SV-6144r1_rule
If a user account has been compromised, limiting the number of sessions will allow the administrator to detect if the account has been compromised by an indication that the maximum number of sessions has been exceeded. Also, limiting the number of sessions affords an application the ability to prevent resources from becoming overloaded, and prevent a large scale DoS.System AdministratorECLO-1
Checks: C-2958r1_chk

Work with the application representative to identify application modules that involve user or process sessions (e.g., a user may initiate a session with a web server, which in turn maintains sessions with a backend database server). For each session type, ask the application representative the limits on: • Number of sessions per user ID • Number of sessions per application 1) If the application representative states the session limits are absent for any of the session types, it is a finding. In many cases, session configuration parameters can be examined. If configuration parameters are embedded within the application, they may not be available for review. Any configuration settings that are not configurable should be manually tested. The preferred method depends on the application environment. 2) If there is no evidence of a required session limit on one or more of the session types, it is a finding. The finding details should note specifically which types of sessions are left unbounded, and thus, more vulnerable to DoS attacks.

Fix: F-17073r1_fix

Implement limits on: • Number of sessions per user ID • Number of sessions per application Implement session limits.

b
If the application contains classified data, the Program Manager will ensure a Security Classification Guide exists containing data elements and their classification.
Medium - V-6145 - SV-6145r1_rule
RMF Control
Severity
Medium
CCI
Version
APP2040
Vuln IDs
  • V-6145
Rule IDs
  • SV-6145r1_rule
Without a classification guide the marking, storage, and output media of classified material can be inadvertently mixed with unclassified material, leading to its possible loss or compromise. Information Assurance OfficerDCSD-1
Checks: C-3053r1_chk

The IAO will ensure the classification guide for the application data exists and is available to users. If the application does not process classified information, this check is not applicable. The application may already be covered by a higher level program or other classification guide. If classification guide is not written specifically to the application, the sensitive application data should be reviewed to determine whether it is contained in the classification guide. DoD 5200.1-R, January 1997 identifies requirements for security classification and/or declassification guides (http://www.dtic.mil/whs/directives/corres/pdf/520001r.pdf). Security classification guides shall provide the following information: • Identify specific items, elements, or categories of information to be protected. • State the specific classification to be assigned to each item or element of information and, when useful, specify items of information that are unclassified. • Provide declassification instructions for each item or element of information, to include the applicable exemption category for information exempted from automatic declassification. • State a concise reason for classification for each item, element, or category of information that, at a minimum, cites the applicable classification categories in Section 1.5 of E.O. 12958. • Identify any special handling caveats that apply to items, elements, or categories of information. • Identify, by name or personal identifier and position title, the original classification authority approving the guide and the date of that approval. • Provide a point-of-contact for questions about the guide and suggestions for improvement. • For information exempted from automatic declassification because its disclosure would reveal foreign government information or violate a statute, treaty, or international agreement, the security classification guide will identify the government or specify the applicable statute, treaty, or international agreement, as appropriate. 1) If the security classification guide does not exist, or does not contain data elements and their classification, it is a finding.

Fix: F-16971r1_fix

Create and maintain a security classification guide.

c
The designer will ensure the application has the capability to mark sensitive/classified output when required.
High - V-6146 - SV-6146r1_rule
RMF Control
Severity
High
CCI
Version
APP3270
Vuln IDs
  • V-6146
Rule IDs
  • SV-6146r1_rule
Failure to properly mark output could result in a disclosure of sensitive or classified data which is an immediate loss in confidentiality. Any vulnerability associated with a DoD Information system or system enclave, the exploitation of which, by a risk factor, will directly and immediately result in loss of Confidentiality, Availability or Integrity of the system associated data. System AdministratorECML-1
Checks: C-2959r1_chk

Before actual testing, determine which application functions to examine, giving preference to report generation capabilities and the most common user transactions that involve sensitive data (FOUO, secret or above). Ask the application representative for the application’s classification guide. This guide should document the data elements and their classification. Logon to the application and perform these in sequence, printing output when applicable. The application representative’s assistance may be required to perform these steps. For each function, note whether the appropriate markings appear on the displayed and printed output. If a classification document does not exist, data must be marked at the highest classification of the system. Appropriate markings for an application are as follows: For classified data, markings are required at a minimum at the top and the bottom of screens and reports. For FOUO data, markings are required at a minimum of the bottom of the screen or report. In some cases, technology may prohibit the appropriate markings on printed documents. For example, in some cases, it is not possible to mark all pages top and bottom when a user prints from a browser. If this is the case, ask the application representative if user procedures exist for manually marking printed documents. If procedures do exist, examine the procedures to ensure that if the users were to follow the procedures the data would be marked correctly. Also, ask how these procedures are distributed to the users. 1) If appropriate markings are not present within the application and it is technically possible to have the markings present, it is a finding. 2) If it is not technically feasible to meet the minimum marking requirement and no user procedures exist or if followed the procedures will result in incorrect markings, or the procedures are not readily available to users, it is a finding. In any case of a finding, the finding details should specify which functions failed to produce the desired results. After completing the test, destroy all printed output using the site’s preferred method for disposal. For example: utilizing a shredder or disposal in burn bags. Note: Physical markings on hardware do not meet this requirement.

Fix: F-17016r1_fix

Enable the application to adequately mark sensitive/classified output.

b
The Test Manager will ensure the application does not modify data files outside the scope of the application.
Medium - V-6147 - SV-6147r1_rule
RMF Control
Severity
Medium
CCI
Version
APP5030
Vuln IDs
  • V-6147
Rule IDs
  • SV-6147r1_rule
Modifying data or files outside the scope of the application could lead to system instability in the event of an application problem. Also, a problem with this application could effect the operation of another application.System AdministratorECRC-1
Checks: C-3054r1_chk

On each computer in the application infrastructure, search the file system for files created or modified in the past week. If the response is too voluminous (more than 200 files), find the files created or modified in the past day. Search through the list for files and identify those that appear to be outside the scope of the application. Ask the application representative how the file relates to the application. If the application is a COTS/GOTS product or is composed of only COTS/GOTS products with no custom code, this check does not apply unless the application is being reviewed by or in conjunction with the COTS/GOTS vendor in which case this check is applicable. 1) If the creation or modification of the file does not have a clear purpose, it is a finding. The finding details should include the full path of the file. The method described above may not catch all instances of out-of-scope modifications because the file(s) may have been modified prior to the threshold date or because the files may be residing on a system other than those examined. If additional information is obtained later in the review regarding improper modification of files, revisit this check. This information may be uncovered when the reviewer obtains more detailed knowledge of how the application works during subsequent checks.

Fix: F-17140r1_fix

Restrict the application to modify data files within the scope of the application.

b
The designer will ensure threat models are documented and reviewed for each application release and updated as required by design and functionality changes or new threats are discovered.
Medium - V-6148 - SV-6148r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3020
Vuln IDs
  • V-6148
Rule IDs
  • SV-6148r1_rule
The lack of threat modeling will potentially leave unidentified threats for attackers to utilize to gain access to the application.System AdministratorDCSQ-1
Checks: C-2960r1_chk

Review the threat model and identify the following sections are present: • Identified threats • Potential mitigations • Mitigations selected based on risk analysis Detailed information on threat modeling can be found at the Open Web Application Security Project (OWASP) website. If the application is a COTS/GOTS product or is composed of only COTS/GOTS products with no custom code, this check does not apply unless the application is being reviewed by or in conjunction with the COTS/GOTS vendor in which case this check is applicable. 1) If the threat model does not exist, or does not have identified threats, potential mitigations, and mitigations selected based on risk analysis, as sections within the Threat Model, it is a finding. 2) If the threat model has not been updated to reflect the application release being reviewed, this is a finding. Verify the mitigations selected in the threat model have been implemented. 3) If the mitigations selected based on risk analysis have not been implemented, this is a finding. Review the identified threats from the each of the application’s networked components. For example, a backend server may accept SQL queries and SSH connections and also have an NFS share. Next, examine firewall rules and router ACLs that prevent clients from reaching these access points, effectively reducing the area of the threat surface. For example, if the backend database accepts queries but is in an enclave where there are no user workstations and firewall rules allow only web traffic, this is not a finding. For each of the remaining access points, attempt to access these resources in a similar manner as the application would without utilizing the user interface (e.g., send SQL query using a tool outside of the application or attempt to access a share using command line utilities). 4) If a user can authenticate to any of these remaining access points outside of the intended user interface, this is a finding. The finding details should note the application component accessed and the method or tool used to access it.

Fix: F-16986r1_fix

Establish and maintain threat models and review for each application release and when new threats are discovered. Identify potential mitigations to identified threats. Ensure mitigations are implemented to threats based on their risk analysis.

b
The designer will ensure the application does not contain source code that is never invoked during operation, except for software components and libraries from approved third-party products.
Medium - V-6149 - SV-6149r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3050
Vuln IDs
  • V-6149
Rule IDs
  • SV-6149r1_rule
Unused libraries increase a program size without any benefits. and may expose an enclave to possible malware. They can be used by a worm as program space, and increase the risk of a buffer overflow attack. As code evaluations are performed, to identify potential vulnerabilities or to identify security enhancements, unused code will not be evaluated and therefore, adds additional unknown risk. System AdministratorDCSQ-1
Checks: C-2961r1_chk

Ask the application representative if there is a documented process to remove code when it is no longer executed. Also ask if there is a documented process to ensure unnecessary code is not included into a release. If the application is a COTS/GOTS product or is composed of only COTS/GOTS products with no custom code, this check does not apply unless the application is being reviewed by or in conjunction with the COTS/GOTS vendor in which case this check is applicable. The process may include the following: · Source code analysis tools · Development environments that indicate unused source code · Compiler options that detect unreachable code For a web-based application, conduct a spot check of the code directory (e.g., .html, .asp, .jsp, and .php files), sampling at least four files, and ensure the code is executed for the application. If a documented process is not in place, check at least 10 pieces of code. Search for possible 'include files' and scripts. Determine if the 'include files' and scripts exist. Examples of 'include files' and scripts: jsp <%@ include file="include.jsp" %> php <?php include("include.php"); ?> asp <!--#include file="include.html"--> js <script src="include.js" type="text/javascript"></script> 1) If 'include files' and scripts do not exist, it is a finding. 2) If other code is found that is not being used, this is a finding. Document the name of the file containing the offending code in the finding details. For Visual Basic or C/C++ and other applications verify that a documented process is in place to prevent unused source code from being introduced into the application. Verify the process by source code analysis tools results, development environment tools, compiler options or the mechanism documented by process that enforces unused source from being introduced into the application. 3) If the application representative does not have a documented policy or there is no evidence that mechanisms are in place to prevent the introduction of unused code into the application, this is a finding.

Fix: F-16987r1_fix

Establish a formal process is in place to remove unnecessary software and libraries.

b
The Designer will ensure the application does not store configuration and control files in the same directory as user data.
Medium - V-6150 - SV-6150r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3060
Vuln IDs
  • V-6150
Rule IDs
  • SV-6150r1_rule
Application code and data require two very different security requirements, authentication and authorization (especially in file access). Without proper authentication and authorization there is the potential for existing code to be changed. These changes in code can lead to a Denial of Service (DoS) attack or allow malicious code to be placed within the application. In addition, collocating application data and code complicates many issues such as backup, recovery, directory access privilege, and upgrades.System AdministratorDCPA-1
Checks: C-3055r1_chk

Ask the application representative or examine the application documentation to determine the location of the application code and data. Examine the directory where the application code is located. 1) If the application data is located in the same directory as the code, this is a finding.

Fix: F-16988r1_fix

Separate the application data into a different directory than the application code.

b
The IAO will ensure unnecessary services are disabled or removed.
Medium - V-6151 - SV-6151r1_rule
RMF Control
Severity
Medium
CCI
Version
APP6030
Vuln IDs
  • V-6151
Rule IDs
  • SV-6151r1_rule
Unnecessary services and software increases the security risk by increasing the potential attack surface of the application.System AdministratorDCSD-1
Checks: C-3056r1_chk

Examine the configuration of the servers. Determine what software is installed on the servers. Determine which services are needed for the application by examining the application design and accreditation documentation and interviewing the application representative. For example, in cases where two web servers (IIS and Apache) are installed, and only one is being used. 1) If there are services or software present not needed for the application, it is a finding.

Fix: F-4455r1_fix

Remove unnecessary services or software.

b
The designer will ensure the application is capable of displaying a customizable click-through banner at logon which prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating "OK.”
Medium - V-6152 - SV-6152r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3440
Vuln IDs
  • V-6152
Rule IDs
  • SV-6152r1_rule
A logon banner is used to warn users against unauthorized entry and the possibility of legal action for unauthorized users, and advise all users that system use constitutes consent to monitoring, recording, and auditing, and that they have no expectation of privacy. Failure to display a logon warning banner without this type of information could adversely impact the ability to prosecute unauthorized users and users who abuse the system.System AdministratorECWM-1
Checks: C-3030r1_chk

Logon to the application. If a warning message appears, compare it to the two following banners: (Use the following banner for desktops, laptops, and other devices accommodating banners of 1300 characters) You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. At any time, the USG may inspect and seize data stored on this IS. Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. (For Blackberries and other PDAs/PEDs with severe character limitations use the following banner): I've read & consent to terms in IS user agreem't. These banners are mandatory and deviations are not permitted except as authorized in writing by the Deputy Assistant Secretary of Defense for Information and Identity Assurance. 1) If the login banner is not one of the above banners or the login banner is missing this is a finding. If the only way to access the application is through the OS, then an additional banner is not required at the application level.

Fix: F-17077r1_fix

Modify or configure the application to present the DoD warning banner at login.

c
The designer will ensure the application removes authentication credentials on client computers after a session terminates.
High - V-6153 - SV-6153r1_rule
RMF Control
Severity
High
CCI
Version
APP3430
Vuln IDs
  • V-6153
Rule IDs
  • SV-6153r1_rule
Leaving authentication credentials stored at the client level allows potential access to session information that can be used by subsequent users of a shared workstation and could also be exported and used on other workstation providing immediate unauthorized access to the application. System AdministratorIAIA-1, IAIA-2
Checks: C-3032r1_chk

Persistent cookies are the primary means by which an application stores authentication information over more than one browser session. If the application is a web-based application, verify that Internet Explorer (IE) is set to warn the user before accepting a cookie. Logon to the application and perform several standard operations, noting if the application ever prompts the user to accept a cookie. Log out, close the browser and check the /Windows/cookies, /Windows/profiles/xyz/cookies, and the /documents and settings/xyz/cookies directories (where xyz is replaced by the Windows user profile name). If a cookie has been placed in either of these directories, open it (using Notepad or another text editor) and search for identification or authentication data that remain after to check for sensitive application data. 1) If authentication credentials exist (e.g., a password), this is a CAT I finding. 2) If identification information (e.g., user name, ID, or key properties) exists, but is not accompanied by authentication credentials such as a password, this is a CAT II finding. The application may use means other than cookies to store user information. If the reviewer detects an alternative mechanism for storing I&A information locally, examine the credentials found. 3) If authentication data (e.g., a password) is found, this is a CAT I finding. 4) If identification information is found (e.g., user name, ID, or key properties) but is not accompanied by authentication credentials such as a password, this is a CAT II finding. 5) If the application will initiate additional sessions without requiring authentication after logging out of the application, this is a CAT I finding. Web applications using autocomplete can be setup to store passwords and sensitive data. Many operating systems centrally control the autocomplete feature and it should be disabled. Workstations that do not have this feature disabled by default have the risk of storage of password information and sensitive information. Examples include public kiosks and home workstations connecting to the NIPRNet where this feature may be disabled. View the html pages that contain password and sensitive information to determine if autocomplete feature has been turned off. Example form html: <FORM AUTOCOMPLETE = "off"> Autocompletes are explained further at the Microsoft website. http://msdn.microsoft.com/en-us/library/ms533486(VS.85).aspx 6) If the application is configured to allow autocomplete for passwords, this is a CAT I finding. 7) If the application is configured to allow for sensitive information fields, this is a CAT II finding.

Fix: F-17076r1_fix

Modify the application to remove authentication credentials on workstations after a session terminates.

b
The designer will ensure the application is organized by functionality and roles to support the assignment of specific roles to specific application functions.
Medium - V-6154 - SV-6154r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3470
Vuln IDs
  • V-6154
Rule IDs
  • SV-6154r1_rule
Without a least privilege policy, a user can gain access to information that he or she is not entitled to and can compromise confidentiality, integrity, and availability of the system. Also, minimizing privileges reduces the risk associated with hijacked accounts. Role based accounts can separate administrative and non-administrative rights in different roles. System AdministratorECLP-1, ECPA-1
Checks: C-3033r1_chk

Policy: The designer will ensure the application is organized by functionality and roles to support the assignment of specific roles to specific application functions. The IAO will ensure access to privileged accounts is limited to privileged users. The IAO will ensure non-privileged accounts are limited to non-privileged users. The IAO will ensure the application account is established and administered in accordance with a role based access scheme to enforce least privilege and separation of duties. Check: Log on as an unprivileged user. Examine the user interfaces (such as, graphical, web, and command line) to determine if any administrative functions are available. Privileged functions include the following: • Create, modify, and delete user accounts and groups • Grant, modify, and remove file or database permissions • Configure password and account lockout policy • Configure policy regarding the number and length of sessions • Change passwords or certificates of users other than oneself • Determine how the application will respond to error conditions • Determine auditable events and related parameters • Establish log sizes, fill thresholds, and fill behavior (i.e., what happens when the log is full) Some applications may only contain administrator access and no other access. For example, network appliances may have administrator only access. Web applications with no user authentication required are also considered to contain a single role, unless the web application provides administrative access to publish web server content. 1) If the application is designed specifically to only have one role, this check is not applicable. 2) If non-privileged users have the ability to perform any of the functions listed above, it is a finding. Finding details should specify which of the functions are not restricted to privileged users. Work closely with the application SA before testing any administrative changes to ensure local change management procedures are followed. Immediately back out of any changes that occur during testing. Review administrative rights assignments in all application components, including the database software and operating system. On Windows systems, review each of the User Rights to determine which users and groups are given more than default capabilities. User Rights can be viewed by using DumpSec, then selecting Reports, Dump Rights. 3) If privileged rights are granted to non-privileged users, it is a finding. *Note: Web services are required to separate functionality by roles.

Fix: F-17088r1_fix

Modify the application to be organized by functionality and roles to support the assignment of specific roles to specific application functions. Assign privileged accounts only to privileged users. Assign non-privileged accounts only to non-privileged users. Establish and administer accounts in accordance with a role based access scheme to enforce least privilege, and separation of duties.

b
The designer will ensure the application provides a capability to terminate a session and log out.
Medium - V-6155 - SV-6155r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3420
Vuln IDs
  • V-6155
Rule IDs
  • SV-6155r1_rule
If a user cannot log out of the application, subsequent users of a shared system could continue to use the previous user's session to the application.System AdministratorDCSQ-1
Checks: C-3034r1_chk

Log on to the application and then attempt to log out. If this option is not available, ask the application representative to explain how this function is performed. 1) If the ability to log out is absent or is hidden to the extent most users cannot reasonably expect to easily find it, it is a finding.

Fix: F-17075r1_fix

Implement a capability to terminate a session and logout.

c
The designer will ensure the application does not contain embedded authentication data.
High - V-6156 - SV-6156r1_rule
RMF Control
Severity
High
CCI
Version
APP3350
Vuln IDs
  • V-6156
Rule IDs
  • SV-6156r1_rule
Authentication data stored in code could potentially be read and used by anonymous users to gain access to a backend database or application server. This could lead to immediate access to a backend server. System AdministratorIAIA-1, IAIA-2
Checks: C-14176r1_chk

Review source code (including global.asa, if present), configuration files, scripts, HTML file, and any ASCII files to locate any instances in which a password, certificate, or sensitive data is included in code. If credentials were found, check the file permissions on the offending file. 1) If the file permissions indicate that the file has no access control permissions (everyone can read or is world readable), this is a CAT I finding. 2) If there is a level of file protection that requires that at least authenticated users have read access, this is a CAT I finding. 3) If a level of protection exists that only administrators or those with a UID of 0 can read the file, this is a CAT II finding. The finding details should note specifically where the offending credentials or data were located and what resources they enabled.

Fix: F-17025r1_fix

Remove embedded authentication data stored in code, configuration files, scripts, HTML file, or any ASCII files.

b
The designer will ensure the application does not contain invalid URL or path references.
Medium - V-6157 - SV-6157r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3080
Vuln IDs
  • V-6157
Rule IDs
  • SV-6157r1_rule
Resource information in code can easily advertise available vulnerabilities to unauthorized users. By placing the references into configuration files, the files can be further protected by file permissions and will be separated for ease of updating.System AdministratorDCSQ-1
Checks: C-14177r1_chk

Search the source code for common URL prefixes and suffixes and to the extent feasible with available tools, NFS shares, NetBIOS shares and IP addresses. All such resources should be captured from configuration files (i.e., “http://”, ftp://, “.mil”, “.com”). 1) If any references are invalid, it is a finding.

Fix: F-16990r1_fix

Remove any invalid URL or path references from the application.

b
The designer will ensure the application only embeds mobile code in e-mail which does not execute automatically when the user opens the e-mail body or attachment.
Medium - V-6158 - SV-6158r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3740
Vuln IDs
  • V-6158
Rule IDs
  • SV-6158r1_rule
The practice of opening e-mails with executable code renders the recipient vulnerable to Internet worms, malicious content, and other threats.System AdministratorDCMC-1
Checks: C-3036r1_chk

If the application does not send e-mail, this check is not applicable. If the application sends e-mail, ask for user documentation and test results of e-mail portion of application. Additionally, execute the email portion of the application. If possible, configure mail to send to an established email account. If network configurations prevent actual mail delivery, perform the check by examining the mail in the mail queue. Examine documentation and email output. 1) If any email message contains files with the following extensions (.exe, .bat, .vbs, .reg, .jse, .js, .shs, .vbe, .wsc, .sct, .wsf, .wsh), it is a finding.

Fix: F-17125r1_fix

Remove executable mobile code from email messages.

b
The designer will ensure unsigned Category 1A mobile code is not used in the application in accordance with DoD policy.
Medium - V-6159 - SV-6159r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3700
Vuln IDs
  • V-6159
Rule IDs
  • SV-6159r1_rule
Use of un-trusted Level 1 and 2 mobile code technologies can introduce security vulnerabilities and malicious code into the client system. System AdministratorDCMC-1
Checks: C-3037r1_chk

The designer will ensure Category 1A mobile code used in an application is signed with a DoD-approved code-signing certificate. The designer will ensure signed Category 1A mobile code used in an application is obtained from a trusted source and is designated as trusted. The designer will ensure Category 1X mobile code is not used in applications. The designer will ensure signed Category 2 mobile code used in an application is signed with a DoD-approved code signing certificate. The designer will ensure Category 2 mobile code not executing in a constrained execution environment is obtained from a trusted source over an assured channel using at least one of the following measures: Interview the application representative and examine the application documentation to determine if Category 1A or 2 mobile code is used. The URL of the application must be added to the Trusted Sites zone. This is accomplished via the Tools, Internet Options, and Security Tab. Select the Trusted Sites zone. Click the sites button. Enter the URL into the text box below the Add this site to this zone message. Click Add. Click OK. Note: This requires administrator privileges to add URL to sites on a STIG compliant workstation. Next, test the application. This testing should include functional testing from all major components of the application. If mobile code is in use, the browser will prompt to download the control. At the download prompt, the browser will indicate that code has been digitally signed. 1) If the code has not been signed or the application warns that a control cannot be invoked due to security settings, it is a finding. 2) If the code has not been signed with a DoD approved PKI certificate, it is a finding.

Fix: F-17119r1_fix

Sign Category 1 or Category 2 mobile code.

b
The designer will ensure unsigned Category 2 mobile code executing in a constrained environment has no access to local system and network resources.
Medium - V-6160 - SV-6160r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3720
Vuln IDs
  • V-6160
Rule IDs
  • SV-6160r1_rule
Mobile code cannot conform to traditional installation and configuration safeguards, therefore, the use of local operating system resources and spawning of network connections introduce harmful and uncertain effects.System AdministratorDCMC-1
Checks: C-3038r1_chk

If the application does not contain mobile code, this is not applicable. If any mobile code is being transmitted by the application, examine the configuration of the test machine to ensure that no network connections exist. This can be accomplished by typing the netstat command from the command prompt on a Windows client. Ensure that after the mobile code is executed, network connections do not exist. 1) If the application transmits mobile code that attempts to access local operating system resources or establish network connections to servers other than the application server, it is a finding.

Fix: F-17120r1_fix

Remove unsigned unconstrained mobile code.

b
The designer will ensure signed Category 1A and Category 2 mobile code signature is validated before executing.
Medium - V-6161 - SV-6161r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3710
Vuln IDs
  • V-6161
Rule IDs
  • SV-6161r1_rule
Untrusted mobile code may contain malware or malicious code and digital signatures provide a source of the content which is crucial to authentication and trust of the data. System AdministratorDCMC-1
Checks: C-3039r1_chk

Ask the application representative and examine the documentation to determine if the application accepts file inputs via e-mail, ftp, file uploads or other automated mechanisms. If the application does not accept file uploads, this check is not applicable. If the application accepts inputs, investigate the process that is used to process the request. If the process could contain mobile code, a mechanism must exist to ensure that before mobile code is executed, its signature must be validated. The following examples are intended to show determination of the finding: Non-finding example: The application allows upload of data. The data file is parsed looking for specific pieces of information in an expected format. An application program in accordance with established business rules then processes the data. This situation would be not a finding. Finding example: The application allows upload of data. The data file is sent directly to an execution module for processing. This example could include a .doc file that is sent directly to MS Word for processing. Using this example, if there was a process in place to ensure that the document was digitally signed and validated to be a DoD approved PKI certificate before processing, this would be not a finding.

Fix: F-17121r1_fix

Verify mobile code before executing.

b
The designer will ensure uncategorized or emerging mobile code is not used in applications.
Medium - V-6162 - SV-6162r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3730
Vuln IDs
  • V-6162
Rule IDs
  • SV-6162r1_rule
Mobile code does not require any traditional software acceptance testing or security validation. Mobile code needs to follow sound policy to maintain a reasonable level of trust. Mobile code that does not fall into existing policy cannot be trusted.System AdministratorSystems ProgrammerDCMC-1
Checks: C-3040r1_chk

Ask the application representative for design documentation and examine the documentation to determine if additional mobile code types are being used that have not been defined in the mobile code policy. By definition, mobile code is software obtained from remote systems outside the enclave boundary, transferred across a network, and then downloaded and executed on a local system without explicit installation or execution by the recipient. In order to determine if an emerging technology is covered by the current policy, excerpts of the DoD Mobile Code Policy dated 23 October 2006, and policy memorandum are included so the reviewer knows what types of technologies are included, which he or she must know to determine what is outside the scope of the policy. The memorandum containing the Mobile Code Technologies Risk Category List is available here: https://powhatan.iiie.disa.mil/mcp/mobile-code-memo-2011Mar14.pdf Items covered by the policy include: • ActiveX • Windows Scripting Host when used as mobile code • Unix Shell Scripts when used as mobile code • DOS batch scripts when used as mobile code • Java applets and other Java mobile code • Visual Basic for Applications (VBA) • LotusScript • PerfectScript • Postscript • JavaScript (including Jscript and ECMAScript variants) • VBScript • Portable Document Format (PDF) • Shockwave/Flash • Rich Internet Applications Currently the following are not designated as mobile code by the policy: • XML • SMIL • QuickTime • VRML (exclusive of any associated Java applets or JavaScript scripts) The following are outside the scope of the DoD Mobile Code Policy: • Scripts and applets embedded in or linked to web pages and executed in the context of the web server. Examples of this are Java servlets, Java Server pages, CGI, Active Server Pages, CFML, PHP, SSI, server-side JavaScript, server-side LotusScript. • Local programs and command scripts • Distributed object-oriented programming systems (e.g., CORBA, DCOM). • Software patches, updates, including self-extracting updates - software updates that must be invoked explicitly by the user are outside the mobile code policy. Examples of technologies in this area include: Netscape SmartUpdate, Microsoft Windows Update, Netscape web browser plug-ins and Linux. If other types of mobile code technologies are present that are not covered by the policy, a written waiver must be granted by the CIO (allowing use of emerging mobile code technology). Also uncategorized mobile code must be submitted for approval. 1) If the application representative is unable to present the written waiver granted by the CIO, it is finding. 2) If the application representative provides acceptable written waiver granted by the CIO, it is not a finding.

Fix: F-4470r1_fix

Remove uncategorized mobile code.

b
The Designer will ensure the application removes temporary storage of files and cookies when the application is terminated.
Medium - V-6163 - SV-6163r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3100
Vuln IDs
  • V-6163
Rule IDs
  • SV-6163r1_rule
If the application does not remove temporary data (e.g., authentication data, temporary files containing sensitive data, etc.) this temporary data could be used to re-authenticate the user or allow unauthorized access to sensitive data.System AdministratorECRC-1
Checks: C-3046r1_chk

Check application to ensure that memory is being released. Also ensure database connections are closed, if applicable. Ask the application representative to demonstrate memory and database connections are released when the application is terminated. 1) If memory is not released and the application is not using garbage collection process for memory (e.g., Java Applications), this is a finding. 2) If the application creates new database connections on entry to the application and does not release them on exit of the application, this is a finding. Ask the application representative to access the application, perform selected actions, and exit the application. Ask the application representative to search for files recently created. For a Windows System: Use Windows Explorer to search for all files (*.*) created today, and then examine the times to narrow the scope of the files to examine. For a Unix System: Enter: # touch -t 200301211020 /tmp/testdatefile The -t flag represents the time option. The time format to be used with -t is {[CC]YYMMDDhhmm[ss]} where the century [CC] and the seconds [ss] are optional fields. The resulting file is: -rw-r--r-- 1 root root 0 Jan 21 10:20 /tmp/testdatefile Enter a second command: # find / -newer /tmp/testdatefile --> This will produce all files on the system with a date later than that of 'testdatefile'. # find ./* -newer /tmp/testdatefile --> This will produce all files, recursively, in the current directory with a date later than that of 'testdatefile'. 3) If this list includes temporary files that are not being deleted by the application, this is a finding.

Fix: F-16992r1_fix

Configure or redesign the application to remove all temporary files before the application exits.

c
The designer will ensure the application validates all input.
High - V-6164 - SV-6164r1_rule
RMF Control
Severity
High
CCI
Version
APP3510
Vuln IDs
  • V-6164
Rule IDs
  • SV-6164r1_rule
Absence of input validation opens an application to improper manipulation of data. The lack of input validation can lead immediate access of application, denial of service, and corruption of data. System AdministratorDCSQ-1
Checks: C-3729r1_chk

Ask the application representative for the test plans for the application. Examine the test plan to determine if testing was performed for invalid input. Invalid input includes presence of scripting tags within text fields, query string manipulation, and invalid data types and sizes. If the test plans indicate these types of tests were performed, only a small sampling of testing is required. If the test plans do not exist or do not indicate that these types of tests were performed, more detailed testing is required. Testing should include logging on to the application and entering invalid data. If there are various user types defined within the system, this test should be repeated for all user types. Test the application for invalid sizes and types. Test input fields on all pages/screens of the application. Try to exceed buffer limits on the input fields. Try to put wrong types of data in the input fields. For example, put character data in a numeric field. 1) If an unauthenticated user can enter invalid input to bypass access control mechanisms, this is a CAT I finding. 2) If an authenticated user can enter invalid input to gain elevated access, this is a CAT I finding. 3) If the application requires the entry of IP addresses is not capable of handling IPv6 formats that are 128 bits long, this is a CAT II finding. 4) If the application is not capable of handling IPv6 formats and accepts characters that are of hexadecimal notation including colons, this is a CAT II finding.

Fix: F-4472r1_fix

Modify the application to validate all input.

c
The designer will ensure the application does not have buffer overflows, use functions known to be vulnerable to buffer overflows, and does not use signed values for memory allocation where permitted by the programming language.
High - V-6165 - SV-6165r2_rule
RMF Control
Severity
High
CCI
Version
APP3590
Vuln IDs
  • V-6165
Rule IDs
  • SV-6165r2_rule
Buffer overflow attacks occur when improperly validated input is passed to an application overwriting of memory. Usually, buffer overflow errors stop execution of the application causing a minimum of denial of service and possibly a system call to a command shell giving the attacker access to the underlying operating system.System AdministratorDCSQ-1
Checks: C-3049r3_chk

Ask the application representative for code review or scan results from the entire application. This can be provided as results from an automated code review or a vulnerability scanning tool. See section 5.4 of the Application Security and Development STIG for additional details on code review and tools. If the results are provided from a manual code review, the results will need to describe how buffer overflow vulnerabilities and functions vulnerable to buffer overflows are identified during code reviews. 1) If scan results are provided and buffer overflow vulnerabilities have been identified in the report, this is a finding. 2) If scan results are provided but do not include the scan configuration settings which show that the application was tested for buffer overflows, this is a finding. 3) If manual test results are provided and the report does not confirm the lack of buffer overflows and also describe how buffer overflows and functions vulnerable to buffer overflows are identified during the code review, this is a finding. *Note: For IPV6 capable applications, check existing libraries to ensure they are capable of processing the increased size of IPv6 addresses to avoid buffer overflows.

Fix: F-17110r1_fix

Modify the application to protect against buffer overflows vulnerabilities.

b
The designer will ensure the application is not subject to error handling vulnerabilities.
Medium - V-6166 - SV-6166r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3120
Vuln IDs
  • V-6166
Rule IDs
  • SV-6166r1_rule
Unhandled exceptions leaves users with no means to properly respond to errors. Mishandled exceptions can transmit information that can be used in future security breaches. Properly handled errors allow applications to follow security procedures and guidelines in an informed manner. If too much information is revealed in the error message, it can be used as the basis for an attack.System AdministratorDCSQ-1
Checks: C-3042r1_chk

Use the error messages generated from APP3510 as input into this check. Ensure that the application provides error handling processes. The application code should not rely on internal system generated error handling. 1) If the errors are not being handled by the application, and are being processed by the underlying internal system, this is a CAT III finding. Inspect the verbiage of the message. Ensure that the application does not provide information that can be used by an attacker. 2) If any of the following types of errors are displayed, this is a CAT II finding. Error messages should not include variable names, variable types, SQL strings, or source code. Errors that contain field names from the screen and a description of what should be in the field should not be considered a finding.

Fix: F-16994r1_fix

Add code to properly handle or trap errors.

b
The designer will ensure application initialization, shutdown, and aborts are designed to keep the application in a secure state.
Medium - V-6167 - SV-6167r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3140
Vuln IDs
  • V-6167
Rule IDs
  • SV-6167r1_rule
An application could be compromised, providing an attack vector into the enclave if application initialization, shutdown, and aborts are not designed to keep the application in a secure state. If an application fails without closing or shutting down processes or open sessions; authentication and validation mechanisms are in doubt. Responsible application development practices must be applied to ensure the failed application is handled gracefully to prevent creation of security risks. System AdministratorDCSS-2
Checks: C-3043r1_chk

The design of the application should account for the following: 1) Connections to databases are left open 2) Access control mechanisms are disabled. 3) Data left in temporary locations. Testing application failure will require taking down parts of the application. Examine application test plans and procedures to determine if this type of failure was tested. If test plans exist, validate the tests by performing a subset of the checks. If test plans do not exist, an application failure must be simulated. Simulate a failure. This can be accomplished by stopping the web server service and/or the database service. Also, for applications using web services, stop the web service and/or the database. Check to ensure that application data is still protected. Some examples of tests follow. Try to submit SQL queries to the database. Ensure that the database requires authentication before returning data. Try to read the application source files; access should not be granted to these files because the application is not operating. Try to open database files; data should not be available because the application is not operational. 1) If any of these tests fail, it is a finding.

Fix: F-16996r1_fix

Fix any vulnerabilities found when the application is an insecure state (initialization, shutdown and aborts).

b
The designer will ensure applications requiring server authentication are PK-enabled.
Medium - V-6168 - SV-6168r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3300
Vuln IDs
  • V-6168
Rule IDs
  • SV-6168r1_rule
Applications not using PKI are at risk of containing many password vulnerabilities. PKI is the preferred method of authentication. System AdministratorIATS-1, IATS-2
Checks: C-2944r1_chk

Ask the application SA or developer if the application enables clients to authenticate to the server or the application it is communicating with. The most common example of this type of authentication is when a client validates a server’s PKI certificate when initiating an SSL or IPSEC connection. 1) If the SA or developer answers that this capability is not present, this is a finding. If the SA or developer states that the capability is present, validate this by logging on to each component that supports authentication of servers. For web applications, note cases in which the client browser issues a warning that the server’s certificate is not valid. Reasons include: • A trusted certificate authority did not issue the certificate • The certificate has expired • The name of the certificate does not match the URL of the page you are trying to view The client application should provide a function to allow or disallow the server access to the client application. The server must be setup with a certificate for identification. Determine if the application checks for server authentication before allowing the user to continue. The server’s certificate should be checked by the user’s web browser or client application. 2) If there is no server certificate or the client application does not validate the server certificate, it is a finding.

Fix: F-17019r1_fix

Enable the application to use PKI for authentication.

b
The Program Manager and Designer will ensure the use of new IPs, data services, and associated ports used by the application are submitted to the appropriate approving authority for that organization, which in turn are submitted through the DoD Ports, Protocols, and Services Management (DoD PPSM).
Medium - V-6169 - SV-6169r2_rule
RMF Control
Severity
Medium
CCI
Version
APP2100
Vuln IDs
  • V-6169
Rule IDs
  • SV-6169r2_rule
Failure to comply with DoD Ports, Protocols, and Services (PPS) Vulnerability Analysis and associated PPS mitigations may result in compromise of enclave boundary protections and/or functionality of the application.System AdministratorDCPP-1
Checks: C-2964r1_chk

All application ports, protocols, and services needed for application operation need to be in compliance with the DoD Ports and Protocols guidance. Check (http://iase.disa.mil/ports/index.html) to ensure the ports, protocols, and services are in compliance with the PPS CAL. Check all necessary ports and protocols needed for application operation (only those accessed from outside the local enclave) are checked against the DoD Ports and Protocols guidance to ensure compliance. Identify the ports needed for the application: • Look at System Security Plan/Accreditation documentation • Ask System Administrator • Go to Network Administrator Retina Scanner • Go to Network Reviewer • If a network scan is available, use it • Use netstat/task manager • Check /etc/services 1) If the application is not in compliance with DoD Ports and Protocols guidance, it is a finding.

Fix: F-4481r1_fix

Ensure your Accreditation documentation lists all interfaces and the ports, protocols, and services used. Ensure that all ports, protocols, and services are used in accordance with the DoD PPSM.

a
The Program Manager and designer will ensure any IA, or IA enabled, products used by the application are NIAP approved or in the NIAP approval process.
Low - V-6170 - SV-6170r1_rule
RMF Control
Severity
Low
CCI
Version
APP2070
Vuln IDs
  • V-6170
Rule IDs
  • SV-6170r1_rule
IA or IA enabled products that have not been evaluated by NIAP may degrade the security posture of the enclave, if they do not operate as expected, be configured incorrectly, or have hidden security flaws. System AdministratorDCAS-1
Checks: C-2963r1_chk

List all IA or IA enabled products that are part of the application. Such products must be satisfactorily evaluated and validated either prior to purchase or as a condition of purchase; i.e., vendors will warrant, in their responses to a solicitation and as a condition of the contract, that the vendor's products will be satisfactorily validated within a period of time specified in the solicitation and the contract. Purchase contracts shall specify that product validation will be maintained for updated versions or modifications by subsequent evaluation or through participation in the National IA Partnership (NIAP) / Common Criteria Evaluated Products. 1) If the products have not been evaluated or are in the process of being evaluated, it is a finding. According to NSTISSP 11, an IA enabled product is a product or technology whose primary role is not security, but which provides security services as an associated feature of its intended operating capabilities. To meet the intent of NSTISSP 11, acquired IA enabled products must be evaluated if the IA features are going to be used to perform one of following security services: availability, integrity, confidentiality, authentication, or non-repudiation. Therefore, the determination of whether an IA enabled product must be evaluated will be dependent upon how that particular product will be used within the consumer's system architecture. Examples of such products include security enabled web browsers, screening routers, and security enabled messaging systems. Although NSTISSP 11 uses both terms, the policy as stated applies equally to both types of products. A list of certified products is available on the common criteria website: http://www.commoncriteriaportal.org/products.html Below are definitions of IA and IA enabled products from DoD Instruction 8500.2. IA Product - Product or technology whose primary purpose is to provide security services e.g., confidentiality, authentication, integrity, access control or non-repudiation of data; correct known vulnerabilities; and/or provide layered defense against various categories of non-authorized or malicious penetrations of information systems or networks. Examples include such products as data/network encryptors, firewalls, and intrusion detection devices. IA Enabled Product - Product or technology whose primary role is not security, but which provides security services as an associated feature of its intended operating capabilities. Examples include such products as security-enabled web browsers, screening routers, trusted operating systems, and security-enabled messaging systems.

Fix: F-16974r1_fix

Limit the acquisition of all IA, and IA enabled Commercial-off-the-Shelf (COTS) IT products, to products that have been evaluated or validated through The International Common Criteria (CC) for Information Security Technology Evaluation Mutual Recognition Arrangement or The NIAP Evaluation and Validation Program. IA and IA enabled COTS IT Products containing encryption capabilities are required to be evaluated and validated through The FIPS Validation Program

b
The IAO will ensure recovery procedures and technical system features exist so recovery is performed in a secure and verifiable manner. The IAO will document circumstances inhibiting a trusted recovery.
Medium - V-6171 - SV-6171r1_rule
RMF Control
Severity
Medium
CCI
Version
APP6160
Vuln IDs
  • V-6171
Rule IDs
  • SV-6171r1_rule
Without a disaster recovery plan, the application is susceptible to interruption in service due to damage within the processing site.System AdministratorCODP-1, CODP-2, CODP-3
Checks: C-3057r1_chk

Ensure that a disaster recovery plan is in place for the application. If the application is part of the site’s disaster recovery plan, ensure that the plan contains detailed instructions pertaining to the application. Ensure that recovery procedures indicate the steps needed for secure recovery. 1) If a disaster recovery plan does not exist or the application is not part of the site’s disaster recovery plan, it is a finding. Verify that the recovery procedures include any special considerations for trusted recovery. 2) If any special considerations for trusted recovery are not documented, it is a finding.

Fix: F-4483r1_fix

Create and maintain a disaster recovery plan.

b
The IAO will ensure data backup is performed at required intervals in accordance with DoD policy.
Medium - V-6172 - SV-6172r1_rule
RMF Control
Severity
Medium
CCI
Version
APP6190
Vuln IDs
  • V-6172
Rule IDs
  • SV-6172r1_rule
Without proper backups, the application is not protected from the loss of data or the operating environment in the event of hardware or software failure.System AdministratorCODB-1, CODB-2, CODB-3
Checks: C-3058r1_chk

Check the following based on the MAC level of the application. For MAC 3 applications: Validate backup procedures exist and are performed at least weekly. A sampling of system backups should be checked to ensure compliance with the control. For MAC 2 applications: Validate backup procedures exist and are performed at least daily. Validate recovery media is stored at an off-site location and ensure the data is protected in accordance with its mission assurance category and confidentiality level. This validation can be performed by examining an SLA or MOU/MOA that states the protection levels of the data and how it should be stored. A sampling of system backups should be checked to ensure compliance with the control. Verify that the organization tests backup information to ensure media reliability and information integrity. Verify that the organization selectively uses backup information in the restoration of information system functions as part of annual contingency plan testing. For MAC 1 applications: Validate that the procedures have been defined for system redundancy and they are properly implemented and are executing the procedures. Verify that the redundant system is properly separated from the primary system (i.e., located in a different building or in a different city). This validation should be performed by examining the secondary system and ensuring its operation. Examine the SLA or MOU/MOA to ensure redundant capability is addressed. Finding details should indicate the type of validation performed. Examine the mirror capability testing procedures and results to insure the capability is properly tested at 6 month minimum intervals. 1) If any of the requirements above for the MAC level of the application are not met, it is a finding.

Fix: F-4484r1_fix

Develop and implement backup procedures.

b
The IAO will ensure application audit trails are retained for at least 1 year for applications without SAMI data, and 5 years for applications including SAMI data.
Medium - V-6173 - SV-6173r1_rule
RMF Control
Severity
Medium
CCI
Version
APP6140
Vuln IDs
  • V-6173
Rule IDs
  • SV-6173r1_rule
Log files are a requirement to trace intruder activity or to audit user activity.System AdministratorECRR-1
Checks: C-3059r1_chk

Ensure a process is in place to retain application audit log files for one year and five years for SAMI data. 1) If audit logs have not been retained for one year or five years for SAMI data, this is a finding.

Fix: F-4485r1_fix

Retain application audit log files for one year and five years for SAMI data.

b
The IAO will ensure production database exports have database administration credentials and sensitive data removed before releasing the export.
Medium - V-6174 - SV-6174r2_rule
RMF Control
Severity
Medium
CCI
Version
APP6100
Vuln IDs
  • V-6174
Rule IDs
  • SV-6174r2_rule
Production database exports are often used to populate development databases. Test and development environments do not typically have the same rigid security protections that production environments do. When production data is used in test and development, the production database exports will need to be scrubbed to prevent information like passwords and other sensitive data from becoming available to development and test staff who may not have a need to know. Sensitive data should not be included in database exports because of classification, privacy, and other types of data protection requirement issues. Not all application developers have a need to know sensitive information such as HIPAA data, Privacy Act Data, production admin passwords or classified data.System AdministratorECAN-1
Checks: C-3060r2_chk

Ask if any database exports from this database are imported to development databases. If no database exports exist, this check is not applicable. If there are such exports, ask if policy and procedures are in place to require the modification of the production database account passwords after import into the development database. 1) If there are no policy and procedures in place to modify production database account passwords, it is a finding. If there are such exports, ask if the production database includes sensitive data identified by the data owner as sensitive such as passwords, financial, personnel, personal, HIPAA, Privacy Act, or classified data is included. 2) If any database exports include sensitive data and it is not modified or removed prior to or after import to the development database, it is a finding. 3) If there are no policy and procedures in place to modify production database account passwords, it is a finding. If there are such exports, ask if the production database includes sensitive data identified by the data owner as sensitive such as financial, personnel, personal, HIPAA, Privacy Act, or classified data is included. 4) If any database exports include sensitive data, and it is not modified or removed prior to or after import to the development database, it is a finding.

Fix: F-4642r2_fix

Remove sensitive data from production database exports.

b
The Program Manager will ensure a System Security Plan (SSP) is established to describe the technical, administrative, and procedural IA program and policies governing the DoD information system, and identifying all IA personnel and specific IA requirements and objectives.
Medium - V-6197 - SV-6197r2_rule
RMF Control
Severity
Medium
CCI
Version
APP2010
Vuln IDs
  • V-6197
Rule IDs
  • SV-6197r2_rule
If the DAA, IAM, or IAO are not performing assigned functions in accordance with DoD requirements, it could impact the overall security of the facility, personnel, systems, and data, which could lead to degraded security. If the DAA and the IAM/IAO are not appointed in writing, there will be no way to ensure they understand the responsibilities of the position and the appointment criteria. The lack of a complete System Security Plan (SSP) could lead to ineffective secure operations and impede accreditation. A System Identification Profile (SIP) and the DIACAP Implementation Plan (DIP) may be considered as sufficient proof of compliance as long as the documentation provides all of the information that is needed to meet the requirement.Information Assurance ManagerDCSD-1
Checks: C-3061r1_chk

The Program Manager will ensure all appointments to required IA roles are established in writing to include assigned duties and appointment criteria, such as training, security clearance, and IT designation. The IAO will ensure all appointments to required IA roles are established in writing to include assigned duties and appointment criteria such as training, security clearance, and IT designation. Interview the application representative and validate that the required IA roles are established in writing. These roles are DAA and the IAM/IAO. This written notification must include assigned duties and appointment criteria such as training, security clearance, and IT-designation. If a traditional review is conducted at the same time as the application review, this check is not applicable. Also validate a SSP exists and describes the technical, administrative, and procedural IA program and policies that govern the DoD information system, and identifies all IA personnel and specific IA requirements and objectives (e.g., requirements for data handling or dissemination, system redundancy and backup, or emergency response). 1) If the SSP does not exist or is incomplete, it is a finding. 2) If the IA Roles and assigned duties and appointment criteria are not made in writing, it is a finding. Ask site personnel which IAO or IAM for the systems/application is part of the application review. 3) If the IAO or IAM is unknown, or not assigned, this is a finding.

Fix: F-5232r1_fix

Establish the required IA roles in writing. The directive must include assigned duties and appointment criteria such as training, security clearance, and IT-designation. Prepare a SSP that describes the technical, administrative, and procedural IA program and policies that govern the DoD information system, and identifies all IA personnel and specific IA requirements and objectives (e.g., requirements for data handling or dissemination, system redundancy and backup, or emergency response).

b
The Program Manager and IAO will ensure development systems, build systems, test systems, and all components comply with all appropriate DoD STIGs, NSA guides, and all applicable DoD policies. The Test Manager will ensure both client and server machines are STIG compliant.
Medium - V-6198 - SV-6198r1_rule
RMF Control
Severity
Medium
CCI
Version
APP2160
Vuln IDs
  • V-6198
Rule IDs
  • SV-6198r1_rule
Applications developed on a non STIG compliant platform may not function when deployed to a STIG compliant platform, and therefore cause a potential denial of service to the users and the application, or require lessening security requirements on the client side of the application. System AdministratorDCCS-1, DCCS-2, ECSC-1
Checks: C-2962r1_chk

The application and the application client (e.g., web browser, C++ application, etc.) must be designed to work on a STIG compliant platform. Vulnerabilities are discovered frequently and security updates must be applied constantly and may not be reflected in the latest baseline of a secure image of the operating system. Any finding required to make the application client operate correctly will be documented in this check. Conduct a review of the application and the application client platform using the SRR process or utilize an up to date application/client platform SRR if available. Ensure the application client platform was included in the overall application SRR review. Ensure the SRR was completed after the most recent system updates or changes. If the client is Windows based and the application uses either a browser interface or an MS Office Product, a Desktop Application review must also be conducted. 1) If the review of the application client platform produces findings indicating that the application client will not operate correctly in a STIG compliant environment, it is a finding. Ensure the application review includes test and build systems. All deployment, development, as well as test and build systems should be included in the application review to ensure the applicable DoD approved or other acceptable security configuration documents have been applied. 2) If the application review does not include all deployment, development, as well as test and build systems, it is a finding.

Fix: F-16983r1_fix

Configure application client, application development, as well as test and build systems using the approved DoD security guidance (e.g., DoD STIGs, NSA Guides, etc.)

b
The designer will create and update the Design Document for each release of the application.
Medium - V-7013 - SV-7372r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3010
Vuln IDs
  • V-7013
Rule IDs
  • SV-7372r1_rule
The detailed functional architecture must be documented to ensure all risks are assessed and mitigated to the maximum extent practical. Failure to do so may result in unexposed risk, and failure to mitigate the risk leading to failure or compromise of the system.System AdministratorDCFA-1
Checks: C-3655r1_chk

Ask the application representative for the design document for the application. Review the design document. If the application is a COTS/GOTS product or is composed of only COTS/GOTS products with no custom code, this check does not apply unless the application is being reviewed by or in conjunction with the COTS/GOTS vendor in which case this check is applicable. Examine the design document and/or the threat model for the application and verify the following information is documented: ­- All external interfaces. ­- The nature of information being exchanged. ­- Any protections on the external interface. ­- User roles required for access control and the access privileges assigned to each role. ­- Unique security requirements (e.g., encryption of key data elements at rest). ­- Categories of sensitive information processed by the application, and their specific protection plans (e.g., PII, HIPAA). ­- Restoration priority of subsystems, processes, or information. ­- Verify the organization includes documentation describing the design and implementation details of the security controls employed within the information system with sufficient detail. 1) If the design document is incomplete, it is a finding.

Fix: F-16985r1_fix

Create and maintain the Design Document for each release of the application and identify the following: ­- All external interfaces (from the threat model) ­- The nature of information being exchanged ­- Categories of sensitive information processed or stored and their specific protection plans ­- The protection mechanisms associated with each interface ­- User roles required for access control ­- Access privileges assigned to each role ­- Unique application security requirements ­- Categories of sensitive information processed or stored and specific protection plans (e.g., Privacy Act, HIPAA, etc.) ­- Restoration priority of subsystems, processes, or information.

b
The Program Manager will provide an Application Configuration Guide to the application hosting providers to include a list of all potential hosting enclaves and connection rules and requirements.
Medium - V-16773 - SV-17773r1_rule
RMF Control
Severity
Medium
CCI
Version
APP2020
Vuln IDs
  • V-16773
Rule IDs
  • SV-17773r1_rule
The security posture of the enclave could be degraded if an Application Configuration Guide is not available and followed by application developers. System AdministratorDCID-1, EBCR-1
Checks: C-17749r1_chk

Detailed policy requirements: The Program Manager will provide an Application Configuration Guide to the application hosting providers. The Program Manager will provide a list of all potential hosting enclaves and connection rules and requirements. The Program Manager will ensure development systems, build systems, and test systems have a standardized environment and are documented in the Application Configuration Guide. The Designer will ensure known security assumptions, implications, system level protections, best practices, and required permissions are documented in the Application Configuration Guide. The Designer will ensure deployment configuration settings are documented in the Application Configuration Guide. The IAO will ensure the application is deployed in a manner consistent with the Application Configuration Guide provided by the developers. The Application Configuration Guide is any document or collection of documents used to configure the application. These documents may be part of a user guide, secure configuration guide, or any guidance that satisfies the requirements below: The Application Configuration Guide must be made available to application hosting providers. The Application Configuration Guide will contain a list of all potential hosting enclaves and connection rules and requirements. Development systems, build systems, and test systems must operate in a standardized environment. These settings are to be documented in the Application Configuration Guide. Examples include: • Versions of compilers used • Build options when creating applications and components • Versions of COTS software (used as part of the application) • For web applications, which browsers and what versions are supported All known security assumptions, implications, system level protections, best practices, and required permissions are documented in the Application Configuration Guide. All deployment configuration settings are documented in the Application Configuration Guide. Examples include: • Encryptions Settings • PKI Certificate Configuration Settings • Password Settings All deployment configuration settings from the Application Configuration Guide should be implemented. Ask the application representative for Application Configuration Guide or other guidance where these requirements are documented. Verify the configuration settings have been implemented. 1) If any of the above information is missing, or the Application Configuration Guide does not exist, it is a finding. 2) If the settings in the Application Configuration Guide are not implemented, it is a finding.

Fix: F-16969r1_fix

Create and maintain an Application Configuration Guide and provide it to the application hosting facility.

b
The Program Manager will ensure the system has been assigned specific MAC and confidentiality levels.
Medium - V-16775 - SV-17775r1_rule
RMF Control
Severity
Medium
CCI
Version
APP2050
Vuln IDs
  • V-16775
Rule IDs
  • SV-17775r1_rule
The site security posture and mission completion could be adversely affected if site managed applications and data are not properly assigned with the MAC and confidentiality levels.System AdministratorDCSD-1
Checks: C-17751r1_chk

Interview the application representative to determine if the system documentation has identified the Mission Assurance Category (MAC) and confidentiality levels of the application. 1) If no system documentation exists that identifies the MAC and confidentiality levels, it is a finding.

Fix: F-16972r1_fix

Document the Mission Assurance Category (MAC) and confidentiality levels of the application.

b
The Program Manager will ensure the development team follows a set of coding standards.
Medium - V-16776 - SV-17776r1_rule
RMF Control
Severity
Medium
CCI
Version
APP2060
Vuln IDs
  • V-16776
Rule IDs
  • SV-17776r1_rule
Implementing coding standards provides many benefits to the development process. These benefits include readability, consistency, and ease of integration. Code conforming to a standard format is easier to read, especially if someone other than the original developer is examining the code. In addition, formatted code can be debugged and corrected faster than unformatted code. Introducing coding standards can help increase the consistency, reliability, and security of the application by ensuring common programming structures and tasks are handled by similar methods, as well as, reducing the occurrence of common logic errors. Coding standards also allow developers to quickly adapt to code which has been developed by various members of a development team. Coding standards are useful in the code review process as well as in situations where a team member leaves and duties must then be assigned to another team member. Coding standards often cover the use of white space characters, variable naming conventions, function naming conventions, and comment styles. Information Assurance ManagerDCSQ-1
Checks: C-17752r1_chk

The Program Manager will ensure the development team follows a set of coding standards. The Program Manager will ensure the development team creates a list of unsafe functions to avoid and document this list in the coding standards. The Designer will follow the established coding standards established for the project. The Designer will not use unsafe functions documented in the project coding standards. If the application is a COTS/GOTS product or is composed of only COTS/GOTS products with no custom code, this check does not apply unless the application is being reviewed by or in conjunction with the COTS/GOTS vendor in which case this check is applicable. Interview the application representative to determine if a documented set of coding standards exists. Ask the application representative to demonstrate coding standards are being followed by reviewing a sample of code. Also, check the coding standards for a list of unsafe functions or section documenting there are no unsafe functions. 1) If no coding standards exist at an organizational or project level, it is a finding. 2) If documented coding standards are not being followed, it is a finding. 3) If there is no documented list of unsafe functions, or the coding standards do not document that there are no unsafe functions (for that particular language), it is a finding.

Fix: F-16973r1_fix

Adopt and document coding standards.

b
The Program Manager will ensure COTS IA and IA enabled products, comply with NIAP/NSA endorsed protection profiles.
Medium - V-16777 - SV-17777r1_rule
RMF Control
Severity
Medium
CCI
Version
APP2080
Vuln IDs
  • V-16777
Rule IDs
  • SV-17777r1_rule
The security posture of the enclave could be compromised if applications are not at the approved NIAP/NSA protection profile. GOTS, or COTS IA and IA enabled IT products, must be in compliance with NIAP/NSA protection profiles in order to protect classified information when the information transits networks which are at a lower classification level than the information being transported.System AdministratorDCSR-1, DCSR-2, DCSR-3
Checks: C-17754r1_chk

The Program Manager will ensure COTS IA, and IA enabled products, are used to protect sensitive information when the information transits non DoD owned networks, or the system handling the information is accessible by individuals who are not authorized to access the information on the system, comply with NIAP/NSA approved protection profiles. The Program Manager will ensure COTS IA, and IA enabled products, are used to protect classified information when the information transits networks, which are at a lower classification level than the information being transported, comply with NIAP/NSA approved protection profiles. Interview the application representative and determine the IA, and IA enabled COTS products, used in the application. Also, review the confidentiality level for the application. Public releasable data requires a NIAP/NSA approved protection profile for IA, and IA enabled, COTS products. Sensitive data requires a NIAP/NSA approved protection profile for IA, and IA enabled, COTS products. Classified information, when the information transits networks which are at a lower classification level than the information being transported, requires NIAP/NSA approved protection profiles for IA, and IA enabled, COTS products. The accreditation documentation should list the products that are used. A list of validated products and protection profiles is available on the common criteria website: http://www.niap-ccevs.org/cc-scheme/pp/index.cfm 1) Compare that list against the approved products. If any of the third party products are not listed or are below the NIAP/NSA approved protection profiles required by the application, it is a finding.

Fix: F-16975r1_fix

Use products with suitable NIAP/NSA protection profiles.

b
The Program Manager will document and obtain DAA risk acceptance for all public domain, shareware, freeware, and other software products/libraries with both (1) no source code to review, repair, and extend, and (2) limited or no warranty, when such products are required for mission accomplishment.
Medium - V-16778 - SV-17778r1_rule
RMF Control
Severity
Medium
CCI
Version
APP2090
Vuln IDs
  • V-16778
Rule IDs
  • SV-17778r1_rule
The security posture of the enclave could be compromised if untested or unwarranted software is used due to the risk of software failure, hidden vulnerabilities, or other malware embedded in the application. The Program Manager and IAO must get DAA approval prior to using this type of software for risk acceptance. Public domain software is shareware. There cannot be any assurance the products integrity or security mechanisms exist without conducting a code review or vulnerability analysis. Failure to properly authorize shareware, before it is installed or used, on corporate AISs could result in the compromise of sensitive corporate resources.System AdministratorDCPD-1
Checks: C-17755r1_chk

Policy: The Program Manager will obtain DAA approval for all open source, public domain, shareware, freeware, and other software products/libraries with limited or no warranty but are required for mission accomplishment. The designer will document all open source, public domain, shareware, freeware, and other software products/libraries that have limited or no warranty, but which are required for mission accomplishment. Software products and libraries with limited or no warranty will not be used in DoD information systems unless they are necessary for mission accomplishment, and there are no alternative IT solutions available. If these products are required, they must be assessed for information assurance impacts, and must be approved for use by the DAA. Review the DoD policy regarding Open Source Software products: http://www.defenselink.mil/cio-nii/docs/OpenSourceInDoD.pdf Open Source Software: Copyrighted software distributed under a license that provides everyone the right to use, modify, and redistribute the source code of software. Public Domain Software: Software not protected by any copyright laws providing the right to use, modify, and redistribute without permission or payment to the author. Shareware: Copyrighted software distributed under a license that provides a trial right to use and redistribute the binaries. For continued usage, users are required to pay a fee. Freeware: Copyrighted software distributed under a license that provides a right to use and redistribute the binaries. Unlike shareware, there is no charge for continued use. Commercial Software: Copyrighted software sold for profit by businesses, also referred to as COTS software. 1) If software products (e.g., Open Source Software, Public Domain Software, Shareware and Freeware) and libraries with limited or no warranty are used in DoD information systems except when they are necessary for mission accomplishment and there are no alternative IT solutions available, it is a finding.

Fix: F-16976r1_fix

Document and obtain the DAA's acknowledgment and acceptance of risk and approval for all binary or machine executable public domain software products such as freeware/shareware and other software products with no warranty and no source code review capability. Implement policy and procedures to ensure the organization is in compliance with software licensing agreements. Implement policy and procedures to ensure the organization is in compliance with software usage restrictions.

b
The Program Manager and designer will ensure the application is registered with the DoD Ports and Protocols Database.
Medium - V-16779 - SV-17779r1_rule
RMF Control
Severity
Medium
CCI
Version
APP2110
Vuln IDs
  • V-16779
Rule IDs
  • SV-17779r1_rule
Failure to register the applications usage of ports, protocols, and services with the DoD PPS Database may result in a Denial of Service (DoS) because of enclave boundary protections at other end points within the network.System AdministratorDCPP-1
Checks: C-17756r1_chk

Verify registration of the application and ports in the Ports and Protocols Database for a production site. 1) If the application requires registration, and is not registered or all ports used have not been identified in the database this is a finding.

Fix: F-16978r1_fix

Register the application and ports in the Ports and Protocols Database.

b
The Program Manager will ensure all levels of program management, designers, developers, and testers receive the appropriate security training pertaining to their job function.
Medium - V-16780 - SV-17780r1_rule
RMF Control
Severity
Medium
CCI
Version
APP2120
Vuln IDs
  • V-16780
Rule IDs
  • SV-17780r1_rule
Well trained IT personnel are the first line of defense against attacks or disruptions to the information system. Lack of sufficient training can lead to security oversights thereby, leading to compromise or failure to take necessary actions to prevent disruptions to operations.Information Assurance OfficerPRTN-1
Checks: C-17757r1_chk

Detailed Policy requirements: The Program Manager will ensure all levels of program management receive security training regarding the necessity, impact, and benefits of integrating secure development practices into the development lifecycle. The Program Manager will ensure designers are provided training on secure design principles for the entire SDLC and newly discovered vulnerability types on, at least, an annual basis. The Program Manager will ensure developers are provided with training on secure design and coding practices on, at least, an annual basis. The Program Manager will ensure testers are provided training on at least an annual basis. If the application is a COTS/GOTS product or is composed of only COTS/GOTS products with no custom code, this check does not apply unless the application is being reviewed by or in conjunction with the COTS/GOTS vendor in which case this check is applicable. Interview the application representative and ask for evidence of security training for application managers, designers, developers, and testers. Examples of evidence include course completion certificates and a class roster. At a minimum, security training should include Security Awareness Training. 1) If there is no evidence of security training, it is a finding.

Fix: F-16977r1_fix

Provide security training for managers, designers, developers, and testers.

b
The Program Manager will ensure a vulnerability management process is in place to include ensuring a mechanism is in place to notify users, and users are provided with a means of obtaining security updates for the application.
Medium - V-16781 - SV-17781r1_rule
RMF Control
Severity
Medium
CCI
Version
APP2130
Vuln IDs
  • V-16781
Rule IDs
  • SV-17781r1_rule
If there is no mechanism (e.g., e-mail list, patch server) to provide updates for an application that is already deployed, security flaws can never be addressed. Also, if there is no comprehensive vulnerability management process or policy for the systematic identification and mitigation of software vulnerabilities, security vulnerabilities may go unnoticed, unreported, or unmitigated. Information Assurance OfficerDCCT-1, VIVM-1
Checks: C-17873r1_chk

The Program Manager will: - Ensure users are provided with a means of obtaining updates for the application. - Ensure a mechanism is in place to notify users of security flaws, and to provide users with the availability of patches. - Ensure a comprehensive vulnerability management process, including systematic identification and mitigation of software vulnerabilities, is in place. Interview the application representative to determine if users are provided with a means of obtaining updates for the application. 1) If users are not provided with a means of obtaining updates for the application, it is a finding. 2) If updates are transmitted over a LAN, and is not IPv6 capable, it is a finding. Interview the application representative to determine if users are provided a mechanism to be notified of security flaws and the availability of patches. 3) If users are not provided security flaw and patch notifications for the application, it is a finding. 4) If security flaws and patch notifications are transmitted over a LAN, and is not IPv6 capable, it is a finding. Interview the application representative and determine if a vulnerability management process exists. 5) If no vulnerability management process or policy exists, it is a finding. Interview the application representative to determine maintenance is available for production applications. 6) If maintenance is not available for an application, it is a finding.

Fix: F-16979r1_fix

Provide a distribution mechanism for obtaining updates to the application.

b
The Program Manager will ensure a security incident response process for the application is established that defines reportable incidents and outlines a standard operating procedure for incident response to include Information Operations Condition (INFOCON).
Medium - V-16782 - SV-17782r1_rule
RMF Control
Severity
Medium
CCI
Version
APP2140
Vuln IDs
  • V-16782
Rule IDs
  • SV-17782r1_rule
Without a plan, training, and assistance, users will not know what actions needs to be taken in the event of system attack or system/application compromise. This could result in additional compromise and theft, or degraded system capability.System AdministratorVIIR-1, VIIR-2
Checks: C-17758r1_chk

Verify that the organization provides or uses an incident support resource that offers advice and assistance to users of the information system for the handling and reporting of security incidents. The support resource must be an integral part of the organization’s incident response capability. This capability is addressed by the DOD CNDSP Program but participation at the organization level must be verified. Interview the application representative to determine if a security incident response process for the application is established. 1) If a security incident response process for the application is not documented, it is a finding. Interview the application representative to determine if a security incident response process contains the following: Identified CNDSP. Reportable incidents are defined. INFCON outlined in the incident response standard operating procedures. A provision exists for user training and annual refresher training. Establishment of an incident response team. Procedure for the plan to be exercised annually. 2) If a security incident response process is not adequate, it is a finding. Interview the application representative to determine if a security incident response process for the application is followed. 3) If a security incident response process for the application is not followed, it is a finding.

Fix: F-16980r1_fix

Fully participate in the DOD CNDSP Program as described in DoD Instruction 8530.2 or develop an Incident response Plan. Exercise the Incident Response Plan annually. Provide for user incident response training. Provide an incident support resource that offers advice and assistance to users for the handling and reporting of security incidents. The support resource must be an integral part of the organization's incident response capability.

b
The Program Manager will ensure procedures are implemented to assure physical handling and storage of information is in accordance with the data’s sensitivity.
Medium - V-16783 - SV-17783r1_rule
RMF Control
Severity
Medium
CCI
Version
APP2150
Vuln IDs
  • V-16783
Rule IDs
  • SV-17783r1_rule
Failure to have proper workplace security procedures can lead to the loss or compromise of classified or sensitive information.System AdministratorPESP-1
Checks: C-17759r1_chk

Determine the sensitivity of the data of the application by reviewing the confidentiality levels for which the system was designed. If a traditional review is being conducted at the same time as the application review, this check is not applicable. For sensitive data, the following security guidelines must be followed: • Verify the existence of policy and procedures to ensure the proper handling and storage of information at the site. • Verify system media (e.g., tapes, printouts, etc.) is controlled and the pickup, delivery, receipt, and transfer of system media is restricted to authorized personnel (NIST MP-5). • Verify there is a policy that addresses output handling and retention (NIST SI-12). • Verify policy that addresses output handling and retention is being followed (NIST SI-12). 1) If sensitive data security guidelines do not exist or not followed, it is a finding. For classified data, the following security guidelines must be followed: • Verify the existence of policy and procedures to ensure the proper handling and storage of information at the site. (e.g., end-of-day, security checks, unannounced security checks, and, where appropriate, the imposition of a two-person rule). • Verify the existence of a system of security checks at the close of each working day to ensure that the area is secure. • An SF 701: Activity Security Checklist, is required to record such checks. • An SF 702: Security Container Check Sheet, is requires to record the use of all vaults, secure rooms, and containers used for the storage of classified material. • Verify system media (e.g. tapes, printouts, etc.) is controlled and the pickup, delivery, receipt and transfer of system media is restricted to authorized personnel (NIST MP-5). • Verify there is a policy that addresses output handling and retention (NIST SI-12). • Verify policy that addresses output handling and retention is being followed (NIST SI-12). 2) If classified data security guidelines do not exist or are not followed, it is a finding.

Fix: F-16981r1_fix

Implement policy and procedures to ensure the proper handling and storage of information, such as end-of-day security checks, unannounced security checks, and, where appropriate, the imposition of a two-person rule within the computing facility. Establish a system of security checks at the close of each working day to ensure that the area is secure. An SF 701: Activity Security Checklist shall be used to record such checks. This form may be modified to suit the individual security (or safety) needs of the organization i.e., entries for STU-III CIK secured or coffee pot turned off. An SF 702: Security Container Check Sheet shall be used to record the use of all vaults, secure rooms, and containers used for the storage of classified material.

b
The designer will ensure the user interface services are physically or logically separated from data storage and management services.
Medium - V-16784 - SV-17784r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3070
Vuln IDs
  • V-16784
Rule IDs
  • SV-17784r1_rule
If user interface services are compromised, this may lead to the compromise of data storage and management services if they are not logically or physically separated.DCPA-1
Checks: C-17768r1_chk

Interview the application representative to determine if logical separation exists between application components within the application. Review locations of the components of the application such as web server, database server, and application server. A separate machine is not required but is recommended. Separation may be accomplished through the use of different computers, different CPUs, different instances of the operating system, different network addresses, and combinations of these methods, or other methods, as appropriate. 1) If the application components are not separated in the application, this is a finding.

Fix: F-16989r1_fix

Separate interface services from data storage and management services.

c
The designer will ensure the application supports detection and/or prevention of communication session hijacking.
High - V-16785 - SV-17785r1_rule
RMF Control
Severity
High
CCI
Version
APP3405
Vuln IDs
  • V-16785
Rule IDs
  • SV-17785r1_rule
Session tokens can be compromised by various methods. Using predictable session tokens can allow an attacker to hijack a session in progress. Session sniffing can be used to capture a valid session token or session id, and the attacker uses this session information to gain immediate unauthorized access to the server which is a loss of confidentially and potentially a loss of integrity. Also, the Man-in-the-Middle (MITM) attack can be accomplished over an TLS connection with a session in progress. Any vulnerability associated with a DoD Information system or system enclave, the exploitation of which, by a risk factor, will directly and immediately result in loss of Confidentiality, Availability or Integrity of the system associated data. System AdministratorECTM-2
Checks: C-17769r1_chk

Ask the application representative for the threat model. Review the threat model for threats regarding session hijacking. Review the threat model for common session hijacking attacks. Examples of session hijacking vulnerabilities can be obtained from the OWASP website. - Predictable session token - Session sniffing - Client-side attacks addressed in APP3580 - MITM attack - Man-in-the-browser attack 1) If the threat model documentation does not address predictable session tokens and provide details regarding the countermeasures taken within the application to mitigate this risk, or if the application representative cannot demonstrate how this risk is mitigated within the application itself, this is a CAT I finding. - Application should utilize a random method of generating session tokens so as to avoid predictable patterns or sequential numbering of session token values. Session identifiers should also utilize the largest character set available to assist randomization. - Application should expire and destroy session identifiers upon logout. - Session identifiers should never be logged. 2) If the threat model documentation does not address session sniffing and provide details regarding the countermeasures taken within the application to mitigate this risk, or if the application representative cannot demonstrate how the risk is mitigated within the application itself, this is a CAT I finding. - Application should set the secure flag when generating cookies that store or transmit session identifiers to ensure values are transmitted via SSL. If the application utilizes URLs with embedded session ids, these URLs can be forwarded in e-mails and e-mail recipients gain access to a system without authentication. Example URL with embedded session id: https://10.10.10.10:443/login.do;jsessionid=F2EE8C97B24635C9995A9D08E69D7B44 3) If URLs containing embedded session ids can be forwarded and used to gain access to the application without authentication, this is a CAT I finding. 4) If the threat model documentation does not address MITM attack, this is a CAT II finding.

Fix: F-16991r1_fix

Use TLS encryption to protect session information. Do not use predicable session tokens. Implement protection from client side attacks.

b
The designer will ensure the application installs with unnecessary functionality disabled by default.
Medium - V-16786 - SV-17786r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3110
Vuln IDs
  • V-16786
Rule IDs
  • SV-17786r1_rule
If functionality is enabled that is not required for operation of the application, this functionality may be exploited without knowledge because the functionality is not required by anyone.System AdministratorDCSD-1
Checks: C-17771r1_chk

Ask the application representative to review the installation guide to determine what functionality is installed and enabled by default on installation of the application. Examples may include the following: Functions that send information back to the vendor. E-mail functions enabled when not required for functionality. 1) If the application installs with functionality which is unnecessary and enabled by default, it is a finding.

Fix: F-16993r1_fix

Remove or disable unnecessary functionality.

c
The designer will ensure the application follows the secure failure design principle.
High - V-16787 - SV-17787r1_rule
RMF Control
Severity
High
CCI
Version
APP3130
Vuln IDs
  • V-16787
Rule IDs
  • SV-17787r1_rule
The secure design principle ensures the application follows a secure predictable path in the application code. If all possible code paths are not accounted for, the application may allow access to unauthorized users. Applications should perform checks on the validity of data, user permissions, and resource existence before performing a function. Secure failure is defined if a check fails for any reason, the application remains in a secure state. System AdministratorDCSQ-1
Checks: C-17772r1_chk

Ask the application representative for code review results from the entire application or the documented code review process. If the application is a COTS/GOTS product or is composed of only COTS/GOTS products with no custom code, this check does not apply unless the application is being reviewed by or in conjunction with the COTS/GOTS vendor in which case this check is applicable. If the results are provided from a manual code review, the application representative will need to demonstrate how secure design principle vulnerabilities are identified during code reviews. 1) If the results are not provided or the application representative cannot demonstrate how manual code reviews are performed to identify secure design principle vulnerabilities, this is a CAT I finding. 2) If code analysis tools are used to perform a code review and errors have not been fixed, this is a CAT II finding.

Fix: F-16995r1_fix

Design and code the application so the secure design principle is followed.

b
The designer will ensure the application uses encryption to implement key exchange and authenticate endpoints prior to establishing a communication channel for key exchange.
Medium - V-16788 - SV-17788r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3170
Vuln IDs
  • V-16788
Rule IDs
  • SV-17788r1_rule
If the application does not use encryption and authenticate endpoints prior to establishing a communication channel and prior to transmitting encryption keys, these keys may be intercepted, and could be used to decrypt the traffic of the current session, leading to potential loss or compromise of DoD data.System AdministratorDCNR-1
Checks: C-17773r1_chk

If the application does not implement key exchange, this check is not applicable. Identify all application or supporting infrastructure features using key exchange. Verify the application is using FIPS-140 validated cryptographic modules for encryption of key exchange algorithms. 1) If the application does not implement encryption for key exchange, it is a finding.

Fix: F-17004r1_fix

Use encryption for key exchange.

b
The designer will ensure private keys are accessible only to administrative users.
Medium - V-16789 - SV-17789r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3180
Vuln IDs
  • V-16789
Rule IDs
  • SV-17789r1_rule
If private keys are accessible to non-administrative users, these users could potentially read and use the private keys to unencrypt stored or transmitted sensitive data used by the application. System AdministratorECCD-1
Checks: C-17775r1_chk

Interview the application representative and determine the keys resident on application servers (including X.509 certificates). For the purposes of this checklist, no more than 20 keys need to be examined. Based on the number of keys in the inventory, determine if all of the keys will be examined, or just a sample. If a sample will be selected, choose keys of a variety of types (certificate of a certificate authority, certificate of a user, private key of a user, etc.). No user or process should be able to write to any file containing keys. If keys need to be replaced or added, permissions can be changed temporarily for those events. 1) If any privileged or non-privileged user or application process has write permissions to a file containing cryptographic keys, it is a finding. Determine if when keys are read, that transaction occurs under the security context of a user account, or of the application process (which would perform the transaction on behalf of the user). Ensure that read permissions are granted only to the account(s) that must know the key to make the application function. If any user groups are granted read permissions, check that the members of these groups contain only the users that require knowledge of the key. 2) If any user accounts have read (or greater) permissions to a private or secret key, which do not require such permissions, it is a finding. 3) If any group with read permissions contains a user that does not require such permissions, it is a finding.

Fix: F-17005r1_fix

Remove excessive permissions on private keys.

b
The designer will ensure the application does not connect to a database using administrative credentials or other privileged database accounts.
Medium - V-16790 - SV-17790r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3190
Vuln IDs
  • V-16790
Rule IDs
  • SV-17790r1_rule
If the application uses administrative credentials or other privileged database accounts to access the database, an attacker that has already compromised the application though another vulnerability can drop, add, and modify the data in the database or the database structure.System AdministratorECLP-1
Checks: C-17777r1_chk

If the application does not use a database, this check is not applicable. Ask the application representative how the application authenticates to the database. 1) If the application authenticates to the database by using a database account that has database administrator access, it is a finding.

Fix: F-17007r1_fix

Modify the application and the database account used for the application so administrative credentials are not required to access the database.

a
The designer will ensure transaction based applications implement transaction rollback and transaction journaling.
Low - V-16791 - SV-17791r1_rule
RMF Control
Severity
Low
CCI
Version
APP3200
Vuln IDs
  • V-16791
Rule IDs
  • SV-17791r1_rule
Transaction based systems must have transaction rollback and transaction journaling, or technical equivalents implemented to ensure the system can recover from an attack or faulty transaction data. Otherwise, a denial of service condition could result. System AdministratorECDC-1
Checks: C-17779r1_chk

If the application is not a transaction based application that stores and retrieves data, this check is not applicable. Ask the application representative if the application uses a database to store information. If the application utilizes Oracle, SYBASE, or Microsoft SQL Server, then support for journaling and rollback is already present in the tools. Note: Microsoft Access does not support journaling and rollback. If Microsoft Access is used, ask the application representative to demonstrate the rollback and journaling features of the application. 1) If the application representative cannot demonstrate support for journaling and rollback, it is a finding.

Fix: F-17008r1_fix

Implement rollback and journaling features in the application or incorporate products with rollback and journaling features.

b
The designer will ensure sensitive data held in memory is cryptographically protected when not in use, if required by the information owner, and classified data held in memory is always cryptographically protected when not in use.
Medium - V-16792 - SV-17792r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3220
Vuln IDs
  • V-16792
Rule IDs
  • SV-17792r1_rule
Sensitive or classified data in memory must be encrypted to protect data from the possibility of an attacker causing an application crash then analyzing a memory dump of the application for sensitive or classified information.System AdministratorECCR-1, ECCR-2, ECCR-3
Checks: C-17780r1_chk

If the application does not contain sensitive or classified information this check does not apply. If the application is a COTS/GOTS product or is composed of only COTS/GOTS products with no custom code, this check does not apply unless the application is being reviewed by or in conjunction with the COTS/GOTS vendor in which case this check is applicable.. Ask the application representative to review global variables for the application. If the global variables contain sensitive information, ask the application representative if they are required to be encrypted by the data owner. If the data is required to be encrypted by the data owner, ask the application representative to demonstrate they are encrypted. Note: The .Net Framework 2.0 and higher provides a SecureString class which can encrypt sensitive string values. 1) If sensitive or classified information is required to be encrypted by the data owner and global variables containing sensitive information are not encrypted, it is a finding.

Fix: F-17010r1_fix

Encrypt sensitive and classified data in memory when not in use.

b
The designer will ensure the application properly clears or overwrites all memory blocks used to process sensitive data, if required by the information owner, and clears or overwrites all memory blocks used for classified data.
Medium - V-16793 - SV-17793r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3230
Vuln IDs
  • V-16793
Rule IDs
  • SV-17793r1_rule
Sensitive and classified data in memory should be cleared or overwritten to protect data from the possibility of an attacker causing the application to crash and analyzing a memory dump of the application for sensitive information.System AdministratorECCR-1, ECCR-2, ECCR-3
Checks: C-17781r1_chk

If the application does not contain sensitive or classified information this check is not applicable. If the application is a COTS/GOTS product or is composed of only COTS/GOTS products with no custom code, this check does not apply unless the application is being reviewed by or in conjunction with the COTS/GOTS vendor in which case this check is applicable. Ask the application representative to demonstrate how the application clears and releases memory blocks. Microsoft Visual C++ provides SecureZeroMemory that will not be optimized out of code for clearing sensitive and classified data. 1) If the application releases objects before clearing them, it is a finding.

Fix: F-17011r1_fix

Clear memory blocks used for storing sensitive and classified data, before release.

b
The designer will ensure the application uses mechanisms assuring the integrity of all transmitted information (including labels and security parameters).
Medium - V-16794 - SV-17794r2_rule
RMF Control
Severity
Medium
CCI
Version
APP3260
Vuln IDs
  • V-16794
Rule IDs
  • SV-17794r2_rule
Data is subject to manipulation and other integrity related attacks whenever that data is transferred across a network. To protect data integrity during transmission, the application must implement mechanisms to ensure the integrity of all transmitted information. All transmitted information means that the protections are not restricted to just the data itself. Protection mechanisms must be extended to include data labels, security parameters or metadata if data protection requirements specify. Modern web application data transfer methods can be complex and are not necessarily just point to point in nature. Service Oriented Architecture (SOA) and RESTFUL web services allow for XML based application data to be transmitted in a manner similar to network traffic wherein the application data is transmitted along multiple servers hops. In such cases, point to point protection methods like TLS or SSL may not be the best choice for ensuring data integrity and alternative data integrity protection methods like XML Integrity Signature protections where the XML payload itself is signed may be required as part of the application design. Overall application design and architecture must always be taken into account when establishing data integrity protection mechanisms. Custom-developed solutions that provide a file transfer capability should implement data integrity checks for incoming and outgoing files. Transmitted information requires mechanisms to ensure the data integrity (e.g. digital signatures, SSL, TLS or cryptographic hashing). System AdministratorECTM-1, ECTM-2
Checks: C-17782r2_chk

Ask the application representative to demonstrate the application support mechanisms assuring the integrity of all transmitted information to include labels and security parameters. Ask the application representative to login and demonstrate the application support integrity mechanisms for transmission of both incoming and outgoing files and any transmitted data. For example, hashing/digital signature and cyclic redundancy checks (CRCs) can be used to confirm integrity on data streams and transmitted files. 1) If the application does not support integrity mechanisms for any transmitted data, this is a finding. 2) If the application does not support integrity mechanisms for file transmission, this is a finding. *Note: These checks apply to all data transmitted by REST-styled or SOAP-based Web Services.

Fix: F-17015r1_fix

Implement integrity mechanisms for transmission of both incoming and outgoing data.

c
The designer will ensure the application does not display account passwords as clear text.
High - V-16795 - SV-17795r1_rule
RMF Control
Severity
High
CCI
Version
APP3310
Vuln IDs
  • V-16795
Rule IDs
  • SV-17795r1_rule
Passwords being displayed in clear text can be easily seen by casual observers. Password masking should be employed so any casual observers cannot see passwords on the screen as they are being typed.System AdministratorIAIA-1
Checks: C-17790r1_chk

Ask the application representative to login to the application. If the application uses password authentication, the password should not be displayed as clear text. 1) If the password is displayed as clear text, this is a finding.

Fix: F-17022r1_fix

Use password masking to prevent display of clear text password.

c
The designer will ensure the application transmits account passwords in an approved encrypted format.
High - V-16796 - SV-17796r1_rule
RMF Control
Severity
High
CCI
Version
APP3330
Vuln IDs
  • V-16796
Rule IDs
  • SV-17796r1_rule
Passwords transmitted in clear text or with an unapproved format are vulnerable to network protocol analyzers. These passwords acquired with the network protocol analyzers can be used to immediately access the application.System AdministratorECCT-1
Checks: C-17792r1_chk

Ask the application representative to demonstrate that passwords are encrypted before they are transmitted. 1) If the application does not use passwords for identification and authentication, this check is not applicable. 2) If the application does not encrypt passwords before transmitting them, it is a finding.

Fix: F-17023r1_fix

Modify the application to encrypt all transmitted passwords.

c
The designer will ensure the application stores account passwords in an approved encrypted format.
High - V-16797 - SV-17797r1_rule
RMF Control
Severity
High
CCI
Version
APP3340
Vuln IDs
  • V-16797
Rule IDs
  • SV-17797r1_rule
Passwords stored without encryption or with weak, unapproved, encryption can easily be read and unencrypted. These passwords can then be used for immediate access to the application.System AdministratorIAIA-1, IAIA-2
Checks: C-17793r1_chk

With respect to identification and authentication information, only administrators and the application or OS process that access the information should have any permissions to these files. In many cases, local backups of the accounts database exist so these must be included in the scope of the review. Authentication credentials such as passwords are required to be encrypted. Check the configuration of the application software to determine if encryption settings have been activated for the relevant data. 1) If these encryption settings have not been turned on, this is a CAT II finding. If the data encryption functionality is not configurable and the identification and authentication information is stored in ASCII or another readable format, examine the actual data to determine if they are in clear text. 2) If the authentication data is readable, this is a CAT I finding. Record findings, regardless of whether or not the vulnerability has been captured in another SRR. For example, any weakness in OS authentication scheme that the application leverages applies both to the OS and the application.

Fix: F-17024r1_fix

Store passwords in an approved encrypted format.

b
The designer will ensure the application protects access to authentication data by restricting access to authorized users and services.
Medium - V-16798 - SV-17798r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3360
Vuln IDs
  • V-16798
Rule IDs
  • SV-17798r1_rule
If authentication is not properly restricted using access controls list, unauthorized users of the server where the authentication data is stored may be able to use the authentication data to access unauthorized servers or services.System AdministratorECCD-1
Checks: C-17794r1_chk

Identification and authentication information must be protected by appropriate file permissions. Only administrators and the application or OS process that access the information should have any permissions to access identification and authentication information. In many cases, local backups of the accounts database exist so these must be included in the scope of the review. 1) If non-privileged users have the permission to read or write password files, other than resetting their own password, this is a CAT II finding. 2) If non-privileged users can read user information (e.g., list users but not passwords), this is a CAT III finding.

Fix: F-17027r1_fix

Restrict access to authentication data.

b
The designer will ensure the application installs with unnecessary accounts disabled, or deleted, by default.
Medium - V-16799 - SV-17799r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3370
Vuln IDs
  • V-16799
Rule IDs
  • SV-17799r1_rule
Unnecessary accounts should be disabled to limit the number of entry points for attackers to gain access to the system. Removing unnecessary accounts also limits the number of users and passwords the system administrator must maintain.System AdministratorIAIA-1
Checks: C-17795r1_chk

Ask the application representative what system accounts are installed/created and/or enabled by default upon installation of the application. 1) If the application installs/creates/enables accounts that are not needed in order for the application to operate, it is a finding.

Fix: F-17028r1_fix

Remove or disable unneeded accounts.

c
The designer will ensure users’ accounts are locked after three consecutive unsuccessful logon attempts within one hour.
High - V-16800 - SV-17800r1_rule
RMF Control
Severity
High
CCI
Version
APP3390
Vuln IDs
  • V-16800
Rule IDs
  • SV-17800r1_rule
If user accounts are not locked after a set number of unsuccessful logins, attackers can infinitely retry user password combinations providing immediate access to the application.ECLO-1, ECLO-2
Checks: C-17796r1_chk

Ask the application representative to demonstrate the application locks a user account if a user enters a password incorrectly more than three times in a 60 minute period. 1) If the account is not disabled, it is a finding.

Fix: F-17069r1_fix

Lock user accounts after three consecutive unsuccessful logon attempts within one hour.

b
The designer will ensure locked users’ accounts can only be unlocked by the application administrator.
Medium - V-16801 - SV-17801r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3400
Vuln IDs
  • V-16801
Rule IDs
  • SV-17801r1_rule
User accounts should only be unlocked by the user contacting an administrator, and making a formal request to have the account reset. Accounts that are automatically unlocked after a set time limit, allow potential attackers to retry possible user password combinations without knowledge of the user or the administrator.System AdministratorECLO-1
Checks: C-17797r1_chk

Ask the application representative to demonstrate that only the administrator can unlock locked accounts. 1) If the application allows non-administrator to unlock accounts, it is a finding.

Fix: F-17070r1_fix

Allow only the administrator to unlock locked accounts.

b
The designer will ensure the application provides a capability to automatically terminate a session and log out after a system defined session idle time limit is exceeded.
Medium - V-16802 - SV-17802r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3415
Vuln IDs
  • V-16802
Rule IDs
  • SV-17802r1_rule
In the event a user does not log out of the application, the application should automatically terminate the session and log out; otherwise, subsequent users of a shared system could continue to use the previous user's session to the application.System AdministratorECLO-1
Checks: C-17798r1_chk

Interview application representative to identify the length of time a user can be idle before the application will time out and terminate the session and require reauthentication. 1) If the application representative states that one or all of the limits are absent for one or more session types, it is a finding. In many cases, session configuration parameters can be examined. If configuration parameters are embedded within the application they may not be available for review. Any configuration settings that are not configurable should be manually tested. The preferred method depends on the application environment. Manually validate session limits by empirical testing (logon on multiple times and leaving sessions idle). In some cases, testing session limits is not feasible because they may be set too high to properly simulate them during the review. Even if the application does not provide time limits for idle sessions, such limits may exist at the transport layer (e.g., TCP timeouts). Consider all possible ways in which limits might be enforced before documenting a finding. 2) If there is no evidence of a required session timeout, it is a finding.

Fix: F-17074r1_fix

Implement session timeouts and automatic logout in the application.

b
The designer and IAO will ensure application resources are protected with permission sets which allow only an application administrator to modify application resource configuration files.
Medium - V-16803 - SV-17803r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3450
Vuln IDs
  • V-16803
Rule IDs
  • SV-17803r1_rule
If application resources are not protected with permission sets that allow only an application administrator to modify application resource configuration files, unauthorized users can modify configuration files allowing these users to capture data within the application, or turn off encryption, or change any configurable option in the application.ECCD-1
Checks: C-17801r1_chk

Ask the application representative to demonstrate the application resources have appropriate access permissions. 1) If the application representative cannot demonstrate all application resources have appropriate access permissions, it is a finding. Review the locations of all configuration files used by the application. Ask the application representative to demonstrate configuration files used by the application are restricted to authorized users. 2) If access permissions to configuration files are not restricted to application administrators, it is a finding.

Fix: F-17084r1_fix

Correct access permissions restricting the modification of application resources.

c
The designer will ensure the application does not rely solely on a resource name to control access to a resource.
High - V-16804 - SV-17804r1_rule
RMF Control
Severity
High
CCI
Version
APP3460
Vuln IDs
  • V-16804
Rule IDs
  • SV-17804r1_rule
Application access control decisions should be based on authentication of users. Resource names alone can be spoofed allowing access control mechanisms to be bypassed giving immediate access to the application. System AdministratorDCSQ-1
Checks: C-17802r1_chk

Verify the application does not grant access solely based on a resource name (e.g., username, IP address, machine name). Also, verify a username with a blank password does not grant access to the application. 1) If authentication is granted based on a resource name only, it is a finding.

Fix: F-17087r1_fix

Implement authentication on systems requiring access control.

b
The designer will ensure the web application assigns the character set on all web pages.
Medium - V-16806 - SV-17806r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3530
Vuln IDs
  • V-16806
Rule IDs
  • SV-17806r1_rule
For web applications, setting the character set on the web page reduces the possibility of receiving unexpected input that uses other character set encodings by the web application.System AdministratorDCSQ-1
Checks: C-17804r1_chk

Ask the application representative to review web pages, and determine if the application sets the character set. Perl After the last header look for print "Content-Type: text/html; charset=utf-8\n\n"; PHP. Look for the header() function before any content is generated header('Content-type: text/html; charset=utf-8'); Java Servlets. Look for the setContentType method on the ServletResponse object Objectname.setContentType ("text/html;charset=utf-8"); JSP. Look for a page directives <%@ page contentType="text/html; charset=UTF-8" %> ASP Look for Response.charset <%Response.charset="utf-8"%> ASP.Net Look for Response.ContentEncoding Response.ContentEncoding = Encoding.UTF8; 1) If the application representative cannot demonstrate the above, it is a finding.

Fix: F-17095r1_fix

Set the character set on all web pages.

c
The designer will ensure the application is not vulnerable to SQL Injection, uses prepared or parameterized statements, does not use concatenation or replacement to build SQL queries, and does not directly access the tables in a database.
High - V-16807 - SV-17807r1_rule
RMF Control
Severity
High
CCI
Version
APP3540
Vuln IDs
  • V-16807
Rule IDs
  • SV-17807r1_rule
SQL Injection can be used to bypass user login to gain immediate access to the application and can also be used to elevate privileges with an existing user account.DCSQ-1, ECCD-1
Checks: C-17805r1_chk

SQL Injections attacks can be used to bypass the login to the application or to provide authenticated user access to data that should not normally be provided by the application. Test applications using Oracle, Microsoft SQL Server, and other backend databases by putting a single ' in any of the fields used to login. Submit the form and check for a server error 400. If the error occurs, the application is not properly validating input fields. If an invalid user or password message is returned upon submitting the web form, the application is at least minimally protected. Fill in login fields with potentially valid user names (e.g., admin, system, root, administrator) with a comment field to ignore the rest of the SQL query. Fill in the password fields with any values and submit the form. username' -- username' # username'/* 1) If the application bypasses user authentication with these inputs, this is a CAT I finding. Try to append the "or" operator with a true value "1=1" and comment field. This will test if a SQL query could be passed into the application for execution. Fill in the login and password fields one at a time with the inputs below and submit the form. ' or 1=1-- ' or 1=1# ' or 1=1/* ') or 1=1-- ') or 1=1# ') or 1=1/* 2) If the application bypasses user authentication with these inputs, this is a CAT I finding. Also other fields not associated with the login fields should be tested. Fill in the each of the inputs one at a time with the inputs below, and submit the form. ' or 1=1-- ' or 1=1# ' or 1=1/* ') or 1=1-- ') or 1=1# ') or 1=1/* 3) If the application provides an authenticated user access or elevated access to the application to data, this is a CAT I finding. Ask the application representative for code review or scan results from the entire application. This can be provided as results from an automated code review or a vulnerability scanning tool. See section 5.4 of the Application Security and Development STIG for additional details. If the application representative cannot provide results from a code review, then ask the application representative to demonstrate how the application meets the requirements below. Identify from the code review results or the application representative demonstration how the application: - Uses prepared statements for SQL queries - Does not provide direct access to tables (e.g. access is provided by views and stored procedures) - Does not use concatenation or use replacement to build SQL queries 4) If the results are not provided from a manual code review or automated tool or the application representative cannot demonstrate the application uses prepared statements for SQL queries, this is a CAT II finding. 5) If the results are not provided from a manual code review or automated vulnerability scanning tool, or the application representative cannot demonstrate the application does not use concatenation or use replacement to build SQL queries, this is a CAT II finding. 6) If the results are not provided from a manual code review or automated vulnerability scanning tool, or the application representative cannot demonstrate the application does not directly accesses tables in a database, this is a CAT II finding. 7) If APP3500 is a finding due to the application account being a member of the Administrators group (Windows), has a UID of 0 (i.e., is equivalent to root in UNIX), is a member of the SYSAdmin fixed server role in SQL Server, or has DDL privileges, the finding should be upgraded to a CAT I. *Note Web services are subject to the same coding practices of other web application code (e.g., SQL Injection).

Fix: F-17099r1_fix

Modify the application and remove SQL injection vulnerabilities.

c
The designer will ensure the application is not vulnerable to integer arithmetic issues.
High - V-16808 - SV-17808r1_rule
RMF Control
Severity
High
CCI
Version
APP3550
Vuln IDs
  • V-16808
Rule IDs
  • SV-17808r1_rule
Integer overflows occur when an integer has not been properly checked and is used in memory allocation, copying, and concatenation. Also, when incrementing integers past their maximum possible value, it could potentially become a very small or negative number. Integer overflows can lead to infinite looping when loop index variables are compromised and cause a denial of service. If the integer is used in data references, the data can become corrupt. Also, using the integer in memory allocation can cause buffer overflows, and a denial of service. Integers used in access control mechanisms can potentially trigger buffer overflows, which can be used to execute arbitrary code. DCSQ-1
Checks: C-17806r1_chk

Ask the application representative for code review results from the entire application. This can be provided as results from an automated code review tool or use static analysis tools that are known to find this class of vulnerability with few false positives. See section 5.4 of the Application Security and Development STIG for additional details. If the results are provided from a manual code review, the application representative will need to demonstrate how integer overflow vulnerabilities are identified during code reviews. 1) If the results are not provided or the application representative cannot demonstrate how manual code reviews are performed to identify integer overflow vulnerabilities, it is a finding. Examples of integer overflow vulnerabilities can be obtained from the OWASP website.

Fix: F-17101r1_fix

Modify the application and protect against integer overflow attacks.

c
The designer will ensure the application does not contain format string vulnerabilities.
High - V-16809 - SV-17809r1_rule
RMF Control
Severity
High
CCI
Version
APP3560
Vuln IDs
  • V-16809
Rule IDs
  • SV-17809r1_rule
Format string vulnerabilities usually occur when unvalidated input is entered and is directly written into the format string used to format data in the print style family of C/C++ functions. If an attacker can manipulate a format string, this may result in a buffer overflow causing a denial of service for the application. Format string vulnerabilities may lead to information disclosure vulnerabilities. Format string vulnerabilities may be used to execute arbitrary code. System AdministratorDCSQ-1
Checks: C-17807r1_chk

Ask the application representative for code review or scan results from the entire application. This can be provided as results from an automated code review or a vulnerability scanning tool. See section 5.4 of the Application Security and Development STIG for additional details. If the results are provided from a manual code review, the application representative will need to demonstrate how format string vulnerabilities are identified during code reviews. 1) If the results are not provided or the application representative cannot demonstrate how manual code reviews are performed to identify format string vulnerabilities, it is a finding. Examples of format string vulnerabilities can be obtained from the OWASP website.

Fix: F-17100r1_fix

Modify the application to protect against format string attacks.

c
The designer will ensure the application does not allow command injection.
High - V-16810 - SV-17810r1_rule
RMF Control
Severity
High
CCI
Version
APP3570
Vuln IDs
  • V-16810
Rule IDs
  • SV-17810r1_rule
A command injection attack, is an attack on a vulnerable application where improperly validated input is passed to a command shell setup in the application. A command injection allows an attacker to execute their own commands with the same privileges as the application executing. Command injection allows immediate access to the system where the application is executing. System AdministratorDCSQ-1
Checks: C-17808r1_chk

Ask the application representative for code review or scan results from the entire application. This can be provided as results from an automated code review or a vulnerability scanning tool. See section 5.4 of the Application Security and Development STIG for additional details. If the results are provided from a manual code review, the application representative will need to demonstrate how command injection vulnerabilities are identified during code reviews. 1) If the results are not provided or the application representative cannot demonstrate how manual code reviews are performed to identify command injection vulnerabilities, it is a finding. Examples of Command Injection vulnerabilities can be obtained from the OWASP website. *Note: Web services are subject to the same coding practices of other web application code (e.g., command injection).

Fix: F-17103r1_fix

Modify the application to protect against command injection attacks.

c
The designer will ensure the application does not have cross site scripting (XSS) vulnerabilities.
High - V-16811 - SV-17811r1_rule
RMF Control
Severity
High
CCI
Version
APP3580
Vuln IDs
  • V-16811
Rule IDs
  • SV-17811r1_rule
XSS vulnerabilities exist when an attacker uses a trusted website to inject malicious scripts into applications with improperly validated input. System AdministratorDCSQ-1
Checks: C-17809r1_chk

Ask the application representative for code review or scan results from the entire application. This can be provided as results from an automated code review or a vulnerability scanning tool. See section 5.4 of the Application Security and Development STIG for additional details. If the results are provided from a manual code review, the application representative will need to demonstrate how XSS vulnerabilities are identified during code reviews. 1) If the results are not provided or the application representative cannot demonstrate how manual code reviews are performed to identify cross site scripting vulnerabilities, this is a CAT I finding. Perform query string manipulation testing to determine if the user bypasses access control functions to gain data that should be restricted based on the user's security level or role. For example, if a query string, such as www.testweb.mil/apppage.asp?xyz=113&asd=185, gives the user access to data for data identifier number 185. Try to resubmit the query string with another three digit number (e.g., 186) to see if that data is displayed. If this data can be displayed through reports or other access points in the application, this would not be considered a finding. 2) If data displayed in the query manipulation testing is above the user's security level or role, this is a CAT II finding. For script tag embedding, select a text field of the application that accepts at least 15 characters. Try to input a script tag (script) into the field. If the data is accepted without an error, access the data entered via the application (this process will vary depending upon the application). 3) If the script tag in its entirety is displayed within the application, this is a CAT II finding. Mitigate XSS vulnerabilities by using HTTP-only cookies. Examine any cookies used while the application is being executed. Verify the HttpOnly flag has been set for all cookies. 4) If the HttpOnly flag has not been set for all cookies, this is a CAT II finding. HttpOnly cookies are explained further at the Microsoft website: http://msdn.microsoft.com/en-us/library/ms533046.aspx Examples of XSS vulnerabilities can be obtained from the OWASP website.

Fix: F-17104r1_fix

Modify the application to protect against cross site scripting attacks.

b
The designer will ensure the application has no canonical representation vulnerabilities.
Medium - V-16812 - SV-17812r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3600
Vuln IDs
  • V-16812
Rule IDs
  • SV-17812r1_rule
Canonical representation issues arise when the name of a resource is used to control resource access. There are multiple methods of representing resource names on a computer system. An application relying solely on a resource name to control access may incorrectly make an access control decision if the name is specified in an unrecognized format.System AdministratorDCSQ-1
Checks: C-17810r1_chk

Ask the application representative for code review or scan results from the entire application. This can be provided as results from an automated code review or a vulnerability scanning tool. See section 5.4 of the Application Security and Development STIG for additional details. If the results are provided from a manual code review, the application representative will need to demonstrate how canonical representation vulnerabilities are identified during code reviews. 1) If the results are not provided or the application representative cannot demonstrate how manual code reviews are performed to identify canonical representation vulnerabilities this is a finding. Examples of Canonical Representation vulnerabilities can be obtained from the OWASP website.

Fix: F-17111r1_fix

Protect against canonical representation attacks.

c
The designer will ensure the application does not use hidden fields to control user access privileges or as a part of a security mechanism.
High - V-16813 - SV-17813r1_rule
RMF Control
Severity
High
CCI
Version
APP3610
Vuln IDs
  • V-16813
Rule IDs
  • SV-17813r1_rule
Using hidden fields to pass data in forms is very common. However, hidden fields can be easily manipulated by users. Hidden fields used to control access decisions can lead to a complete compromise of access control mechanism allowing immediate anonymous user access. System AdministratorDCSQ-1
Checks: C-17812r1_chk

Ask the application representative for code review or scan results from the entire application. This can be provided as results from an automated code review or a vulnerability scanning tool. See section 5.4 of the Application Security and Development STIG for additional details. If the results are provided from a manual code review, the application representative will need to demonstrate how hidden field vulnerabilities are identified during code reviews. Hidden fields or input parameters that utilize randomly generated token values used to address Cross Site Request Forgery (CSRF) attacks and are not used for access control are not applicable. 1) If the results are not provided or the application representative cannot demonstrate how manual code reviews are performed to identify hidden field vulnerabilities, this is a CAT I finding. 2) If the code review results are provided and hidden field vulnerabilities exist for user authentication, this is a CAT I finding. 3) If the code review results are provided and hidden field vulnerabilities exist allowing users to access unauthorized information, this is a CAT II finding.

Fix: F-17112r1_fix

Do not use Hidden fields to control access privileges.

b
The designer will ensure the application does not disclose unnecessary information to users.
Medium - V-16814 - SV-17814r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3620
Vuln IDs
  • V-16814
Rule IDs
  • SV-17814r1_rule
Applications should not disclose information not required for the transaction. (e.g., a web application should not divulge the fact there is a SQL server database and/or its version) This provides attackers additional information which they can use to find other attack avenues, or tailor specific attacks, on the application.System AdministratorECCD-1
Checks: C-17813r1_chk

Ask the application representative to demonstrate the application does not disclose any information about the application which could be used by an attacker to gain access to the application. UDDI registries should also not provide any information about the application which could be used by an attacker to gain access to the web service. WSDL should not provide unnecessary information (especially debugging features). Ask the application representative to login as a non-privileged user and review all screens of the application to identify any potential data that should not be disclosed to the user. 1) If the application displays any data that should not be disclosed, this is a finding.

Fix: F-17231r1_fix

Remove unnecessary information displayed by the application.

b
The designer will ensure the application is not vulnerable to race conditions.
Medium - V-16815 - SV-17815r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3630
Vuln IDs
  • V-16815
Rule IDs
  • SV-17815r1_rule
A race condition occurs when an application receives two or more actions on the same resource in an unanticipated order which causes a conflict. Sometimes, the resource is locked by different users or functions within the application creating a deadlock situation. System AdministratorDCSQ-1
Checks: C-17814r1_chk

Policy: The designer will ensure the application is not vulnerable to race conditions. The designer will ensure the application does not use global variables when local variables could be used. The designer will ensure a multi-threaded application uses thread safe functions when threads are accessing the same object or data. The Designer will ensure global resources are locked before being accessed by the application. Check: If the application is a COTS/GOTS product or is composed of only COTS/GOTS products with no custom code, this check does not apply unless the application is being reviewed by or in conjunction with the COTS/GOTS vendor in which case this check is applicable. Ask the application representative for code review results from the entire application. This can be provided as results from an automated code review tool. The review results should include all web services used in the application. If the results are provided from a manual code review, the application representative will need to demonstrate how the following vulnerabilities are identified during code reviews: • Race conditions • Using global variables when local variables could be used • Multi-threaded application uses thread safe functions • Global resources are locked before being accessed by the application 1) If the results are not provided or the application representative cannot demonstrate how manual code reviews are performed to identify these vulnerabilities, it is a finding. Examples of race conditions vulnerabilities can be obtained from the OWASP website.

Fix: F-17113r1_fix

Protect against race condition vulnerabilities

b
The designer will ensure the application supports the creation of transaction logs for access and changes to the data.
Medium - V-16816 - SV-17816r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3640
Vuln IDs
  • V-16816
Rule IDs
  • SV-17816r1_rule
Without required logging and access control, security issues related to data changes will not be identified. This could lead to security compromises such as data misuse, unauthorized changes, or unauthorized access.System AdministratorECCD-2
Checks: C-17815r1_chk

Ask the application representative to login as an unprivileged user and demonstrate the application creates transaction logs for access and changes to the data. Verify transaction logs exist and the log records access and changes to the data. This check is in addition to the ECAR auditing requirements. 1) If the application representative cannot demonstrate the above, it is a finding.

Fix: F-17115r1_fix

Implement transaction logs which records access, and changes, to the data.

a
The designer will ensure the application has a capability to notify the user of important login information.
Low - V-16817 - SV-17817r1_rule
RMF Control
Severity
Low
CCI
Version
APP3660
Vuln IDs
  • V-16817
Rule IDs
  • SV-17817r1_rule
Attempted logons must be controlled to prevent password guessing exploits and unauthorized access attempts. System AdministratorECLO-2
Checks: C-17816r1_chk

Policy: The designer will ensure the application has a capability to notify the user on logon of date and time of the user's last unsuccessful logon, IP address of the user’s last unsuccessful logon, date and time of the user's last successful logon, IP address of the user’s last successful logon, and number of unsuccessful logon attempts since the last successful logon. Check: If the application uses password authentication, try to logon to the system using an incorrect password. Restart the application and logon again using the correct password. After a successful logon to the application, logout of the application and note the date and times for the last success and unsuccessful logons. Again, logon to the application and determine whether the application correctly displays the following information immediately at logon: Unsuccessful Logon Date Time IP Address Successful Logon Date Time IP Address If the application does not correctly display the last unsuccessful and successful logon information immediately at login, it is a finding For CAC and NSA approved token authentication logons, remove the CAC or mistype the PIN to simulate an unsuccessful login.

Fix: F-17117r1_fix

Display last login information.

b
The designer will ensure the application has a capability to display the user’s time and date of the last change in data content.
Medium - V-16818 - SV-17818r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3670
Vuln IDs
  • V-16818
Rule IDs
  • SV-17818r1_rule
Without access control mechanisms in place, the data is not secure. The time and date display of data content change provides an indication that the data may have been accessed by unauthorized persons, and It may have been compromised, misused, or changed.System AdministratorECCD-2
Checks: C-17817r1_chk

Ask the application representative to demonstrate how the application provides the users of time and date of the last change in data content. This may be demonstrated in application logs, audit logs, or database tables and logs. 1) If the application representative cannot demonstrate the above, this is a finding.

Fix: F-17230r1_fix

Implement transaction logs recording access and changes to the data.

b
The designer will ensure development of new mobile code includes measures to mitigate the risks identified.
Medium - V-16819 - SV-17819r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3750
Vuln IDs
  • V-16819
Rule IDs
  • SV-17819r1_rule
New mobile code types may introduce unknown vulnerabilities if a risk assessment is not completed prior to the use of mobile code. System AdministratorDCMC-1
Checks: C-17818r1_chk

Interview the designer and determine if new mobile code is in development. If no new mobile code is in development, this check is not applicable. 1) If new code is being developed determine and a risk assessment has not been performed, it is a finding.

Fix: F-17127r1_fix

Remove mobile code or perform a risk assessment on mobile code.

a
The Release Manager will ensure the access privileges to the configuration management (CM) repository are reviewed every 3 months.
Low - V-16820 - SV-17820r1_rule
RMF Control
Severity
Low
CCI
Version
APP4010
Vuln IDs
  • V-16820
Rule IDs
  • SV-17820r1_rule
Incorrect access privileges to the CM repository can lead to malicious code or unintentional code being introduced into the application.System AdministratorECPC-1, ECPC-2
Checks: C-17819r1_chk

The CM repository access permissions are not reviewed at least every three months. If the application is a COTS/GOTS product or is composed of only COTS/GOTS products with no custom code, this check does not apply unless the application is being reviewed by or in conjunction with the COTS/GOTS vendor in which case this check is applicable. Ask the application representative when the last time the access privileges were reviewed. 1) If access privileges were reviewed within the last three months, this is not a finding.

Fix: F-17129r1_fix

Review access privileges to the CM repository at least every three months.

b
The Release Manager will develop an SCM plan describing the configuration control and change management process of objects developed and the roles and responsibilities of the organization.
Medium - V-16822 - SV-17822r1_rule
RMF Control
Severity
Medium
CCI
Version
APP4030
Vuln IDs
  • V-16822
Rule IDs
  • SV-17822r1_rule
Software Configuration Management (SCM) is very important in tracking code releases, baselines, and managing access to the configuration management repository. The SCM plan identifies what should be under configuration management control. Without an SCM plan, code releases can be tracked and vulnerabilities can be inserted intentionally or unintentionally into the code base of the application. System AdministratorDCPR-1, DCSW-1
Checks: C-17821r1_chk

The Release Manager will ensure the SCM plan identifies all objects created during the development process subject to configuration control. The Release Manager will ensure the SCM plan maintains procedures for identifying individual application components, as well as, entire application releases during all phases of the software development lifecycle. The Release Manager will ensure the SCM plan identifies and tracks all actions and changes resulting from a change request from initiation to release. The Release Manager will ensure the SCM plan contains procedures to identify, document, review, and authorize any change requests to the application. The Release Manager will ensure the SCM plan defines the responsibilities, the actions to be performed, the tools, techniques and methodologies, and defines an initial set of baselined software components. The Release Manager will ensure the SCM plan objects have security classifications labels. The Release Manager will ensure the SCM plan identifies tools and version numbers used in the software development lifecycle. The Release Manager will ensure the SCM plan identifies mechanisms for controlled access of simultaneous individuals updating the same application component. The Release Manager will ensure the SCM plan assures only authorized changes by authorized persons are possible. The Release Manager will ensure the SCM plan identifies mechanisms to control access and audit changes between different versions of objects subject to configuration control. The Release Manager will ensure the SCM plan identifies mechanisms to track and audit all modifications of objects under configuration control. Audits will include the originator and date and time of the modification. If the application is a COTS/GOTS product or is composed of only COTS/GOTS products with no custom code, this check does not apply unless the application is being reviewed by or in conjunction with the COTS/GOTS vendor in which case this check is applicable. Ask the application representative to review the applications SCM plan. The SCM plan should contain the following: • Description of the configuration control and change management process • Types of objects developed • Roles and responsibilities of the organization 1) If the SCM plan does not include the above, this is a CAT II finding. The SCM plan should also contain the following: • Defined responsibilities • Actions to be performed • Tools used in the process • Techniques and methodologies • Initial set of baselined software components 2) If the SCM plan does not include the above, this is a CAT III finding. The SCM plan should identify all objects that are under configuration management control. Ask the application representative to provide access to the configuration management repository and to identify the objects shown in the SCM plan. 3) If the application representative cannot display all types of objects under CM control, this is a CAT III finding. The SCM plan should identify third party tools and respective version numbers. 4) If the SCM plan does not identify third party tools, this is a CAT II finding. The SCM plan should identify mechanisms for controlled access of individuals simultaneously updating the same application component. 5) If the SCM plan does not identify mechanisms for controlled access, this is a CAT III finding. The SCM plan assures only authorized changes by authorized persons are allowed. 6) If the SCM plan does not assure only authorized changes are made, this is a CAT II finding. The SCM plan should identify mechanisms to control access and audit changes between different versions of objects subject to configuration control. 7) If the SCM plan does not identify mechanisms to control access and to audit changes between different versions of objects subject to configuration control, this is a CAT III finding. The SCM plan should have procedures for label versions of application components and application builds under configuration management control. Ask the application representative demonstrate the configuration management repository and contains versions and releases of the application. Ask the application representative to create a build or demonstrate a current release of the application can be recreated. 8) If the application representative cannot display releases and application component versions, this is a CAT II finding. The configuration management repository should track change requests from beginning to end. Ask the application representative to display a completed or in-process change request. 9) If the configuration management repository cannot tracks change requests, this is a CAT III finding. If the application has just completed its first release, there may not be any change requests logged in the configuration management repository. In this case, this finding is not applicable. The configuration management repository should authorize change requests to the application. Ask the application representative to display an authorized change request and identify who is responsible for authorizing change requests. 10) If the configuration management repository does not track authorized change requests, this is a CAT III finding. If the application has just completed its first release, there may not be any change requests logged in the configuration management repository. In this case, this finding is not applicable. The configuration management repository should contain security classification labels for code and documentation in the repository. Classification labels are not applicable to unclassified systems. 11) If there are no classification labels of code and documentation in the configuration management repository, this is a CAT III finding. The configuration management repository should monitor all objects under CM control for auditing. 12) If the configuration management repository does not audit for modifications, this is a CAT II finding. The SCM plan should identify all components required to be IPV6 capable. 13) If the SCM plan does not identify application components as IPV6 capable, this is a CAT III finding.

Fix: F-17132r1_fix

Update SCM plan to include missing items.

b
The Release Manager will establish a Configuration Control Board (CCB), that meets at least every release cycle, for managing the CM process.
Medium - V-16823 - SV-17823r1_rule
RMF Control
Severity
Medium
CCI
Version
APP4040
Vuln IDs
  • V-16823
Rule IDs
  • SV-17823r1_rule
Software Configuration Management (SCM) is very important in tracking code releases, baselines, and managing access to the configuration management repository. The SCM plan identifies what should be under configuration management control. Without an SCM plan code, and a CCB, releases can be tracked and vulnerabilities can be inserted intentionally or unintentionally into the code base of the application. System AdministratorDCCB-1, DCCB-2
Checks: C-17822r1_chk

Interview the application representative and determine if a CCB exists. Ask about the membership of the CCB, and identify the primary members. Ask if there is a CCB charter documentation. If the application is a COTS/GOTS product or is composed of only COTS/GOTS products with no custom code, this check does not apply unless the application is being reviewed by or in conjunction with the COTS/GOTS vendor in which case this check is applicable. 1) If there is no evidence of CCB, it is a CAT II finding. 2) If the IAM is not part of the CCB, it is a CAT II finding. Interview the application representative and determine how often the CCB meets. Ask if there is CCB charter documentation. The CCB charter documentation should indicate how often the CCB meets. If there is no charter documentation, ask when the last time the CCB met and when was the last release of the application. CCB's do not have to physically meet, and the CCB chair may authorize a release based on phone and/or e-mail conversations. 3) If there is not evidence of a CCB meeting during every release cycle, this a CAT III finding.

Fix: F-17134r1_fix

Setup and maintain a configuration control board.

a
The Test Manager will ensure at least one tester is designated to test for security flaws in addition to functional testing.
Low - V-16824 - SV-17824r1_rule
RMF Control
Severity
Low
CCI
Version
APP5010
Vuln IDs
  • V-16824
Rule IDs
  • SV-17824r1_rule
If there is no person designated to test for security flaws, vulnerabilities can potentially be missed during testing.Information Assurance ManagerDCSQ-1
Checks: C-17823r1_chk

Ask the application representative if an individual has been designated to test for security flaws. 1) If no individual has been designated to test for security flaws, it is a finding.

Fix: F-17139r1_fix

Designate testers for security flaws.

b
The Test Manager will ensure the changes to the application are assessed for IA and accreditation impact prior to implementation.
Medium - V-16825 - SV-17825r1_rule
RMF Control
Severity
Medium
CCI
Version
APP5040
Vuln IDs
  • V-16825
Rule IDs
  • SV-17825r1_rule
IA assessment of proposed changes is necessary to ensure security integrity is maintained within the application.DCII-1
Checks: C-17824r1_chk

Interview the application representative and determine if changes to the application are assessed for IA impact prior to implementation. Review the CCB process documentation to ensure potential changes to the application are evaluated to determine impact. An informal group may be tasked with impact assessment of upcoming version changes. 1) If impact analysis is not performed, it is a finding.

Fix: F-17141r1_fix

Assess changes to the application for IA impact prior to implementation.

b
The Test Manager will ensure tests plans and procedures are created and executed prior to each release of the application or updates to system patches.
Medium - V-16826 - SV-17826r1_rule
RMF Control
Severity
Medium
CCI
Version
APP5050
Vuln IDs
  • V-16826
Rule IDs
  • SV-17826r1_rule
Without test plans and procedures for application releases or updates, unexpected results may occur which could lead to a denial of service to the application or components.System AdministratorDCCT-1
Checks: C-17825r1_chk

Ask the application representative to provide tests plans, procedures, and results to ensure they are updated for each application release or updates to system patches. If the application is a COTS/GOTS product or is composed of only COTS/GOTS products with no custom code, this check does not apply unless the application is being reviewed by or in conjunction with the COTS/GOTS vendor in which case this check is applicable. 1) If test plans, procedures, and results do not exist or are not updated for each application release or updates to system patches, this is a finding.

Fix: F-17143r1_fix

Executed tests plans prior to release or patch update.

b
The Test Manager will ensure test procedures are created and at least annually executed to ensure system initialization, shutdown, and aborts are configured to ensure the system remains in a secure state.
Medium - V-16827 - SV-17827r1_rule
RMF Control
Severity
Medium
CCI
Version
APP5060
Vuln IDs
  • V-16827
Rule IDs
  • SV-17827r1_rule
Secure state assurance cannot be accomplished without testing the system state at least annually to ensure the system remains in a secure state upon intialization, shutdown and abort.System AdministratorDCSS-2
Checks: C-17826r1_chk

Ask the application representative to provide tests plans, procedures and results to ensure system initialization, shutdown, and aborts keep the system in a secure state. If the application is a COTS/GOTS product or is composed of only COTS/GOTS products with no custom code, this check does not apply unless the application is being reviewed by or in conjunction with the COTS/GOTS vendor in which case this check is applicable. 1) If test plans, procedures, and results do not exist ,or at least executed annually, it is a finding.

Fix: F-17144r1_fix

Correct errors in initialization, shutdown, and aborts leaving the system in an unsecure state.

a
The Test Manager will ensure code coverage statistics are maintained for each release of the application.
Low - V-16828 - SV-17828r1_rule
RMF Control
Severity
Low
CCI
Version
APP5070
Vuln IDs
  • V-16828
Rule IDs
  • SV-17828r1_rule
Code coverage statistics describes the how much of the source code has been executed based on the test procedures. System AdministratorDCSQ-1
Checks: C-17827r1_chk

Ask the application representative to provide code coverage statistics maintained for the application. If the application is a COTS/GOTS product or is composed of only COTS/GOTS products with no custom code, this check does not apply unless the application is being reviewed by or in conjunction with the COTS/GOTS vendor in which case this check is applicable. 1) If these code coverage statistics do not exist, it is a finding.

Fix: F-17145r1_fix

Create and maintain code coverage statistics for the application.

b
The Test Manager will ensure a code review is performed before the application is released.
Medium - V-16829 - SV-53700r1_rule
RMF Control
Severity
Medium
CCI
Version
APP5080
Vuln IDs
  • V-16829
Rule IDs
  • SV-53700r1_rule
A code review is a systematic evaluation of computer source code conducted for the purposes of identifying and remediating security flaws. Examples of security flaws include but are not limited to format string exploits, memory leaks, buffer overflows or race conditions. The code review is usually conducted during the application development phase, this allows discovered security issues to be corrected prior to release. A code review can also be performed after the development phase, however, in all instances identified errors must go back to development for correction so conducting the code review during development is the logical and preferred action. Automated code review tools are to be used whenever reviewing application source code. These tools are often incorporated into many Integrated Development Environments (IDE) so code reviews can be conducted during all stages of the development life cycle. Periodically reviewing code during the development phase makes transition to a production environment easier as flaws are continually identified and addressed during the development phase rather than en masse at the end of the development effort. Code review processes and the tools used to conduct the code review analysis will vary depending upon application architecture and the development languages utilized. In addition to automated testing, manual code reviews may also be used to validate or augment automated code review results. Larger projects will have a large code base and will require the use of automated code review tools in order to achieve complete code review coverage. A manual code review may consist of a peer review wherein other programmers on the team manually examine source code and automated code review results for known flaws that introduce security bugs into the application. As with any testing, there is no single best approach and the tests must be tailored to the application architecture. Use of automated tools along with manual review of code and testing results is considered a best practice when conducting code reviews. This method is the most likely way to ensure the maximum number of errors are caught and addressed prior to implementing the application in a production environment. For a list of tools that can be used for source code review, please reference http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html. Please note that reference to these tools does not imply that they have been tested and approved for use by DISA. System AdministratorSystems ProgrammerDCSQ-1
Checks: C-17828r3_chk

Ask the application representative to provide evidence of automated code reviews. This will be in the form of a test plan or methodology which identifies application architecture and components as well as a formal report provided by the automated code review tool plus manual testing results. This requirement requires access to the application source code, if the application is a COTS/GOTS product or is composed of only COTS/GOTS products with no custom code, this check does not apply unless the application is being reviewed by or in conjunction with the COTS/GOTS vendor in which case this check is applicable. 1) If an automated application code review is not performed, this is a finding. 2) If analysis of code review results is not performed, this is a finding. 3) If all application code is not being reviewed, this is a finding. 4) If the code review report includes coding errors that have not been fixed, this is a finding. If identified coding errors have been fixed, this is not a finding. 5) If the code reviews indicate the existence of hard-coded IPv4 or IPV6 addresses, it is a finding.

Fix: F-17146r3_fix

Use automated code review tools, perform manual code reviews to validate and augment automated code review results. Fix identified coding errors and issues prior to releasing application for production use.

b
The Test Manager will ensure flaws found during a code review are tracked in a defect tracking system.
Medium - V-16830 - SV-17830r1_rule
RMF Control
Severity
Medium
CCI
Version
APP5090
Vuln IDs
  • V-16830
Rule IDs
  • SV-17830r1_rule
If flaws are not tracked they may possibly be forgotten to be included in a release. Tracking flaws in the configuration management repository will help identify code elements to be changed, as well as the requested change. System AdministratorDCSQ-1
Checks: C-17829r1_chk

Ask the application representative to demonstrate that the configuration management repository captures flaws in the code review process. The configuration management repository may consist of a separate application for capturing code defects. If the application is a COTS/GOTS product or is composed of only COTS/GOTS products with no custom code, this check does not apply unless the application is being reviewed by or in conjunction with the COTS/GOTS vendor in which case this check is applicable. 1) If there is no configuration management repository or the code review flaws are not captured in the configuration management repository, it is a finding.

Fix: F-17147r1_fix

Track flaws found during a code review.

b
The IAO will ensure active vulnerability testing is performed.
Medium - V-16831 - SV-55789r2_rule
RMF Control
Severity
Medium
CCI
Version
APP5100
Vuln IDs
  • V-16831
Rule IDs
  • SV-55789r2_rule
Use of automated scanning tools accompanied with manual testing/validation which confirms or expands on the automated test results is an accepted best practice when performing application security testing. Automated scanning tools expedite and help to standardize security testing, they can incorporate known attack methods and procedures, test for libraries and other software modules known to be vulnerable to attack and utilize a test method known as "fuzz testing". Fuzz testing is a testing process where the application is provided invalid, unexpected, or random data. Poorly designed and coded applications will become unstable or crash. Properly designed and coded applications will reject improper and unexpected data input from application clients and remain stable. Many vulnerability scanning tools provide automated fuzz testing capabilities for the testing of web applications. All of these tools help to identify a wide range of application vulnerabilities including, but not limited to; buffer overflows, cross-site scripting flaws, denial of service format bugs and SQL injection, all of which can lead to a successful compromise of the system or result in a denial of service. Due to changes in the production environment, it is a good practice to schedule periodic active testing of production web applications. Ideally, this will occur prior to deployment and after updates or changes to the application production environment. It is imperative that automated scanning tools are configured properly to ensure that all of the application components that can be tested are tested. In the case of web applications, some of the application code base may be accessible on the web site and could potentially be corrected by a knowledgeable system administrator. Active testing is different from code review testing in that active testing does not require access to the application source code base. A code review requires complete code base access and is normally performed by the development team. If vulnerability testing is not conducted, there is the distinct potential that security vulnerabilities could be unknowingly introduced into the application environment. The following website provides an overview of fuzz testing and examples: http://www.owasp.org/index.php/Fuzzing The following website provides information on web application vulnerability scanner tools. Reference the “Related Links” section at the bottom of the page for a list of available commercial and open source tools. http://samate.nist.gov/index.php/Web_Application_Vulnerability_Scanners.html Please note that reference to these tools does not imply that they have been tested and approved for use by DISA. System AdministratorInformation Assurance OfficerDCSQ-1
Checks: C-17830r2_chk

Ask the application representative to provide vulnerability test procedures and vulnerability test results. Ask the application representative to provide the settings that were used to conduct the vulnerability testing. Verify the automated vulnerability scanning tool was appropriately configured to assure as complete a test as possible of the application architecture components. E.g. if the application includes a web server, web server tests must be included. 1) If the application test procedures and test results do not include active vulnerability and fuzz testing this is a finding. 2) If the vulnerability scan results include critical vulnerabilities, this is a finding. 3) If the vulnerability scanning tests are not relevant to the architecture of the application, it is a finding. 4) If the vulnerability scan report includes informational and/or non-critical results this is not a finding. 5) If previously identified vulnerabilities have subsequently been resolved, this is not a finding.

Fix: F-17148r3_fix

Perform active vulnerability and fuzz testing of the application. Ensure the vulnerability scanning tool is configured to test all application components and functionality. Address discovered vulnerabilities.

b
The Test Manager will ensure security flaws are fixed or addressed in the project plan.
Medium - V-16832 - SV-17832r1_rule
RMF Control
Severity
Medium
CCI
Version
APP5110
Vuln IDs
  • V-16832
Rule IDs
  • SV-17832r1_rule
If security flaws are not tracked, they may possibly be forgotten to be included in a release. Tracking flaws in the project plan will help identify code elements to be changed as well as the requested change. System AdministratorDCSQ-1
Checks: C-17831r1_chk

Ask the application representative to demonstrate how security flaws are integrated into the project plan. If the application is a COTS/GOTS product or is composed of only COTS/GOTS products with no custom code, this check does not apply unless the application is being reviewed by or in conjunction with the COTS/GOTS vendor in which case this check is applicable. 1) If security flaws are not addressed in the project plan or there is no process to introduce security flaws into the project plan, it is a finding.

Fix: F-17149r1_fix

Address security flaws in the project plan.

b
The IAO will ensure if an application is designated critical, the application is not hosted on a general purpose machine.
Medium - V-16833 - SV-17833r1_rule
RMF Control
Severity
Medium
CCI
Version
APP6010
Vuln IDs
  • V-16833
Rule IDs
  • SV-17833r1_rule
Critical applications should not be hosted on a multi-purpose server with other applications. Applications that share resources are susceptible to the other shared application security defects. Even if the critical application is designed and deployed securely, an application that is not designed and deployed securely, can cause resource issues and possibly crash effecting the critical application. System AdministratorDCSQ-1
Checks: C-17839r1_chk

Ask the application representative to review the servers where the application is deployed. Also, ask what other applications are deployed on those servers. 1) If a mission critical (MAC I) application is deployed on the same server as other applications, it is a finding.

Fix: F-17150r1_fix

Deploy mission critical (MAC I) applications on servers that are not shared by other applications.

b
The IAO shall ensure if a DoD STIG or NSA guide is not available, a third-party product will be configured by the following in descending order as available: 1) commercially accepted practices, (2) independent testing results, or (3) vendor literature.
Medium - V-16834 - SV-17834r1_rule
RMF Control
Severity
Medium
CCI
Version
APP6020
Vuln IDs
  • V-16834
Rule IDs
  • SV-17834r1_rule
Not all COTS products are covered by a STIG. Those products not covered by a STIG, should be minimally configured to vendors recommendation guidelines. System AdministratorDCCS-1
Checks: C-17840r1_chk

If a DoD STIG or NSA guide is not available, application and application components will be configured by the following in descending order as available: (1) commercially accepted practices, (2) independent testing results, or (3) vendor literature. 1) If the application and application components do not have DoD STIG or NSA guidance available and not configured by (1) commercially accepted practices, (2) independent testing results, or (3) vendor literature, it is a finding.

Fix: F-17151r1_fix

If a DoD STIG or NSA guide is not available, configured the application using the following in descending order as available: (1) commercially accepted practices, (2) independent testing results, or (3) vendor literature.

b
The IAO will ensure at least one application administrator has registered to receive update notifications, or security alerts, when automated alerts are available.
Medium - V-16835 - SV-17835r1_rule
RMF Control
Severity
Medium
CCI
Version
APP6040
Vuln IDs
  • V-16835
Rule IDs
  • SV-17835r1_rule
Administrators should register for updates to all COTS and custom developed software, so when security flaws are identified, they can be tracked for testing and updates of the application can be applied. DCCT-1
Checks: C-17841r1_chk

Review the components of the application. Deployment personnel should be registered to receive updates to all components of the application, such as Web Server, Application Servers, and Database Servers. Also, if update notifications are provided to any custom developed software, deployment personnel should also register for these updates. Ask the application representative to demonstrate deployment personnel are registered to receive notifications for updates to all the application components including and custom developed software. 1) If the application provides automated alerts for update notifications, and no deployment personnel are registered to receive the alerts, it is a finding.

Fix: F-17153r1_fix

Register administrator to receive updates.

b
The IAO will ensure the system and installed applications have current patches, security updates, and configuration settings.
Medium - V-16836 - SV-17836r1_rule
RMF Control
Severity
Medium
CCI
Version
APP6050
Vuln IDs
  • V-16836
Rule IDs
  • SV-17836r1_rule
Due to viruses, worms, Trojans, and other malicious software, in addition to inevitable weaknesses in code, the necessity to patch critical vulnerabilities is paramount. As part of the general practice of performing application or system administration, it is imperative that security vulnerabilities from the vendor are monitored and patches are tested and applied.System AdministratorDCCT-1
Checks: C-17842r1_chk

Ask the application representative to review the Configuration Management Plan. Ensure procedures exist addressing the test and implementation process for all patches, upgrades, and application deployments. Verify all IPv6 applicable patches have been applied. Verify all vendor provided IPv6 related patches been installed. 1) If required patches are missing, it is a finding. 2) If procedures do not exist or are deficient, it is a finding.

Fix: F-17154r1_fix

Install current patches and update configurations.

c
The IAO will ensure the application is decommissioned when maintenance or support is no longer available.
High - V-16837 - SV-17837r1_rule
RMF Control
Severity
High
CCI
Version
APP6060
Vuln IDs
  • V-16837
Rule IDs
  • SV-17837r1_rule
When maintenance no longer exists for an application, there are no individuals responsible for providing security updates. The application is no longer supported, and should be decommissioned. System AdministratorDCSD-1, ECSC-1
Checks: C-17843r1_chk

Interview the application representative and determine if all the application components are under maintenance. The entire application may be covered by a single maintenance agreement. The application should be decommissioned if maintenance or security support is no longer being provided by the vendor or by the development staff of a custom developed application. 1) If the application or any of the application components are not being maintained, it is a finding.

Fix: F-17157r1_fix

Ensure there is maintenance for the application.

a
Procedures are not in place to notify users when an application is decommissioned.
Low - V-16838 - SV-17838r1_rule
RMF Control
Severity
Low
CCI
Version
APP6070
Vuln IDs
  • V-16838
Rule IDs
  • SV-17838r1_rule
When maintenance no longer exists for an application, there are no individuals responsible for making security updates. The application should maintain procedures for decommissioning. System AdministratorDCSD-1
Checks: C-17844r1_chk

Interview the application representative to determine if provisions are in place to notify users when an application is decommissioned. 1) If provisions are not in place to notify users when an application is decommissioned, it is a finding.

Fix: F-17158r1_fix

Create and establish procedures to notify users when an application is decommissioned.

b
The IAO will ensure protections against DoS attacks are implemented.
Medium - V-16839 - SV-17839r1_rule
RMF Control
Severity
Medium
CCI
Version
APP6080
Vuln IDs
  • V-16839
Rule IDs
  • SV-17839r1_rule
Known threats documented in the threat model should be mitigated, to prevent DoS type attacks. System AdministratorDCSQ-1
Checks: C-17845r1_chk

Ask the application representative to review the threat model for DoS attacks. Verify the mitigation for DoS attacks are implemented from the threat model. If the application is a COTS/GOTS product or is composed of only COTS/GOTS products with no custom code, this check does not apply unless the application is being reviewed by or in conjunction with the COTS/GOTS vendor in which case this check is applicable. 1) If the mitigation from the threat model for DoS attacks are not implemented, it is a finding.

Fix: F-17159r1_fix

Implement mitigations from the threat model for DOS attacks.

a
The IAO will ensure the system alerts an administrator when low resource conditions are encountered.
Low - V-16840 - SV-17840r1_rule
RMF Control
Severity
Low
CCI
Version
APP6090
Vuln IDs
  • V-16840
Rule IDs
  • SV-17840r1_rule
In order to prevent DoS type attacks, applications should be monitored when resource conditions reach a predefined threshold indicating there may be attack occurring.System AdministratorECAT-2
Checks: C-17846r1_chk

Examine the system to determine if an automated, continuous on-line monitoring and audit trail creation capability is present with the capability to immediately alert personnel of any unusual or inappropriate activity with potential IA implications, and with a user configurable capability to automatically disable the system if serious IA violations are detected. 1) If this monitoring capability does not exist, it is a finding.

Fix: F-17161r1_fix

Implement mechanisms to alert system administrators about a low resource condition.

a
The IAO will review audit trails periodically based on system documentation recommendations or immediately upon system security events.
Low - V-16841 - SV-17841r1_rule
RMF Control
Severity
Low
CCI
Version
APP6110
Vuln IDs
  • V-16841
Rule IDs
  • SV-17841r1_rule
Without access control the data is not secure. It can be compromised, misused, or changed by unauthorized access at any time.ECCD-2
Checks: C-17848r1_chk

Interview application representative and ask for the system documentation that states how often audit logs are reviewed. Also, determine when the audit logs were last reviewed. 1) If the application representative cannot provide system documentation identifying how often the auditing logs are reviewed, or has not audited within the last time period stated in the system documentation, it is a finding.

Fix: F-17162r1_fix

Review audit logs on a periodic basis.

b
The IAO will report all suspected violations of IA policies in accordance with DoD information system IA procedures.
Medium - V-16842 - SV-17842r1_rule
RMF Control
Severity
Medium
CCI
Version
APP6120
Vuln IDs
  • V-16842
Rule IDs
  • SV-17842r1_rule
All potential sources are monitored for suspected violations of IA policies. If there are not policies regarding the reporting of IA violations, some IA violations may not be tracked or dealt with in a proper manner. System AdministratorECAT-2
Checks: C-17849r1_chk

Interview the application representative and review the SOPs to ensure that violations of IA policies are analyzed and reported. 1) If there is no policy reporting IA violations, it is a finding.

Fix: F-17164r1_fix

Establish an IA policy for reporting violations.

a
The IAO will ensure, for classified systems, application audit trails are continuously and automatically monitored, and alerts are provided immediately when unusual or inappropriate activity is detected.
Low - V-16843 - SV-17843r1_rule
RMF Control
Severity
Low
CCI
Version
APP6130
Vuln IDs
  • V-16843
Rule IDs
  • SV-17843r1_rule
For critical and classified systems, an automated, continuous on-line monitoring and audit trail creation capability must be deployed with the capability to immediately alert personnel of any unusual or inappropriate activity with potential IA implications, and with a user configurable capability to automatically disable the system if serious IA violations are detected. This protects the system from serious data compromises. ECAT-2
Checks: C-17850r1_chk

Interview the application representative and determine if any logs are being automatically monitored and if alerts are sent out on any activities. 1) If there are no automated alerts, this is a finding.

Fix: F-17165r1_fix

Modify the application to implement automatic monitoring and alerts.

b
The IAO will ensure back-up copies of the application software are stored in a fire-rated container and not collocated with operational software.
Medium - V-16844 - SV-17844r1_rule
RMF Control
Severity
Medium
CCI
Version
APP6170
Vuln IDs
  • V-16844
Rule IDs
  • SV-17844r1_rule
Inadequate back-up software or improper storage of back-up software can result in extended outages of the information system in the event of a fire or other situation that results in destruction of the operating copy.System AdministratorCOSW-1
Checks: C-17853r1_chk

Verify that a licensed copy of the operating system software and other critical software is in a fire rated container or stored separately (offsite) from the operational software. 1) If operating system software and other critical software is not in a fire rated container, or stored offsite, it is a finding.

Fix: F-17166r1_fix

Store a licensed copy of the application software in a fire rated container or store it separately (off-site) from the operational software.

b
The IAO will ensure procedures are in place to assure the appropriate physical and technical protection of the backup and restoration of the application.
Medium - V-16845 - SV-17845r1_rule
RMF Control
Severity
Medium
CCI
Version
APP6180
Vuln IDs
  • V-16845
Rule IDs
  • SV-17845r1_rule
Protection of backup and restoration assets is essential for the successful restore of operations after a catastrophic failure or damage to the system or data files. Failure to follow proper procedures may result in the permanent loss of system data and/or the loss of system capability resulting in failure of the customers mission.System AdministratorCOBR-1
Checks: C-17856r1_chk

Validate that backup and recovery procedures incorporate protection of the backup and restoration assets. Verify assets housing the backup data (e.g., SANS, tapes, backup directories, software) and the assets used for restoration (e.g., equipment and system software) are included in the backup and recovery procedures. 1) If backup and restoration devices are not included in the recovery procedures, it is a finding.

Fix: F-17167r1_fix

Develop and implement procedures to insure that backup and restoral assets are properly protected and stored in an area/location where it is unlike they would be affected by an event that would affect the primary assets.

b
The IAO will ensure a disaster recovery plan exists in accordance with DoD policy based on the Mission Assurance Category (MAC).
Medium - V-16846 - SV-17846r1_rule
RMF Control
Severity
Medium
CCI
Version
APP6200
Vuln IDs
  • V-16846
Rule IDs
  • SV-17846r1_rule
Well thought out recovery plans are essential for system recovery and/or business restoration in the event of catastrophic failure or disaster.System AdministratorCODB-1, CODB-2, CODP-3
Checks: C-17858r1_chk

All applications should document disaster recovery procedures to include business recovery plans, system contingency plans, facility disaster recovery plans, and plan acceptance. Ask the application representative to review these plans. For MAC 1 applications, verify the disaster plan exists and provides for the smooth transfer of all mission or business essential functions to an alternate site for the duration of an event with little or no loss of operational continuity. For MAC 2 applications, verify the disaster plan exists and provides for the resumption of mission or business essential functions within 24 hours activation. For MAC 3 applications, verify the disaster plan exists and provides for the partial resumption of mission or business essential functions within 5 days of activation. 1) If the disaster plan does not exist or does not meet the MAC level requirements, this is a finding.

Fix: F-17168r1_fix

Create and maintain the disaster recovery plan.

b
The IAO will ensure an account management process is implemented, verifying only authorized users can gain access to the application, and individual accounts designated as inactive, suspended, or terminated are promptly removed.
Medium - V-16847 - SV-17847r1_rule
RMF Control
Severity
Medium
CCI
Version
APP6210
Vuln IDs
  • V-16847
Rule IDs
  • SV-17847r1_rule
A comprehensive account management process will ensure that only authorized users can gain access to applications and that individual accounts designated as inactive, suspended, or terminated are promptly deactivated. Such a process greatly reduces the risk that accounts will be misused, hijacked, or data compromised.System AdministratorIAAC-1
Checks: C-17860r1_chk

Interview the application representative to verify that a documented process exists for user and system account creation, termination, and expiration. Obtain a list of recently departed personnel and verify that their accounts were removed or deactivated on all systems in a timely manner (e.g., less than two days). 1) If a documented account management process does not exist or unauthorized users have active accounts, it is a finding.

Fix: F-17169r1_fix

Establish an account management process.

c
The IAO will ensure passwords generated for users are not predictable and comply with the organization's password policy.
High - V-16848 - SV-17848r1_rule
RMF Control
Severity
High
CCI
Version
APP6220
Vuln IDs
  • V-16848
Rule IDs
  • SV-17848r1_rule
Predictable passwords may allow an attacker to gain immediate access to new user accounts which would result in a loss of integrity. Any vulnerability associated with a DoD Information system or system enclave, the exploitation of which, by a risk factor, will directly and immediately result in loss of Confidentiality, Availability or Integrity of the system associated data. System AdministratorIAIA-1, IAIA-2
Checks: C-17861r1_chk

Ask the application representative to examine the organization's password policy. 1) If non-human/service accounts are used and are not included in the password policy, it is a finding. 2) If non-human/service accounts policy does not require these accounts to change yearly or when someone with access to the password leaves the duty assignment, it is a finding. The configuration interface may not reveal information related to all the required elements. If this is the case, attempt to violate each element to determine if the policy is enforced. For example, attempt to change a password to one that does not meet the requirements. 3) If there are any shortcomings in the password policy or the configured behavior of any user account, it is a finding. The finding details should note which user accounts are impacted, which of the password parameters are deficient, the current values of these parameters, and the relevant required values. Also, ask the application representative to generate two user account passwords. 4) If there is a recognizable pattern in password generation, it is a finding.

Fix: F-17170r1_fix

Generate passwords to comply with the organization's password policy.

b
The IAO will ensure the application's users do not use shared accounts.
Medium - V-16849 - SV-17849r1_rule
RMF Control
Severity
Medium
CCI
Version
APP6230
Vuln IDs
  • V-16849
Rule IDs
  • SV-17849r1_rule
Group or shared accounts for application access may be used only in conjunction with an individual authenticator. Group accounts do not allow for proper auditing of who is accessing the application and security incidents cannot be attributed to specific individuals. System AdministratorIAGA-1
Checks: C-17862r1_chk

Ask the application representative if a group of users share login information to the system. 1) If an account that belongs to a group that can login to the system, this is a finding. 2) If there is a login shared by more than one user, this is a finding.

Fix: F-17171r1_fix

Remove group or shared accounts.

b
The IAO will ensure connections between the DoD enclave and the Internet or other public or commercial wide area networks require a DMZ.
Medium - V-16850 - SV-17850r1_rule
RMF Control
Severity
Medium
CCI
Version
APP6270
Vuln IDs
  • V-16850
Rule IDs
  • SV-17850r1_rule
In order to protect DoD data and systems, all remote access to DoD information systems must be mediated through a managed access control point, such as a remote access server in a DMZ. System AdministratorEBPW-1
Checks: C-17866r1_chk

Interview the application representative and determine if the application is publicly accessible. 1) If the application is publicly accessible and traffic is not being routed through a DMZ, it is a finding.

Fix: F-17172r1_fix

Setup DMZ between DoD and public networks.

c
The IAO will ensure web servers are on logically separate network segments from the application and database servers if it is a tiered application.
High - V-19687 - SV-21828r1_rule
RMF Control
Severity
High
CCI
Version
APP6280
Vuln IDs
  • V-19687
Rule IDs
  • SV-21828r1_rule
Web servers should be on logically separated network segments from the application and database servers in order to provide different levels and types of defenses for each type of server. Failure to comply would result in an immediate loss of confidentiality. This requirement to this STIG was added at the request of the DoD DMZ PM. The goal is to ensure this requirement is addressed as the application is being developed. This requirement and severity was previously approved by the DSAWG in the Internet-NIPRNet DoD DMZ Inrecrement 1, Phase 1 STIG. Any vulnerability associated with a DoD Information system or system enclave, the exploitation of which, by a risk factor, will directly and immediately result in loss of Confidentiality, Availability or Integrity of the system associated data. DCPA-1
Checks: C-24084r1_chk

Ask the application representative for a network diagram. Review the network diagram for web servers/web services, web application servers, and database servers. If the application is a tiered web application located in the DoD DMZ and is available to the Internet, verify web servers are on logically separate network segments from the application and database servers. If the application is a tiered web application containing different data types, the application must have physically separate network connections, operating systems and application instances for each data type in the web tier when the application is available to the Internet. This check does not apply to SIPRNet DMZs or applications that are not available to the Internet. 1) In a tiered DMZ web application with similar data types, if the web server is not on a logically separate network segment from the application and database servers and the application is available to the Internet it is a finding. *Note: Physically separate networks require distinct physical network devices for connections. (e.g. two separate switches or two separate routers)

Fix: F-23101r1_fix

Seperate web server and place it on logically seperate network segment apart from the application and database servers.

c
The designer and the IAO will ensure physical operating system separation and physical application separation is employed between servers of different data types in the web tier of Increment 1/Phase 1 deployment of the DoD DMZ for Internet-facing applications.
High - V-19688 - SV-21829r1_rule
RMF Control
Severity
High
CCI
Version
APP6290
Vuln IDs
  • V-19688
Rule IDs
  • SV-21829r1_rule
Restricted and unrestricted data residing on the same server may allow unauthorized access which would result in a loss of integrity and possibly the availability of the data. This requirement to this STIG was added at the request of the DoD DMZ PM. The goal is to ensure this requirement is addressed as the application is being developed. This requirement and severity was previously approved by the DSAWG in the Internet-NIPRNet DoD DMZ Increment 1, Phase 1 STIG. *This requirement does not apply to SIPRNet DMZs. DCPA-1
Checks: C-24085r1_chk

Ask the application representative for a network diagram. Review the network diagram for web servers/web services or any server in the web tier of the DoD DMZ. Verify restricted and unrestricted servers are installed on separate VLANS. 1) If restricted and unrestricted servers in the Web Tier of the DoD DMZ are not installed on separate VLANS, it is a finding. *Note: This check does not apply to SIPRNet DMZs.

Fix: F-23071r1_fix

Move restricted and unrestricted data to different servers.

b
The designer will ensure web services are designed and implemented to recognize and react to the attack patterns associated with application-level DoS attacks.
Medium - V-19689 - SV-21830r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3760
Vuln IDs
  • V-19689
Rule IDs
  • SV-21830r1_rule
Because of potential denial of service, web services should be designed to recognize potential attack patterns. DCSQ-1
Checks: C-24086r1_chk

Ask the application representative for design documentation, review the design documentation and ensure the application employs methods for XML schema validation and disables use of inline XML Document Type Definition (DTD) schemas in XML parsing objects. Managing DTD parsing behavior is a key to preventing the invocation of XML bombs. DTD parsing is controlled within the .Net application framework in .NET applications. 1) If the design document does not exist or address the specified web service, it is a finding. 2) If the Application does not employ any method of schema validation, it is a finding. 3) If the Application does not disable the use of inline XML Document Type Definition (DTD) schemas it is a finding.

Fix: F-23043r1_fix

Design Web services to recognize attacks.

b
The designer will ensure the web service design includes redundancy of critical functions.
Medium - V-19690 - SV-21831r2_rule
RMF Control
Severity
Medium
CCI
Version
APP3770
Vuln IDs
  • V-19690
Rule IDs
  • SV-21831r2_rule
Because of potential denial of service, web services should be designed to be redundant. DCSQ-1
Checks: C-24087r2_chk

Ask the application representative for the design document. Review the design document for web services. Review the design and verify there is redundancy for web services. Redundancy may be accomplished by deploying the same web service over multiple network devices. For MAC I systems: 1) If the design document does not exist or does not indicate the existence of redundant web services or the application representative is not able to demonstrate redundant web services, it is a finding. 2) For MAC II and MAC III systems if the design document does not exist, it is a finding. The requirement for redundant web services is NA for MAC II and MAC III

Fix: F-23096r1_fix

Setup multiple instances of the web service with different URLs.

b
The designer will ensure web service design of critical functions is implemented using different algorithms to prevent similar attacks from forming a complete application level DoS.
Medium - V-19691 - SV-21832r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3780
Vuln IDs
  • V-19691
Rule IDs
  • SV-21832r1_rule
Denial of service attacks could occur if web services use the same algorithm for all critical features. An algorithm is defined as: an effective method expressed as a finite list of well-defined instructions. Combining a large array of varying, unrelated functionality into a single web service increases the chances that the service may become susceptible to a DoS attack which could affect not only the individual service, but the entire application as well. DCSQ-1
Checks: C-24088r1_chk

Ask the application representative for the design document. Review the design document for web services. Review the design and verify web services have been implemented differently to prevent similar attacks from a complete DoS. For MAC I and MAC II systems: 1) If the design document does not exist or does not indicate web services have been implemented with different algorithms, this is a finding. For MAC III systems: 2) If the design document does not exist this is a finding.

Fix: F-23044r1_fix

Implement web service critical functions using different algorithms to prevent similar attacks from a complete application level DoS.

b
The designer will ensure web services are designed to prioritize requests to increase availability of the system.
Medium - V-19692 - SV-21833r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3790
Vuln IDs
  • V-19692
Rule IDs
  • SV-21833r1_rule
Because of potential denial of service, web services should be designed to prioritize web service requests. DCSQ-1
Checks: C-24089r1_chk

Ask the application representative for the design document. Review the design document for web services. Review the design and verify all web services can prioritize requests. Techniques used to prioritize web services include but are not limited to using Quality of Service (QoS) or some other means of reliable messaging such as WS_Reliability or WS_ReliableMessaging 1) For MAC I and MAC II systems; If the design document does not exist or does not indicate all web services can prioritize requests, this is a finding. 2) If the system is a MAC III system this requirement is NA

Fix: F-23045r1_fix

Implement priority based web services requests.

b
The designer will ensure execution flow diagrams are created and used to mitigate deadlock and recursion issues.
Medium - V-19693 - SV-21834r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3800
Vuln IDs
  • V-19693
Rule IDs
  • SV-21834r1_rule
To prevent web services from becoming deadlocked, an execution flow diagram should be documented. DCSQ-1
Checks: C-24090r1_chk

Ask the application representative for execution flow diagrams. Review the execution flow diagrams and determine if all web services are covered in the flow diagrams. 1) If execution flow diagrams do not exist or are not complete, this is a finding.

Fix: F-23046r1_fix

Create and maintain web service execution flow diagrams.

b
The IAO will ensure an XML firewall is deployed to protect web services.
Medium - V-19694 - SV-21835r1_rule
RMF Control
Severity
Medium
CCI
Version
APP6300
Vuln IDs
  • V-19694
Rule IDs
  • SV-21835r1_rule
Web Services are vulnerable to many types of attacks. XML based firewalls can be used to prevent common attacks. DCSQ-1
Checks: C-24091r1_chk

Ask the application representative to verify whether XML based web services are used within the application. If no XML based web services are used in the application, this check is not applicable. If XML based web services are used within the application, ask the application representative for a network diagram identifying the XML firewall placement. Review the network diagrams and determine if all web services are protected by the XML firewall. 1) If network diagrams do not exist or all web services are not protected by the XML firewall, it is a finding.

Fix: F-23072r1_fix

Deploy XML Firewall to protect web services.

c
The designer will ensure web services provide a mechanism for detecting resubmitted SOAP messages.
High - V-19695 - SV-21836r1_rule
RMF Control
Severity
High
CCI
Version
APP3820
Vuln IDs
  • V-19695
Rule IDs
  • SV-21836r1_rule
SOAP messages should be designed so duplicate messages are detected. Replay attacks may lead to a loss of confidentiality and potentially a loss of availability Any vulnerability associated with a DoD Information system or system enclave, the exploitation of which, by a risk factor, will directly and immediately result in loss of Confidentiality, Availability or Integrity of the system associated data. DCSQ-1
Checks: C-24092r1_chk

Ask the application representative for the design document. Review the design document for all web services. Review the design and verify all web services are able to detect resubmitted SOAP message requests. Look for the use of WS_Reliability or WS_ReliableMessaging standards. WS_Reliability or WS_ReliableMessaging syntax includes the use of "At-Most" semantics which guarantees that a duplicate message will not be delivered or "Exactly-Once" which guarantees a message will be delivered without duplication. If the application developer uses other reliable messaging standards to detect re-submitted messages, the developer should provide information as to how those standards meet this requirement. 1) If the design document does not indicate all web services are able to detect resubmitted SOAP message requests, this is a finding.

Fix: F-23097r1_fix

Design web services with the functionality to detect resubmitted SOAP messages.

b
The designer and IAO will ensure digital signatures exist on UDDI registry entries to verify the publisher.
Medium - V-19696 - SV-21837r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3830
Vuln IDs
  • V-19696
Rule IDs
  • SV-21837r1_rule
UDDI registries must provide digital signatures for verification of integrity of the publisher of each web service contained within the registry. Users publishing to the UDDI repository could potentially setup multiple fraudulent web services without a digital signature associated with each web service. DCSQ-1
Checks: C-24093r1_chk

If the application does not utilize UDDI registries or if the application utilizes the DISA PEO-GES managed UDDI registry and the DISA PEO-GES registry employs processes/procedures that control user access for publishing to the UDDI registry, this check is not applicable. Ask the application representative for the URL for the WSDL for all web services used in the application. Download each WSDL entry using a web browser and verify each entry has been signed by a publisher certificate. 1) If all WSDL entries have not been signed, it is a finding.

Fix: F-23049r1_fix

Add digital signatures to UDDI registries.

b
The designer and IAO will ensure UDDI versions are used supporting digital signatures of registry entries.
Medium - V-19697 - SV-21838r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3840
Vuln IDs
  • V-19697
Rule IDs
  • SV-21838r1_rule
UDDI repositories must provide the capability to support digital signatures. Without the capability to support digital signatures, web service users cannot verify the integrity of the UDDI registry. DCSQ-1
Checks: C-24094r1_chk

If the application does not utilize UDDI registries, this check is not applicable. Ask the application representative for design document and verify the version of the UDDI registry used. UDDI Version 3.0 and above repositories supports digital signatures for web services. 1) If the UDDI registry is not Version 3 or above, this is a finding.

Fix: F-23051r1_fix

UDDI repository does not support digital signature.

b
The designer and IAO will ensure UDDI publishing is restricted to authenticated users.
Medium - V-19698 - SV-21839r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3850
Vuln IDs
  • V-19698
Rule IDs
  • SV-21839r1_rule
Ficticious or false entries could result if someone other than an authenticated user is able to create or modify the UDDI registry. The data integrity would be questionable if anonymous users are able to write to the repository.DCSQ-1
Checks: C-24095r1_chk

If the application does not utilize UDDI registries, this check is not applicable. Ask the application representative to demonstrate UDDI publishing is restricted to authenticated users. 1) If application representative is unable to demonstrate UDDI publishing is restricted to authenticated users, it is a finding.

Fix: F-23052r1_fix

Restrict UDDI publishing only to authenticated users.

b
The IAO will ensure web service inquiries to UDDI provide read-only access to the registry to anonymous users.
Medium - V-19699 - SV-21840r1_rule
RMF Control
Severity
Medium
CCI
Version
APP6310
Vuln IDs
  • V-19699
Rule IDs
  • SV-21840r1_rule
If modification of UDDI registries are allowed by anonymous users, UDDI registries can be corrupted, or potentially be hijacked. ECLP-1
Checks: C-24096r1_chk

If the application does not utilize UDDI registries, this check is not applicable. Ask the application representative to demonstrate web service inquiries to UDDI provide read-only access to the registry for anonymous users. 1) If application representative is unable to demonstrate web service inquiries to UDDI provide read-only access to the registry for anonymous users, it is a finding.

Fix: F-23073r1_fix

Place access control mechanisms on UDDI registries.

b
The IAO will ensure if the UDDI registry contains sensitive information and read access to the UDDI registry is granted only to authenticated users.
Medium - V-19700 - SV-21841r1_rule
RMF Control
Severity
Medium
CCI
Version
APP6320
Vuln IDs
  • V-19700
Rule IDs
  • SV-21841r1_rule
If a UDDI registry contains sensitive data, the repository should require authentication to read the UDDI data repository. If the repository does not require authentication, the UDDI data repository will be accessed by anonymous users. ECCR-1, ECCR-2
Checks: C-24097r1_chk

If the application does not utilize UDDI registries, this check is not applicable. Ask the application representative to demonstrate authentication is required when UDDI registry contains sensitive information. 1) If the application representative is unable to demonstrate authentication is required when UDDI registry contains sensitive information, it is a finding.

Fix: F-23074r1_fix

Add access control mechanism for access to sensitive UDDI XML.

b
The designer will ensure SOAP messages requiring integrity, sign the following message elements: -Message ID -Service Request -Timestamp -SAML Assertion (optionally included in messages)
Medium - V-19701 - SV-21842r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3860
Vuln IDs
  • V-19701
Rule IDs
  • SV-21842r1_rule
Digitally signed SOAP messages provide message integrity and authenticity of the signer of the message independent of the transport layer. Service requests may be intercepted and changed in transit and the data integrity may be at risk if the SOAP message is not digitally signed. ECTM-1
Checks: C-24098r1_chk

If the application does not utilize SOAP messages, this check is not applicable. Ask the application representative for the design document. Review the design document for web services using SOAP messages. Review the design document and verify the message elements Message ID, Service Request, Timestamp and SAML Assertion are signed. 1) If the design document does not exists or does not indicate the entire SOAP messages requiring integrity do not have the appropriate fields, it is a finding.

Fix: F-23098r1_fix

Sign the following message elements for SOAP messages requiring integrity: -Message ID -Service Request -Timestamp -SAML Assertion.

c
The designer will ensure when using WS-Security, messages use timestamps with creation and expiration times.
High - V-19702 - SV-55089r1_rule
RMF Control
Severity
High
CCI
Version
APP3870
Vuln IDs
  • V-19702
Rule IDs
  • SV-55089r1_rule
The lack of timestamps could lead to the eventual replay of the message, leaving the application susceptible to replay events which may result in an immediate loss of confidentiality. Any vulnerability associated with a DoD Information system or system enclave, the exploitation of which, by a risk factor, will directly and immediately result in loss of Confidentiality, Availability or Integrity of the system associated data. ECTM-2, IAIA-2
Checks: C-24099r1_chk

Examine the contents of a SOAP message using WS Security, all messages should contain timestamps, sequence numbers, and expiration. 1) If messages using WS Security do not contain timestamps, sequence numbers, and an expiration, it is a finding.

Fix: F-23058r1_fix

Design application using WS-Security messages to use timestamps with creation and expiration times.

c
The designer will ensure validity periods are verified on all messages using WS-Security or SAML assertions.
High - V-19703 - SV-21844r1_rule
RMF Control
Severity
High
CCI
Version
APP3880
Vuln IDs
  • V-19703
Rule IDs
  • SV-21844r1_rule
When using WS-Security in SOAP messages, the application should check the validity of the timestamps with creation and expiration times. Unvalidated timestamps may lead to a replay event and provide immediate unauthorized access of the application. Unauthorized access results in an immediate loss of confidentiality. Any vulnerability associated with a DoD Information system or system enclave, the exploitation of which, by a risk factor, will directly and immediately result in loss of Confidentiality, Availability or Integrity of the system associated data. IAIA-2
Checks: C-24100r1_chk

Ask the application representative for the design document. Review the design document for web services. Review the design document and verify validity periods are checked on all messages using WS-Security or SAML assertions. 1) If the design document does not exist, or does not indicate validity periods are checked on messages using WS-Security or SAML assertions, it is a finding.

Fix: F-23059r1_fix

Design the application to use validity periods are verified on all WS-Security token profiles and SAML Assertions

b
The designer shall ensure each unique asserting party provides unique assertion ID references for each SAML assertion.
Medium - V-19704 - SV-21845r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3890
Vuln IDs
  • V-19704
Rule IDs
  • SV-21845r1_rule
SAML assertion identifiers should be unique across a server implementation. Duplicate SAML assertion identifiers could lead to unauthorized access to a web service. IAIA-2
Checks: C-24101r1_chk

If the application does not utilize SAML, this check is not applicable. Ask the application representative for the design document. Review the design document for web services using SAML assertions. Review the design document and verify SAML assertion identifiers are not reused by a single asserting party. 1) If the design document does exist, or does not indicate SAML assertion identifiers which are unique for each asserting party, it is a finding.

Fix: F-23060r1_fix

Design each SAML asserting authority to use unique assertion identifiers.

b
The designer shall ensure encrypted assertions, or equivalent confidentiality protections, when assertion data is passed through an intermediary, and confidentiality of the assertion data is required to pass through the intermediary.
Medium - V-19705 - SV-21846r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3900
Vuln IDs
  • V-19705
Rule IDs
  • SV-21846r1_rule
The confidentially of the data in a message as the message is passed through an intermediary web service may be required to be restricted by the intermediary web service. The intermediary web service may leak or distribute the data contained in a message if not encrypted or protected. IAIA-2
Checks: C-24102r1_chk

If the application does not utilize WS-Security tokens, this check is not applicable. Ask the application representative for the design document. Review the design document for web services using WS-Security tokens. Review the design document and verify all WS-Security tokens are only transmitted after both receiving and sending services have been mutually PKI authenticated. 1) If the design document does not exist, or does not indicate all WS-Security tokens are only transmitted after both receiving and sending services have been mutually PKI authenticated, it is a finding.

Fix: F-23061r1_fix

Encrypt assertions or use equivalent confidentiality when sensitive assertion data is passed through an intermediary.

b
The designer will ensure the application is compliant with all DoD IT Standards Registry (DISR) IPv6 profiles.
Medium - V-19706 - SV-21847r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3960
Vuln IDs
  • V-19706
Rule IDs
  • SV-21847r1_rule
If the application has not been upgraded to execute on an IPv6-only network, there is a possibility the application will not execute properly, and as a result, a denial of service could occur. DCSQ-1
Checks: C-24103r1_chk

Verify the application environment is compliant with all DoD IPv6 Standards Profile for IPv6 Capable Products guidance for servers. 1) If the application environment is not compliant with all DoD IPv6 Standards Profile for IPv6 Capable Products guidance for servers, this is a finding.

Fix: F-23063r1_fix

Design application to be compliant with all DISR IPv6 profiles.

b
The designer will ensure supporting application services and interfaces have been designed, or upgraded for, IPv6 transport.
Medium - V-19707 - SV-21848r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3970
Vuln IDs
  • V-19707
Rule IDs
  • SV-21848r1_rule
If the application's supporting services (e.g., software update, security update, driver updating, and automatic patching services) have not been updated to retrieve updates over a IPv6 network connection, there is a possibility the application will not execute properly, and as a result, a denial of service could occur. DCSQ-1
Checks: C-24104r1_chk

Ask the application representative for the design document. Review the design document for application services supporting IPv6. Verify supporting application layer services (such as, File Transfer Protocol (FTP), Network File system (NFS), Hyper Text Transfer Protocol (HTTP)) have been upgraded and tested for IPv6. 1) If the supporting application layer services have not been upgraded and tested for IPv6, it is a finding. Verify security functions have been updated for IPv6 addressing and network services. 2) If security functions have not been updated for IPv6 addressing and network services, it is a finding. Verify all software update, security update, driver updating, and automatic patching services which retrieve updates over a network connection have been updated to run over IPv6 transport. 3) If all software update, security update, driver updating, and automatic patching have not been updated to run over IPv6 transport, it is a finding. Verify all client-facing server interfaces have been upgraded for IPv6. 4) If all client-facing server interfaces have not been upgraded for IPv6, it is a finding.

Fix: F-23064r1_fix

Upgrade supporting application services and interfaces for IPv6 transport.

b
The designer will ensure the application is compliant with IPv6 multicast addressing and features an IPv6 network configuration options as defined in RFC 4038.
Medium - V-19708 - SV-21849r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3980
Vuln IDs
  • V-19708
Rule IDs
  • SV-21849r1_rule
If the application has not been updated to IPv6 multicast features, there is a possibility the application will not execute properly and as a result, a denial of service could occur. DCSQ-1
Checks: C-24105r1_chk

Ask the application representative for the design document. Review the design document for application services supporting IPv6. Verify configuration options for the application for IPv6 addresses. 1) If the application has not been upgraded to support IPv6 addresses, it is a finding. Verify configuration options for the application for IPv6 multicasting. 2) If the application has not been upgraded to support IPv6 multicasting, it is a finding.

Fix: F-23066r1_fix

Design the application to be compliant with IPv6 multicast addressing and features an IPv6 network configuration options as defined in RFC 4038.

b
The designer will ensure the application is compliant with the IPv6 addressing scheme as defined in RFC 1884.
Medium - V-19709 - SV-21850r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3990
Vuln IDs
  • V-19709
Rule IDs
  • SV-21850r1_rule
If the application is not compliant with the IPv6 addressing scheme, the entry of IPv6 formats that are 128 bits long or hexadecimal notation including colons, could result in buffer overflows compromising the application and creating additional attack vectors. DCSQ-1
Checks: C-24106r1_chk

Ask the application representative for the design document. Review the design document for application services supporting IPv6. Verify user interfaces, graphic user interface (GUI), and system management interfaces have been updated to support IPv6 addressing and functions. 1) If the application interfaces have not been upgraded to support IPv6 addressing and functions, it is a finding.

Fix: F-23067r1_fix

Design the application to be compliant with the IPv6 addressing scheme as defined in with RFC 1884.

c
The designer will ensure the application is not vulnerable to XML Injection.
High - V-21498 - SV-23682r1_rule
RMF Control
Severity
High
CCI
Version
APP3810
Vuln IDs
  • V-21498
Rule IDs
  • SV-23682r1_rule
XML injection results in an immediate loss of “integrity” of the data. Any vulnerability associated with a DoD Information system or system enclave, the exploitation of which, by a risk factor, will directly and immediately result in loss of Confidentiality, Availability or Integrity of the system associated data. System AdministratorDCSQ-1
Checks: C-25721r1_chk

Ask the application representative for code review results from the entire application. This can be provided as results from an automated code review tool. If the results are provided from a manual code review, the application representative will need to demonstrate how XML injection vulnerabilities are identified during code reviews. Using XML Schema Definition (XSD) Restrictions and XML Schema Regular Expressions can minimize XML injection attacks. 1) If the results are not provided or the application representative cannot demonstrate how manual code reviews are performed to identify XML injection vulnerabilities, it is a finding. Examples of XML Injection vulnerabilities can be obtained from the OWASP website.

Fix: F-23047r1_fix

Correct XML Injection flaws.

b
The designer will ensure the application does not have CSRF vulnerabilities.
Medium - V-21500 - SV-23685r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3585
Vuln IDs
  • V-21500
Rule IDs
  • SV-23685r1_rule
Cross Site Request Forgery (CSRF) is an attack where an end user is previously authenticated to a specific website and the user through social engineering (e.g., e-mail or chat) launches a hyperlink which executes unwanted actions on a website. A CSRF attack may execute any web site request on behalf of the user leading to compromise of the user’s data.System AdministratorDCSQ-1
Checks: C-25722r1_chk

Ask the application representative for code review results from the entire application. This can be provided as results from an automated code review tool. If the results are provided from a manual code review, the application representative will need to demonstrate how CSRF vulnerabilities are identified during code reviews. 1) If the results are not provided or the application representative cannot demonstrate how manual code reviews are performed to identify CSRF, it is a finding.

Fix: F-22999r1_fix

Add a nonce to web forms every time the URL is requested. The nonce is in addition to the standard session identifier.

c
The Program Manager will ensure all products are supported by the vendor or the development team.
High - V-21519 - SV-23731r1_rule
RMF Control
Severity
High
CCI
Version
APP2135
Vuln IDs
  • V-21519
Rule IDs
  • SV-23731r1_rule
Unsupported software products should not be used because of the unknown potential vulnerabilities. Any vulnerability associated with a DoD Information system or system enclave, the exploitation of which, by a risk factor, will directly and immediately result in loss of Confidentiality, Availability or Integrity of the system associated data. Unsupported software where there is no documented acceptance of DAA risk. System AdministratorDCSQ-1
Checks: C-27014r1_chk

Ask the application representative for the design document. Review the design document for all software components. Ask the application representative for proof that the application and all of its components are supported. Examples of proof may include: design documentation that includes support information, support specific contract documentation, successful creation of vendor support tickets, web site toll free support phone numbers etcetera." If any of the software components are not supported by a vendor, it is a finding.

Fix: F-23084r1_fix

Remove or decommission all unsupported software products in the application.

c
The designer shall use the NotOnOrAfter condition when using the SubjectConfirmation element in a SAML assertion.
High - V-22028 - SV-55088r1_rule
RMF Control
Severity
High
CCI
Version
APP3910
Vuln IDs
  • V-22028
Rule IDs
  • SV-55088r1_rule
When a SAML assertion is used with a element, a begin and end time for the should be set to prevent reuse of the message at a later time. Not setting a specific time period for the , may grant immediate access to an attacker and results in an immediate loss of confidentiality. Any vulnerability associated with a DoD Information system or system enclave, the exploitation of which, by a risk factor, will directly and immediately result in loss of Confidentiality, Availability or Integrity of the system associated data. Information Assurance OfficerDCSQ-1
Checks: C-27024r2_chk

Examine the contents of a SOAP message using the SubjectConfirmation element. All messages should contain the NotOnOrAfter element. This can be accomplished with a protocol analyzer like Wireshark. 1) If SOAP messages do not contain NotOnOrAfter elements, it is a finding

Fix: F-23093r2_fix

Use the NotOnOrAfter condition when using the SubjectConfirmation element in a SAML assertion.

c
The designer shall use both the <NotBefore> and <NotOnOrAfter> elements or <OneTimeUse> element when using the <Conditions> element in a SAML assertion.
High - V-22029 - SV-25355r1_rule
RMF Control
Severity
High
CCI
Version
APP3920
Vuln IDs
  • V-22029
Rule IDs
  • SV-25355r1_rule
When a SAML assertion is used with a element, a begin and end time for the element should be set to prevent reuse of the message at a later time. Not setting a specific time period for the element, the possibility exists of granting immediate access or elevated privileges to an attacker which result in an immediate loss of confidentiality. Any vulnerability associated with a DoD Information system or system enclave, the exploitation of which, by a risk factor, will directly and immediately result in loss of Confidentiality, Availability or Integrity of the system associated data. Information Assurance OfficerDCSQ-1
Checks: C-27025r1_chk

Examine the contents of a SOAP message using the &lt;Conditions&gt; element, all messages should contain the NotBefore and NotOnOrAfter or OneTimeUse element when in a SAML Assertion. This can be accomplished using a protocol analyzer such as WireShark 1) If SOAP using the &lt;Conditions&gt; element do not contain NotBefore and NotOnOrAfter or OneTimeUse elements, it is a finding.

Fix: F-23099r1_fix

Implement the use of the NotBefore and NotOnOrAfter or OneTimeUse when using the Conditions element in a SAML assertion.

b
The designer will ensure the asserting party uses FIPS approved random numbers in the generation of SessionIndex in the SAML element AuthnStatement.
Medium - V-22030 - SV-25356r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3940
Vuln IDs
  • V-22030
Rule IDs
  • SV-25356r1_rule
A predictable SessionIndex could lead to an attacker computing a future SessionIndex, thereby, possibly compromising the application.System AdministratorDCSQ-1
Checks: C-27028r1_chk

Ask the application representative for the Design Document. Verify in the Design Document asserting parties for SAML assertions use FIPS approved random numbers in the generation of SessionIndex in the Element AuthnStatement. If the application is a COTS/GOTS product or is composed of only COTS/GOTS products with no custom code, this check does not apply unless the application is being reviewed by or in conjunction with the COTS/GOTS vendor in which case this check is applicable. 1) If FIPS approved random numbers are not used in the generation of SessionIndex (in the Element AuthnStatement), it is a finding.

Fix: F-23094r1_fix

Use FIPS approved random numbers in the generation of SessionIndex in the SAML element AuthnStatement.

b
The designer shall ensure messages are encrypted when the SessionIndex is tied to privacy data.
Medium - V-22031 - SV-25357r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3950
Vuln IDs
  • V-22031
Rule IDs
  • SV-25357r1_rule
When the SessionIndex is tied to privacy data (e.g., attributes containing privacy data) the message should be encrypted. If the message is not encrypted there is the possibility of compromise of privacy data.System AdministratorECNK-1
Checks: C-27029r1_chk

Examine the contents of a SOAP message using a SessionIndex in the SAML element AuthnStatement. Verify the information which is tied to the SessionIndex. If the SessionIndex is tied to privacy information, and it is not encrypted, it is a finding.

Fix: F-23095r1_fix

Encrypt messages when the SessionIndex is tied to privacy data.

b
The designer shall ensure if a OneTimeUse element is used in an assertion, there is only one used in the Conditions element portion of an assertion.
Medium - V-22032 - SV-25358r1_rule
RMF Control
Severity
Medium
CCI
Version
APP3930
Vuln IDs
  • V-22032
Rule IDs
  • SV-25358r1_rule
Multiple OneTimeUse elements used in a SAML assertion can lead to elevation of privileges, if the application does not process SAML assertions correctly.System AdministratorDCSQ-1
Checks: C-27027r1_chk

Examine the contents of a SOAP message using the OneTimeUse element, all messages should contain only one instance of a OneTimeUse element in a SAML assertion. This can be accomplished using a protocol analyzer such as WireShark 1) If SOAP message uses more than one, OneTimeUse element in a SAML assertion, it is a finding.

Fix: F-23100r1_fix

When using OneTimeUse elements in a SAML assertion only allow one, OneTimeUse element to be used in the Conditions element of a SAML assertion.

b
The release manager must ensure application files are cryptographically hashed prior to deploying to DoD operational networks.
Medium - V-47163 - SV-60029r1_rule
RMF Control
Severity
Medium
CCI
Version
APP4050
Vuln IDs
  • V-47163
Rule IDs
  • SV-60029r1_rule
When application code and binaries are transferred from one environment to another, there is the potential for malware to be introduced into either the application code or even the application binaries themselves. Care must be taken to ensure that application code and binaries are validated for integrity prior to deployment into a production environment. To ensure file integrity, application files and/or application packages are cryptographically hashed using a strong hashing algorithm. Comparing hashes after transferring the files makes it possible to detect changes in files that could indicate potential integrity issues with the application. Currently, SHA256 is the DoD approved standard for cryptographic hash functions. DoD application developers must use SHA256 when creating cryptographic hashes, however, some non-DoD vendors might still use MD5 or SHA1 when generating a checksum hash for their application packages. It is important to use the same algorithms when validating the hash. If a non DoD vendor uses SHA1 when hashing their files, you must use SHA1 to validate the hash. Otherwise, the hashes will not match and a false positive indication of tampering will result. Prior to release of the application receiving an ATO/IATO for deployment into a DoD operational network, the application must be validated for integrity to ensure no tampering of source code or binaries has occurred. Failure to validate the integrity of application code and/or application binaries prior to deploying an application into a production environment may compromise the operational network.System AdministratorDCSQ-1
Checks: C-49993r1_chk

Ask the application representative to demonstrate their cryptographic hash validation process or provide process documentation. The validation process will vary based upon the operating system used as there are numerous clients available that will display a file's cryptographic hash for validation purposes. Linux operating systems include the "sha256sum" utility. For Linux systems using sha256sum command syntax is: sha256sum [OPTION]... [FILE]... Windows does not natively provide a SHA256 checksum validation tool; however, there are utilities available that provide this capability. A validation process involves obtaining the application files’ cryptographic hash value from the programs author or other authoritative source such as the application's web site. A utility like the "sha256sum" utility is then run using the downloaded application file name as the argument. The output is the files' hash value. The two hash values are compared and if they match, then file integrity is ensured. If the application being reviewed is a COTS product and the vendor used a SHA1 or MD5 algorithm to generate a hash value, this is not a finding. If the application being reviewed is a COTS product and the vendor did not provide a hash value for validating the package, this is not a finding. If the integrity of the application files/code is not validated prior to deployment to DoD operational networks, this is a finding.

Fix: F-50871r1_fix

1. Developers/release managers create cryptographic hash values of application files and/or application packages prior to transitioning the application from test to a production environment. They protect cryptographic hash information so it cannot be altered and make a read copy of the hash information available to application Admins so they can validate application packages and files after they download the files. 2. Application Admins validate cryptographic hashes prior to deploying the application to production.