Application Security and Development Checklist

Details

Version / Release: V3R9

Published: 2014-10-05

Updated At: 2018-09-23 02:02:36

    Vuln Rule Version CCI Severity Title Description Status Finding Details Comments
    SV-6127r1_rule APP3280 MEDIUM The designer will ensure applications requiring user authentication are PK-enabled and are designed and implemented to support hardware tokens (e.g., CAC for NIPRNet). Non PK-enabled applications can allow unauthorized persons or entities to intercept information. A PK-enabled application gives assurance of the user accessing the application.System AdministratorIATS-1, IATS-2
    SV-6128r1_rule APP3290 MEDIUM The designer and IAO will ensure PK-enabled applications are designed and implemented to use approved credentials authorized under the DoD PKI program. Using unapproved PKI certificates could allow access by non-DoD and unauthorized users.System AdministratorIATS-1, IATS-2
    SV-6129r1_rule APP3305 HIGH The designer will ensure the application using PKI validates certificates for expiration, confirms origin is from a DoD authorized CA, and verifies the certificate has not been revoked by CRL or OCSP, and CRL cache (if used) is updated at least daily. The application should not provide access to users or other entities using expired, revoked or improperly signed certificates because the identity cannot be verified. System AdministratorIATS-1, IATS-2
    SV-6130r1_rule APP3320 MEDIUM The designer will ensure the application has the capability to require account passwords that conform to DoD policy. Weak passwords can be guessed or easily cracked using various methods. This can potentially lead to unauthorized access to the application. System AdministratorIAIA-1
    SV-6131r1_rule APP3380 MEDIUM The designer will ensure the application prevents the creation of duplicate accounts. Duplicate user accounts can create a situation where multiple users will be mapped to a single account. These duplicate user accounts may cause users to assume other users roles and privilege escalation. If user IDs are not unique and individual, user a
    SV-6132r2_rule APP6240 LOW The IAO will ensure all user accounts are disabled which are authorized to have access to the application but have not authenticated within the past 35 days. Disabling inactive userids ensures access and privilege are available to only those who need it.System AdministratorIAAC-1, IAIA-1
    SV-6133r1_rule APP6250 MEDIUM The IAO will ensure unnecessary built-in application accounts are disabled. Default passwords and properties of built-in accounts are often publicly available. Anyone with necessary knowledge, internal or external, can compromise an application using built-in accounts.System AdministratorIAIA-1
    SV-6134r1_rule APP6260 HIGH The IAO will ensure default passwords are changed. Default passwords can easily be compromised by attackers allowing immediate access to the applications.System AdministratorIAIA-1
    SV-6135r1_rule APP3210 MEDIUM The designer will ensure the appropriate cryptography is used to protect stored DoD information if required by the information owner. Application data needs to be properly protected. Content of application data contains not only operationally sensitive data, but also personal data covered by the privacy act that needs to be protected internally and externally. Classifed data could be c
    SV-6136r1_rule APP3250 HIGH The designer will ensure data transmitted through a commercial or wireless network is protected using an appropriate form of cryptography. Unencrypted sensitive application data could be intercepted in transit.System AdministratorECNK-2, ECCT-1, ECNK-1, ECCT-2
    SV-6137r1_rule APP3150 MEDIUM The designer will ensure the application uses the Federal Information Processing Standard (FIPS) 140-2 validated cryptographic modules and random number generator if the application implements encryption, key exchange, digital signature, and hash functionality. Unapproved cryptographic module algorithms cannot be verified, and cannot be relied upon to provide confidentiality or integrity and DoD data may be compromised due to weak algorithms.If the module is not on the FIPS validated encryption list, this is a C
    SV-6138r1_rule APP3680 MEDIUM The designer will ensure the application design includes audits on all access to need-to-know information and key application events. Properly logged and monitored audit logs not only assist in combating threats, but also play a key role in diagnosis, forensics, and recovery. System AdministratorECAR-3, ECAR-2, ECAR-1
    SV-6139r1_rule APP3650 LOW The designer will ensure the application has a capability to notify an administrator when audit logs are nearing capacity as specified in the system documentation. If an application audit log reaches capacity without warning, it will stop logging important system and security events. It could also open the system up for a type of denial of service attack, if an application halts with a full log.System Administrato
    SV-6140r1_rule APP3690 MEDIUM The designer and IAO will ensure the audit trail is readable only by the application and auditors and protected against modification and deletion by unauthorized individuals. Excessive permissions of audit records allow cover up of intrusion or misuse of the application.System AdministratorECTP-1
    SV-6141r1_rule APP3480 HIGH The designer will ensure access control mechanisms exist to ensure data is accessed and changed only by authorized personnel. If access control mechanisms are not in place, anonymous users could potentially make unauthorized read and modification requests to the application data which is an immediate loss of the integrity of the data. Any vulnerability associated with a DoD Inf
    SV-6142r1_rule APP3240 MEDIUM The designer will ensure all access authorizations to data are revoked prior to initial assignment, allocation or reallocation to an unused state. DoD data may be compromised if applications do not protect residual data in objects when they are allocated to an unused state. Access authorizations to data should be revoked prior to initial assignment, allocation or reallocation to an unused state beca
    SV-6143r1_rule APP3500 MEDIUM The designer will ensure the application executes with no more privileges than necessary for proper operation. An application with unnecessary access privileges can give an attacker access to the underlying operating system.System AdministratorECLP-1
    SV-6144r1_rule APP3410 MEDIUM The designer will ensure the application provides a capability to limit the number of logon sessions per user and per application. If a user account has been compromised, limiting the number of sessions will allow the administrator to detect if the account has been compromised by an indication that the maximum number of sessions has been exceeded. Also, limiting the number of sessio
    SV-6145r1_rule APP2040 MEDIUM If the application contains classified data, the Program Manager will ensure a Security Classification Guide exists containing data elements and their classification. Without a classification guide the marking, storage, and output media of classified material can be inadvertently mixed with unclassified material, leading to its possible loss or compromise. Information Assurance OfficerDCSD-1
    SV-6146r1_rule APP3270 HIGH The designer will ensure the application has the capability to mark sensitive/classified output when required. Failure to properly mark output could result in a disclosure of sensitive or classified data which is an immediate loss in confidentiality. Any vulnerability associated with a DoD Information system or system enclave, the exploitation of which, by a risk
    SV-6147r1_rule APP5030 MEDIUM The Test Manager will ensure the application does not modify data files outside the scope of the application. Modifying data or files outside the scope of the application could lead to system instability in the event of an application problem. Also, a problem with this application could effect the operation of another application.System AdministratorECRC-1
    SV-6148r1_rule APP3020 MEDIUM The designer will ensure threat models are documented and reviewed for each application release and updated as required by design and functionality changes or new threats are discovered. The lack of threat modeling will potentially leave unidentified threats for attackers to utilize to gain access to the application.System AdministratorDCSQ-1
    SV-6149r1_rule APP3050 MEDIUM The designer will ensure the application does not contain source code that is never invoked during operation, except for software components and libraries from approved third-party products. Unused libraries increase a program size without any benefits. and may expose an enclave to possible malware. They can be used by a worm as program space, and increase the risk of a buffer overflow attack. As code evaluations are performed, to identify
    SV-6150r1_rule APP3060 MEDIUM The Designer will ensure the application does not store configuration and control files in the same directory as user data. Application code and data require two very different security requirements, authentication and authorization (especially in file access). Without proper authentication and authorization there is the potential for existing code to be changed. These chang
    SV-6151r1_rule APP6030 MEDIUM The IAO will ensure unnecessary services are disabled or removed. Unnecessary services and software increases the security risk by increasing the potential attack surface of the application.System AdministratorDCSD-1
    SV-6152r1_rule APP3440 MEDIUM The designer will ensure the application is capable of displaying a customizable click-through banner at logon which prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating "OK.” A logon banner is used to warn users against unauthorized entry and the possibility of legal action for unauthorized users, and advise all users that system use constitutes consent to monitoring, recording, and auditing, and that they have no expectation
    SV-6153r1_rule APP3430 HIGH The designer will ensure the application removes authentication credentials on client computers after a session terminates. Leaving authentication credentials stored at the client level allows potential access to session information that can be used by subsequent users of a shared workstation and could also be exported and used on other workstation providing immediate unauthor
    SV-6154r1_rule APP3470 MEDIUM The designer will ensure the application is organized by functionality and roles to support the assignment of specific roles to specific application functions. Without a least privilege policy, a user can gain access to information that he or she is not entitled to and can compromise confidentiality, integrity, and availability of the system. Also, minimizing privileges reduces the risk associated with hijacked
    SV-6155r1_rule APP3420 MEDIUM The designer will ensure the application provides a capability to terminate a session and log out. If a user cannot log out of the application, subsequent users of a shared system could continue to use the previous user's session to the application.System AdministratorDCSQ-1
    SV-6156r1_rule APP3350 HIGH The designer will ensure the application does not contain embedded authentication data. Authentication data stored in code could potentially be read and used by anonymous users to gain access to a backend database or application server. This could lead to immediate access to a backend server. System AdministratorIAIA-1, IAIA-2
    SV-6157r1_rule APP3080 MEDIUM The designer will ensure the application does not contain invalid URL or path references. Resource information in code can easily advertise available vulnerabilities to unauthorized users. By placing the references into configuration files, the files can be further protected by file permissions and will be separated for ease of updating.Syste
    SV-6158r1_rule APP3740 MEDIUM The designer will ensure the application only embeds mobile code in e-mail which does not execute automatically when the user opens the e-mail body or attachment. The practice of opening e-mails with executable code renders the recipient vulnerable to Internet worms, malicious content, and other threats.System AdministratorDCMC-1
    SV-6159r1_rule APP3700 MEDIUM The designer will ensure unsigned Category 1A mobile code is not used in the application in accordance with DoD policy. Use of un-trusted Level 1 and 2 mobile code technologies can introduce security vulnerabilities and malicious code into the client system. System AdministratorDCMC-1
    SV-6160r1_rule APP3720 MEDIUM The designer will ensure unsigned Category 2 mobile code executing in a constrained environment has no access to local system and network resources. Mobile code cannot conform to traditional installation and configuration safeguards, therefore, the use of local operating system resources and spawning of network connections introduce harmful and uncertain effects.System AdministratorDCMC-1
    SV-6161r1_rule APP3710 MEDIUM The designer will ensure signed Category 1A and Category 2 mobile code signature is validated before executing. Untrusted mobile code may contain malware or malicious code and digital signatures provide a source of the content which is crucial to authentication and trust of the data. System AdministratorDCMC-1
    SV-6162r1_rule APP3730 MEDIUM The designer will ensure uncategorized or emerging mobile code is not used in applications. Mobile code does not require any traditional software acceptance testing or security validation. Mobile code needs to follow sound policy to maintain a reasonable level of trust. Mobile code that does not fall into existing policy cannot be trusted.Syst
    SV-6163r1_rule APP3100 MEDIUM The Designer will ensure the application removes temporary storage of files and cookies when the application is terminated. If the application does not remove temporary data (e.g., authentication data, temporary files containing sensitive data, etc.) this temporary data could be used to re-authenticate the user or allow unauthorized access to sensitive data.System Administrato
    SV-6164r1_rule APP3510 HIGH The designer will ensure the application validates all input. Absence of input validation opens an application to improper manipulation of data. The lack of input validation can lead immediate access of application, denial of service, and corruption of data. System AdministratorDCSQ-1
    SV-6165r2_rule APP3590 HIGH The designer will ensure the application does not have buffer overflows, use functions known to be vulnerable to buffer overflows, and does not use signed values for memory allocation where permitted by the programming language. Buffer overflow attacks occur when improperly validated input is passed to an application overwriting of memory. Usually, buffer overflow errors stop execution of the application causing a minimum of denial of service and possibly a system call to a comma
    SV-6166r1_rule APP3120 MEDIUM The designer will ensure the application is not subject to error handling vulnerabilities. Unhandled exceptions leaves users with no means to properly respond to errors. Mishandled exceptions can transmit information that can be used in future security breaches. Properly handled errors allow applications to follow security procedures and gui
    SV-6167r1_rule APP3140 MEDIUM The designer will ensure application initialization, shutdown, and aborts are designed to keep the application in a secure state. An application could be compromised, providing an attack vector into the enclave if application initialization, shutdown, and aborts are not designed to keep the application in a secure state. If an application fails without closing or shutting down pro
    SV-6168r1_rule APP3300 MEDIUM The designer will ensure applications requiring server authentication are PK-enabled. Applications not using PKI are at risk of containing many password vulnerabilities. PKI is the preferred method of authentication. System AdministratorIATS-2, IATS-1
    SV-6169r1_rule APP2100 MEDIUM The Program Manager and designer will ensure the application design complies with the DoD Ports and Protocols guidance. Failure to comply with DoD Ports, Protocols, and Services (PPS) Vulnerability Analysis and associated PPS mitigations may result in compromise of enclave boundary protections and/or functionality of the application.System AdministratorDCPP-1
    SV-6170r1_rule APP2070 LOW The Program Manager and designer will ensure any IA, or IA enabled, products used by the application are NIAP approved or in the NIAP approval process. IA or IA enabled products that have not been evaluated by NIAP may degrade the security posture of the enclave, if they do not operate as expected, be configured incorrectly, or have hidden security flaws. System AdministratorDCAS-1
    SV-6171r1_rule APP6160 MEDIUM The IAO will ensure recovery procedures and technical system features exist so recovery is performed in a secure and verifiable manner. The IAO will document circumstances inhibiting a trusted recovery. Without a disaster recovery plan, the application is susceptible to interruption in service due to damage within the processing site.System AdministratorCODP-2, CODP-3, CODP-1
    SV-6172r1_rule APP6190 MEDIUM The IAO will ensure data backup is performed at required intervals in accordance with DoD policy. Without proper backups, the application is not protected from the loss of data or the operating environment in the event of hardware or software failure.System AdministratorCODB-1, CODB-3, CODB-2
    SV-6173r1_rule APP6140 MEDIUM The IAO will ensure application audit trails are retained for at least 1 year for applications without SAMI data, and 5 years for applications including SAMI data. Log files are a requirement to trace intruder activity or to audit user activity.System AdministratorECRR-1
    SV-6174r2_rule APP6100 MEDIUM The IAO will ensure production database exports have database administration credentials and sensitive data removed before releasing the export. Production database exports are often used to populate development databases. Test and development environments do not typically have the same rigid security protections that production environments do. When production data is used in test and developmen
    SV-6197r2_rule APP2010 MEDIUM The Program Manager will ensure a System Security Plan (SSP) is established to describe the technical, administrative, and procedural IA program and policies governing the DoD information system, and identifying all IA personnel and specific IA requirements and objectives. If the DAA, IAM, or IAO are not performing assigned functions in accordance with DoD requirements, it could impact the overall security of the facility, personnel, systems, and data, which could lead to degraded security. If the DAA and the IAM/IAO are no
    SV-6198r1_rule APP2160 MEDIUM The Program Manager and IAO will ensure development systems, build systems, test systems, and all components comply with all appropriate DoD STIGs, NSA guides, and all applicable DoD policies. The Test Manager will ensure both client and server machines are STIG compliant. Applications developed on a non STIG compliant platform may not function when deployed to a STIG compliant platform, and therefore cause a potential denial of service to the users and the application, or require lessening security requirements on the clie
    SV-7372r1_rule APP3010 MEDIUM The designer will create and update the Design Document for each release of the application. The detailed functional architecture must be documented to ensure all risks are assessed and mitigated to the maximum extent practical. Failure to do so may result in unexposed risk, and failure to mitigate the risk leading to failure or compromise of the
    SV-17773r1_rule APP2020 MEDIUM The Program Manager will provide an Application Configuration Guide to the application hosting providers to include a list of all potential hosting enclaves and connection rules and requirements. The security posture of the enclave could be degraded if an Application Configuration Guide is not available and followed by application developers. System AdministratorDCID-1, EBCR-1
    SV-17775r1_rule APP2050 MEDIUM The Program Manager will ensure the system has been assigned specific MAC and confidentiality levels. The site security posture and mission completion could be adversely affected if site managed applications and data are not properly assigned with the MAC and confidentiality levels.System AdministratorDCSD-1
    SV-17776r1_rule APP2060 MEDIUM The Program Manager will ensure the development team follows a set of coding standards. Implementing coding standards provides many benefits to the development process. These benefits include readability, consistency, and ease of integration. Code conforming to a standard format is easier to read, especially if someone other than the ori
    SV-17777r1_rule APP2080 MEDIUM The Program Manager will ensure COTS IA and IA enabled products, comply with NIAP/NSA endorsed protection profiles. The security posture of the enclave could be compromised if applications are not at the approved NIAP/NSA protection profile. GOTS, or COTS IA and IA enabled IT products, must be in compliance with NIAP/NSA protection profiles in order to protect classif
    SV-17778r1_rule APP2090 MEDIUM The Program Manager will document and obtain DAA risk acceptance for all public domain, shareware, freeware, and other software products/libraries with both (1) no source code to review, repair, and extend, and (2) limited or no warranty, when such products are required for mission accomplishment. The security posture of the enclave could be compromised if untested or unwarranted software is used due to the risk of software failure, hidden vulnerabilities, or other malware embedded in the application. The Program Manager and IAO must get DAA appro
    SV-17779r1_rule APP2110 MEDIUM The Program Manager and designer will ensure the application is registered with the DoD Ports and Protocols Database. Failure to register the applications usage of ports, protocols, and services with the DoD PPS Database may result in a Denial of Service (DoS) because of enclave boundary protections at other end points within the network.System AdministratorDCPP-1
    SV-17780r1_rule APP2120 MEDIUM The Program Manager will ensure all levels of program management, designers, developers, and testers receive the appropriate security training pertaining to their job function. Well trained IT personnel are the first line of defense against attacks or disruptions to the information system. Lack of sufficient training can lead to security oversights thereby, leading to compromise or failure to take necessary actions to prevent di
    SV-17781r1_rule APP2130 MEDIUM The Program Manager will ensure a vulnerability management process is in place to include ensuring a mechanism is in place to notify users, and users are provided with a means of obtaining security updates for the application. If there is no mechanism (e.g., e-mail list, patch server) to provide updates for an application that is already deployed, security flaws can never be addressed. Also, if there is no comprehensive vulnerability management process or policy for the system
    SV-17782r1_rule APP2140 MEDIUM The Program Manager will ensure a security incident response process for the application is established that defines reportable incidents and outlines a standard operating procedure for incident response to include Information Operations Condition (INFOCON). Without a plan, training, and assistance, users will not know what actions needs to be taken in the event of system attack or system/application compromise. This could result in additional compromise and theft, or degraded system capability.System Adminis
    SV-17783r1_rule APP2150 MEDIUM The Program Manager will ensure procedures are implemented to assure physical handling and storage of information is in accordance with the data’s sensitivity. Failure to have proper workplace security procedures can lead to the loss or compromise of classified or sensitive information.System AdministratorPESP-1
    SV-17784r1_rule APP3070 MEDIUM The designer will ensure the user interface services are physically or logically separated from data storage and management services. If user interface services are compromised, this may lead to the compromise of data storage and management services if they are not logically or physically separated.DCPA-1
    SV-17785r1_rule APP3405 HIGH The designer will ensure the application supports detection and/or prevention of communication session hijacking. Session tokens can be compromised by various methods. Using predictable session tokens can allow an attacker to hijack a session in progress. Session sniffing can be used to capture a valid session token or session id, and the attacker uses this session i
    SV-17786r1_rule APP3110 MEDIUM The designer will ensure the application installs with unnecessary functionality disabled by default. If functionality is enabled that is not required for operation of the application, this functionality may be exploited without knowledge because the functionality is not required by anyone.System AdministratorDCSD-1
    SV-17787r1_rule APP3130 HIGH The designer will ensure the application follows the secure failure design principle. The secure design principle ensures the application follows a secure predictable path in the application code. If all possible code paths are not accounted for, the application may allow access to unauthorized users. Applications should perform checks on
    SV-17788r1_rule APP3170 MEDIUM The designer will ensure the application uses encryption to implement key exchange and authenticate endpoints prior to establishing a communication channel for key exchange. If the application does not use encryption and authenticate endpoints prior to establishing a communication channel and prior to transmitting encryption keys, these keys may be intercepted, and could be used to decrypt the traffic of the current session,
    SV-17789r1_rule APP3180 MEDIUM The designer will ensure private keys are accessible only to administrative users. If private keys are accessible to non-administrative users, these users could potentially read and use the private keys to unencrypt stored or transmitted sensitive data used by the application. System AdministratorECCD-1
    SV-17790r1_rule APP3190 MEDIUM The designer will ensure the application does not connect to a database using administrative credentials or other privileged database accounts. If the application uses administrative credentials or other privileged database accounts to access the database, an attacker that has already compromised the application though another vulnerability can drop, add, and modify the data in the database or th
    SV-17791r1_rule APP3200 LOW The designer will ensure transaction based applications implement transaction rollback and transaction journaling. Transaction based systems must have transaction rollback and transaction journaling, or technical equivalents implemented to ensure the system can recover from an attack or faulty transaction data. Otherwise, a denial of service condition could result. S
    SV-17792r1_rule APP3220 MEDIUM The designer will ensure sensitive data held in memory is cryptographically protected when not in use, if required by the information owner, and classified data held in memory is always cryptographically protected when not in use. Sensitive or classified data in memory must be encrypted to protect data from the possibility of an attacker causing an application crash then analyzing a memory dump of the application for sensitive or classified information.System AdministratorECCR-2, E
    SV-17793r1_rule APP3230 MEDIUM The designer will ensure the application properly clears or overwrites all memory blocks used to process sensitive data, if required by the information owner, and clears or overwrites all memory blocks used for classified data. Sensitive and classified data in memory should be cleared or overwritten to protect data from the possibility of an attacker causing the application to crash and analyzing a memory dump of the application for sensitive information.System AdministratorECCR
    SV-17794r2_rule APP3260 MEDIUM The designer will ensure the application uses mechanisms assuring the integrity of all transmitted information (including labels and security parameters). Data is subject to manipulation and other integrity related attacks whenever that data is transferred across a network. To protect data integrity during transmission, the application must implement mechanisms to ensure the integrity of all transmitted in
    SV-17795r1_rule APP3310 HIGH The designer will ensure the application does not display account passwords as clear text. Passwords being displayed in clear text can be easily seen by casual observers. Password masking should be employed so any casual observers cannot see passwords on the screen as they are being typed.System AdministratorIAIA-1
    SV-17796r1_rule APP3330 HIGH The designer will ensure the application transmits account passwords in an approved encrypted format. Passwords transmitted in clear text or with an unapproved format are vulnerable to network protocol analyzers. These passwords acquired with the network protocol analyzers can be used to immediately access the application.System AdministratorECCT-1
    SV-17797r1_rule APP3340 HIGH The designer will ensure the application stores account passwords in an approved encrypted format. Passwords stored without encryption or with weak, unapproved, encryption can easily be read and unencrypted. These passwords can then be used for immediate access to the application.System AdministratorIAIA-2, IAIA-1
    SV-17798r1_rule APP3360 MEDIUM The designer will ensure the application protects access to authentication data by restricting access to authorized users and services. If authentication is not properly restricted using access controls list, unauthorized users of the server where the authentication data is stored may be able to use the authentication data to access unauthorized servers or services.System AdministratorECC
    SV-17799r1_rule APP3370 MEDIUM The designer will ensure the application installs with unnecessary accounts disabled, or deleted, by default. Unnecessary accounts should be disabled to limit the number of entry points for attackers to gain access to the system. Removing unnecessary accounts also limits the number of users and passwords the system administrator must maintain.System Administrato
    SV-17800r1_rule APP3390 HIGH The designer will ensure users’ accounts are locked after three consecutive unsuccessful logon attempts within one hour. If user accounts are not locked after a set number of unsuccessful logins, attackers can infinitely retry user password combinations providing immediate access to the application.ECLO-1, ECLO-2
    SV-17801r1_rule APP3400 MEDIUM The designer will ensure locked users’ accounts can only be unlocked by the application administrator. User accounts should only be unlocked by the user contacting an administrator, and making a formal request to have the account reset. Accounts that are automatically unlocked after a set time limit, allow potential attackers to retry possible user passwo
    SV-17802r1_rule APP3415 MEDIUM The designer will ensure the application provides a capability to automatically terminate a session and log out after a system defined session idle time limit is exceeded. In the event a user does not log out of the application, the application should automatically terminate the session and log out; otherwise, subsequent users of a shared system could continue to use the previous user's session to the application. Responsibility: System Administrator.
    SV-17803r1_rule APP3450 MEDIUM The designer and IAO will ensure application resources are protected with permission sets which allow only an application administrator to modify application resource configuration files. If application resources are not protected with permission sets that allow only an application administrator to modify application resource configuration files, unauthorized users can modify configuration files allowing these users to capture data within
    SV-17804r1_rule APP3460 HIGH The designer will ensure the application does not rely solely on a resource name to control access to a resource. Application access control decisions should be based on authentication of users. Resource names alone can be spoofed, allowing access control mechanisms to be bypassed and giving immediate access to the application. Responsibility: System Administrator. IA Controls: DCSQ-1.
    SV-17806r1_rule APP3530 MEDIUM The designer will ensure the web application assigns the character set on all web pages. For web applications, setting the character set on the web page reduces the possibility of the web application receiving unexpected input that uses other character set encodings. Responsibility: System Administrator. IA Controls: DCSQ-1.
    SV-17807r1_rule APP3540 HIGH The designer will ensure the application is not vulnerable to SQL Injection, uses prepared or parameterized statements, does not use concatenation or replacement to build SQL queries, and does not directly access the tables in a database. SQL Injection can be used to bypass user login to gain immediate access to the application and can also be used to elevate privileges with an existing user account. IA Controls: DCSQ-1, ECCD-1.
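Added example (not from the STIG): the login-bypass case APP3540 describes, shown side by side in Python against an in-memory SQLite table constructed for the example. The concatenated query lets a username of `admin' --` comment out the password check; the parameterized query binds the same string as data and finds no such user. Table contents and function names are this example's own.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table: one account whose stored hash we pretend to know."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'hash-of-admin-password')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, pw_hash: str) -> bool:
    """String concatenation: user input becomes part of the SQL grammar.
    Kept deliberately vulnerable to show the bypass; never ship this."""
    sql = ("SELECT 1 FROM users WHERE username = '" + username +
           "' AND pw_hash = '" + pw_hash + "'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, pw_hash: str) -> bool:
    """Placeholders: the driver binds values, so input can never change the
    shape of the statement, whatever quotes or comment markers it contains."""
    sql = "SELECT 1 FROM users WHERE username = ? AND pw_hash = ?"
    return conn.execute(sql, (username, pw_hash)).fetchone() is not None


# Classic payload: closes the string, then '--' comments out the rest of the line,
# so the password predicate is never evaluated in the concatenated version.
INJECTION = "admin' --"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, bad password:   ", login_vulnerable(db, INJECTION, "wrong"))
    print("parameterized, bad password:", login_parameterized(db, INJECTION, "wrong"))
```

The same pattern applies to every driver: the query text is a constant and every user-controlled value travels through the parameter list. The STIG's further requirement that the application not touch tables directly is a database-privilege design choice (views or stored procedures granted to the application account) and is not shown here.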
    SV-17808r1_rule APP3550 HIGH The designer will ensure the application is not vulnerable to integer arithmetic issues. Integer overflows occur when an integer has not been properly checked and is used in memory allocation, copying, and concatenation. Also, when incrementing integers past their maximum possible value, it could potentially become a very small or negative n
    SV-17809r1_rule APP3560 HIGH The designer will ensure the application does not contain format string vulnerabilities. Format string vulnerabilities usually occur when unvalidated input is entered and is directly written into the format string used to format data in the print-style family of C/C++ functions. If an attacker can manipulate a format string, this may result
    SV-17810r1_rule APP3570 HIGH The designer will ensure the application does not allow command injection. A command injection attack is an attack on a vulnerable application where improperly validated input is passed to a command shell set up by the application. A command injection allows an attacker to execute their own commands with the same privileges as t
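Added example (not from the STIG): the APP3570 failure mode in Python. The first function passes a string to `subprocess.run(..., shell=True)`, so a host name of `example.com; echo INJECTED` runs a second command; the second passes an argv list, which never involves a shell, so the same payload stays a literal argument; the third adds an allow-list check so hostile input never reaches a process at all. `echo` stands in for the real network utility so the example runs anywhere with a POSIX shell; the host-name pattern is this example's own choice.

```python
import re
import subprocess

# Allow-list for a DNS-style host name: starts and ends with an alphanumeric,
# so values like "-n" (an option to the child process) are rejected too.
HOSTNAME = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,62}[A-Za-z0-9])?")


def lookup_vulnerable(host: str) -> str:
    """shell=True hands the whole string to /bin/sh, so ';', '|', '$()' and
    backticks inside host are interpreted as shell syntax. Deliberately
    vulnerable, kept only to show the behaviour."""
    proc = subprocess.run("echo lookup " + host, shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def lookup_argv(host: str) -> str:
    """An argv list never touches a shell: metacharacters remain literal
    characters of a single argument."""
    proc = subprocess.run(["echo", "lookup", host],
                          capture_output=True, text=True, check=True)
    return proc.stdout


def lookup_validated(host: str) -> str:
    """Defence in depth: validate against the allow-list before any process is
    started, which also blocks option-style arguments such as '-n'."""
    if not HOSTNAME.fullmatch(host):
        raise ValueError("rejected host name: %r" % host)
    return lookup_argv(host)


if __name__ == "__main__":
    payload = "example.com; echo INJECTED"
    print(repr(lookup_vulnerable(payload)))   # two lines: the injected command ran
    print(repr(lookup_argv(payload)))         # one line: payload treated as text
```

Note that argv lists stop shell injection but not argument injection: a value beginning with `-` can still be read as an option by the child program, which is why the allow-list check is kept even when no shell is involved.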
    SV-17811r1_rule APP3580 HIGH The designer will ensure the application does not have cross site scripting (XSS) vulnerabilities. XSS vulnerabilities exist when an attacker uses a trusted website to inject malicious scripts into applications with improperly validated input. Responsibility: System Administrator. IA Controls: DCSQ-1.
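Added example (not from the STIG): context-sensitive output encoding in Python, which is the designer-side control behind APP3580, together with the explicit character set APP3530 asks for. The page renderer uses a different escaper for HTML content, a quoted attribute, a URL query parameter and a JavaScript string literal; one escaper for all contexts is a common way XSS survives "escaping". The helper names and the sample page are this example's own.

```python
import html
import json
from urllib.parse import quote


def esc_html(value: str) -> str:
    """Element content and double-quoted attribute values: escapes & < > " '."""
    return html.escape(value, quote=True)


def esc_js_string(value: str) -> str:
    """JavaScript string literal inside a <script> block. json.dumps quotes and
    escapes the value; '<', '>' and '&' are escaped as well so a value such as
    '</script>' cannot terminate the enclosing script element."""
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def esc_url_component(value: str) -> str:
    """Value placed inside a query-string parameter: percent-encode everything."""
    return quote(value, safe="")


def content_type_header() -> tuple:
    """APP3530: declare the encoding so browsers never sniff a charset the
    application did not intend (UTF-7 sniffing was a classic XSS vector)."""
    return ("Content-Type", "text/html; charset=utf-8")


def render_profile(name: str, bio: str) -> str:
    """Render one page, choosing the escaper that matches each output context."""
    return (
        '<!doctype html><html><head><meta charset="utf-8"></head><body>\n'
        "<h1>" + esc_html(name) + "</h1>\n"
        '<p title="' + esc_html(bio) + '">' + esc_html(bio) + "</p>\n"
        '<a href="/search?q=' + esc_url_component(name) + '">search</a>\n'
        "<script>var displayName = " + esc_js_string(name) + ";</script>\n"
        "</body></html>"
    )


if __name__ == "__main__":
    print(render_profile("<script>alert(1)</script>", '" onmouseover="alert(1)'))
```

Templating engines that auto-escape cover the HTML context by default; the attribute, URL and script contexts above are the ones that still need a deliberate choice.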
    SV-17812r1_rule APP3600 MEDIUM The designer will ensure the application has no canonical representation vulnerabilities. Canonical representation issues arise when the name of a resource is used to control resource access. There are multiple methods of representing resource names on a computer system. An application relying solely on a resource name to control access may
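Added example (not from the STIG): a canonicalization check for file paths in Python, the concrete form of the APP3600 (and APP3460) problem. Instead of pattern-matching the string the user sent, the check decodes percent-encoding, resolves symlinks and `..` with `os.path.realpath`, and then compares the result against the real base directory. The function name and the rejection behaviour are this example's own.

```python
import os
from urllib.parse import unquote


def resolve_under(base_dir: str, user_path: str) -> str:
    """Return the canonical absolute path of user_path inside base_dir, or
    raise ValueError if any representation of it escapes base_dir."""
    base = os.path.realpath(base_dir)
    # Decode percent-encoding, twice, so %2e%2e and double-encoded %252e%252e
    # are both seen as '..' before the path is resolved.
    decoded = unquote(unquote(user_path))
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    # os.path.join discards base when decoded is absolute; realpath then
    # resolves '..' segments and symlinks, so the comparison sees the real target.
    candidate = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes base directory: %r" % user_path)
    return candidate


if __name__ == "__main__":
    for p in ["readme.txt", "../../etc/passwd", "%2e%2e/secret", "/etc/passwd"]:
        try:
            print(p, "->", resolve_under("/var/www/public", p))
        except ValueError as err:
            print(p, "-> rejected:", err)
```

Comparing with `commonpath` rather than `startswith` matters: `/var/www/public-old/x` starts with `/var/www/public` but is not inside it.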
    SV-17813r1_rule APP3610 HIGH The designer will ensure the application does not use hidden fields to control user access privileges or as a part of a security mechanism. Using hidden fields to pass data in forms is very common. However, hidden fields can be easily manipulated by users. Hidden fields used to control access decisions can lead to a complete compromise of the access control mechanism, allowing immediate anonymou
    SV-17814r1_rule APP3620 MEDIUM The designer will ensure the application does not disclose unnecessary information to users. Applications should not disclose information not required for the transaction (e.g., a web application should not divulge the fact there is a SQL server database and/or its version). This provides attackers additional information which they can use to fi
    SV-17815r1_rule APP3630 MEDIUM The designer will ensure the application is not vulnerable to race conditions. A race condition occurs when an application receives two or more actions on the same resource in an unanticipated order which causes a conflict. Sometimes, the resource is locked by different users or functions within the application creating a deadlock s
    SV-17816r1_rule APP3640 MEDIUM The designer will ensure the application supports the creation of transaction logs for access and changes to the data. Without required logging and access control, security issues related to data changes will not be identified. This could lead to security compromises such as data misuse, unauthorized changes, or unauthorized access. Responsibility: System Administrator. IA Controls: ECCD-2.
    SV-17817r1_rule APP3660 LOW The designer will ensure the application has a capability to notify the user of important login information. Attempted logons must be controlled to prevent password guessing exploits and unauthorized access attempts. Responsibility: System Administrator. IA Controls: ECLO-2.
    SV-17818r1_rule APP3670 MEDIUM The designer will ensure the application has a capability to display the user's time and date of the last change in data content. Without access control mechanisms in place, the data is not secure. The time and date display of data content change provides an indication that the data may have been accessed by unauthorized persons, and it may have been compromised, misused, or changed
    SV-17819r1_rule APP3750 MEDIUM The designer will ensure development of new mobile code includes measures to mitigate the risks identified. New mobile code types may introduce unknown vulnerabilities if a risk assessment is not completed prior to the use of mobile code. Responsibility: System Administrator. IA Controls: DCMC-1.
    SV-17820r1_rule APP4010 LOW The Release Manager will ensure the access privileges to the configuration management (CM) repository are reviewed every 3 months. Incorrect access privileges to the CM repository can lead to malicious code or unintentional code being introduced into the application. Responsibility: System Administrator. IA Controls: ECPC-1, ECPC-2.
    SV-17822r1_rule APP4030 MEDIUM The Release Manager will develop an SCM plan describing the configuration control and change management process of objects developed and the roles and responsibilities of the organization. Software Configuration Management (SCM) is very important in tracking code releases, baselines, and managing access to the configuration management repository. The SCM plan identifies what should be under configuration management control. Without an SCM p
    SV-17823r1_rule APP4040 MEDIUM The Release Manager will establish a Configuration Control Board (CCB), that meets at least every release cycle, for managing the CM process. Software Configuration Management (SCM) is very important in tracking code releases, baselines, and managing access to the configuration management repository. The SCM plan identifies what should be under configuration management control. Without an SCM p
    SV-17824r1_rule APP5010 LOW The Test Manager will ensure at least one tester is designated to test for security flaws in addition to functional testing. If there is no person designated to test for security flaws, vulnerabilities can potentially be missed during testing. Responsibility: Information Assurance Manager. IA Controls: DCSQ-1.
    SV-17825r1_rule APP5040 MEDIUM The Test Manager will ensure the changes to the application are assessed for IA and accreditation impact prior to implementation. IA assessment of proposed changes is necessary to ensure security integrity is maintained within the application. IA Controls: DCII-1.
    SV-17826r1_rule APP5050 MEDIUM The Test Manager will ensure test plans and procedures are created and executed prior to each release of the application or updates to system patches. Without test plans and procedures for application releases or updates, unexpected results may occur which could lead to a denial of service to the application or components. Responsibility: System Administrator. IA Controls: DCCT-1.
    SV-17827r1_rule APP5060 MEDIUM The Test Manager will ensure test procedures are created and at least annually executed to ensure system initialization, shutdown, and aborts are configured to ensure the system remains in a secure state. Secure state assurance cannot be accomplished without testing the system state at least annually to ensure the system remains in a secure state upon initialization, shutdown and abort. Responsibility: System Administrator. IA Controls: DCSS-2.
    SV-17828r1_rule APP5070 LOW The Test Manager will ensure code coverage statistics are maintained for each release of the application. Code coverage statistics describe how much of the source code has been executed by the test procedures. Responsibility: System Administrator. IA Controls: DCSQ-1.
    SV-53700r1_rule APP5080 MEDIUM The Test Manager will ensure a code review is performed before the application is released. A code review is a systematic evaluation of computer source code conducted for the purposes of identifying and remediating security flaws. Examples of security flaws include but are not limited to format string exploits, memory leaks, buffer overflows or
    SV-17830r1_rule APP5090 MEDIUM The Test Manager will ensure flaws found during a code review are tracked in a defect tracking system. If flaws are not tracked, they may be forgotten and omitted from a release. Tracking flaws in the configuration management repository will help identify code elements to be changed, as well as the requested change. Responsibility: System Administrator. IA Controls: DCSQ-1.
    SV-55789r2_rule APP5100 MEDIUM The IAO will ensure active vulnerability testing is performed. Use of automated scanning tools accompanied with manual testing/validation which confirms or expands on the automated test results is an accepted best practice when performing application security testing. Automated scanning tools expedite and help to st
    SV-17832r1_rule APP5110 MEDIUM The Test Manager will ensure security flaws are fixed or addressed in the project plan. If security flaws are not tracked, they may be forgotten and omitted from a release. Tracking flaws in the project plan will help identify code elements to be changed as well as the requested change. Responsibility: System Administrator. IA Controls: DCSQ-1.
    SV-17833r1_rule APP6010 MEDIUM The IAO will ensure if an application is designated critical, the application is not hosted on a general purpose machine. Critical applications should not be hosted on a multi-purpose server with other applications. Applications that share resources are susceptible to the other shared applications' security defects. Even if the critical application is designed and deployed se
    SV-17834r1_rule APP6020 MEDIUM The IAO shall ensure if a DoD STIG or NSA guide is not available, a third-party product will be configured by the following in descending order as available: (1) commercially accepted practices, (2) independent testing results, or (3) vendor literature. Not all COTS products are covered by a STIG. Those products not covered by a STIG should, at a minimum, be configured to the vendor's recommended guidelines. Responsibility: System Administrator. IA Controls: DCCS-1.
    SV-17835r1_rule APP6040 MEDIUM The IAO will ensure at least one application administrator has registered to receive update notifications, or security alerts, when automated alerts are available. Administrators should register for updates to all COTS and custom developed software, so when security flaws are identified, they can be tracked for testing and updates of the application can be applied. IA Controls: DCCT-1.
    SV-17836r1_rule APP6050 MEDIUM The IAO will ensure the system and installed applications have current patches, security updates, and configuration settings. Due to viruses, worms, Trojans, and other malicious software, in addition to inevitable weaknesses in code, the necessity to patch critical vulnerabilities is paramount. As part of the general practice of performing application or system administration, i
    SV-55087r1_rule APP6060 HIGH The IAO will ensure the application is decommissioned when maintenance or support is no longer available. When maintenance no longer exists for an application, there are no individuals responsible for providing security updates. The application is no longer supported, and should be decommissioned. Responsibility: System Administrator. IA Controls: ECSC-1, DCSD-1.
    SV-17838r1_rule APP6070 LOW The IAO will ensure procedures are in place to notify users when an application is decommissioned. When maintenance no longer exists for an application, there are no individuals responsible for making security updates. The application should maintain procedures for decommissioning. Responsibility: System Administrator. IA Controls: DCSD-1.
    SV-17839r1_rule APP6080 MEDIUM The IAO will ensure protections against DoS attacks are implemented. Known threats documented in the threat model should be mitigated, to prevent DoS type attacks. Responsibility: System Administrator. IA Controls: DCSQ-1.
    SV-17840r1_rule APP6090 LOW The IAO will ensure the system alerts an administrator when low resource conditions are encountered. In order to prevent DoS type attacks, applications should be monitored so that when resource conditions reach a predefined threshold, indicating an attack may be occurring, an alert is raised. Responsibility: System Administrator. IA Controls: ECAT-2.
    SV-17841r1_rule APP6110 LOW The IAO will review audit trails periodically based on system documentation recommendations or immediately upon system security events. Without access control the data is not secure. It can be compromised, misused, or changed by unauthorized access at any time. IA Controls: ECCD-2.
    SV-17842r1_rule APP6120 MEDIUM The IAO will report all suspected violations of IA policies in accordance with DoD information system IA procedures. All potential sources are monitored for suspected violations of IA policies. If there are no policies regarding the reporting of IA violations, some IA violations may not be tracked or dealt with in a proper manner. Responsibility: System Administrator. IA Controls: ECAT-2.
    SV-17843r1_rule APP6130 LOW The IAO will ensure, for classified systems, application audit trails are continuously and automatically monitored, and alerts are provided immediately when unusual or inappropriate activity is detected. For critical and classified systems, an automated, continuous on-line monitoring and audit trail creation capability must be deployed with the capability to immediately alert personnel of any unusual or inappropriate activity with potential IA implication
    SV-17844r1_rule APP6170 MEDIUM The IAO will ensure back-up copies of the application software are stored in a fire-rated container and not collocated with operational software. Inadequate back-up software or improper storage of back-up software can result in extended outages of the information system in the event of a fire or other situation that results in destruction of the operating copy. Responsibility: System Administrator. IA Controls: COSW-1.
    SV-17845r1_rule APP6180 MEDIUM The IAO will ensure procedures are in place to assure the appropriate physical and technical protection of the backup and restoration of the application. Protection of backup and restoration assets is essential for the successful restore of operations after a catastrophic failure or damage to the system or data files. Failure to follow proper procedures may result in the permanent loss of system data and/o
    SV-17846r1_rule APP6200 MEDIUM The IAO will ensure a disaster recovery plan exists in accordance with DoD policy based on the Mission Assurance Category (MAC). Well thought out recovery plans are essential for system recovery and/or business restoration in the event of catastrophic failure or disaster. Responsibility: System Administrator. IA Controls: CODP-3, CODB-2, CODB-1.
    SV-17847r1_rule APP6210 MEDIUM The IAO will ensure an account management process is implemented, verifying only authorized users can gain access to the application, and individual accounts designated as inactive, suspended, or terminated are promptly removed. A comprehensive account management process will ensure that only authorized users can gain access to applications and that individual accounts designated as inactive, suspended, or terminated are promptly deactivated. Such a process greatly reduces the ri
    SV-17848r1_rule APP6220 HIGH The IAO will ensure passwords generated for users are not predictable and comply with the organization's password policy. Predictable passwords may allow an attacker to gain immediate access to new user accounts which would result in a loss of integrity. Any vulnerability associated with a DoD Information system or system enclave, the exploitation of which, by a risk factor
    SV-17849r1_rule APP6230 MEDIUM The IAO will ensure the application's users do not use shared accounts. Group or shared accounts for application access may be used only in conjunction with an individual authenticator. Group accounts do not allow for proper auditing of who is accessing the application, and security incidents cannot be attributed to specific i
    SV-17850r1_rule APP6270 MEDIUM The IAO will ensure connections between the DoD enclave and the Internet or other public or commercial wide area networks require a DMZ. In order to protect DoD data and systems, all remote access to DoD information systems must be mediated through a managed access control point, such as a remote access server in a DMZ. Responsibility: System Administrator. IA Controls: EBPW-1.
    SV-21828r1_rule APP6280 HIGH The IAO will ensure web servers are on logically separate network segments from the application and database servers if it is a tiered application. Web servers should be on logically separated network segments from the application and database servers in order to provide different levels and types of defenses for each type of server. Failure to comply would result in an immediate loss of confidentia
    SV-21829r1_rule APP6290 HIGH The designer and the IAO will ensure physical operating system separation and physical application separation is employed between servers of different data types in the web tier of Increment 1/Phase 1 deployment of the DoD DMZ for Internet-facing applications. Restricted and unrestricted data residing on the same server may allow unauthorized access which would result in a loss of integrity and possibly the availability of the data. This requirement to this STIG was added at the request of the DoD DMZ PM. Th
    SV-21830r1_rule APP3760 MEDIUM The designer will ensure web services are designed and implemented to recognize and react to the attack patterns associated with application-level DoS attacks. Because of potential denial of service, web services should be designed to recognize potential attack patterns. IA Controls: DCSQ-1.
    SV-21831r2_rule APP3770 MEDIUM The designer will ensure the web service design includes redundancy of critical functions. Because of potential denial of service, web services should be designed to be redundant. IA Controls: DCSQ-1.
    SV-21832r1_rule APP3780 MEDIUM The designer will ensure web service design of critical functions is implemented using different algorithms to prevent similar attacks from forming a complete application level DoS. Denial of service attacks could occur if web services use the same algorithm for all critical features. An algorithm is defined as: an effective method expressed as a finite list of well-defined instructions. Combining a large array of varying, unrelated
    SV-21833r1_rule APP3790 MEDIUM The designer will ensure web services are designed to prioritize requests to increase availability of the system. Because of potential denial of service, web services should be designed to prioritize web service requests. IA Controls: DCSQ-1.
    SV-21834r1_rule APP3800 MEDIUM The designer will ensure execution flow diagrams are created and used to mitigate deadlock and recursion issues. To prevent web services from becoming deadlocked, an execution flow diagram should be documented. IA Controls: DCSQ-1.
    SV-21835r1_rule APP6300 MEDIUM The IAO will ensure an XML firewall is deployed to protect web services. Web Services are vulnerable to many types of attacks. XML based firewalls can be used to prevent common attacks. IA Controls: DCSQ-1.
    SV-21836r1_rule APP3820 HIGH The designer will ensure web services provide a mechanism for detecting resubmitted SOAP messages. SOAP messages should be designed so duplicate messages are detected. Replay attacks may lead to a loss of confidentiality and potentially a loss of availability. Any vulnerability associated with a DoD Information system or system enclave, the exploitati
    SV-21837r1_rule APP3830 MEDIUM The designer and IAO will ensure digital signatures exist on UDDI registry entries to verify the publisher. UDDI registries must provide digital signatures for verification of integrity of the publisher of each web service contained within the registry. Users publishing to the UDDI repository could potentially set up multiple fraudulent web services without a d
    SV-21838r1_rule APP3840 MEDIUM The designer and IAO will ensure UDDI versions are used supporting digital signatures of registry entries. UDDI repositories must provide the capability to support digital signatures. Without the capability to support digital signatures, web service users cannot verify the integrity of the UDDI registry. IA Controls: DCSQ-1.
    SV-21839r1_rule APP3850 MEDIUM The designer and IAO will ensure UDDI publishing is restricted to authenticated users. Fictitious or false entries could result if someone other than an authenticated user is able to create or modify the UDDI registry. The data integrity would be questionable if anonymous users are able to write to the repository. IA Controls: DCSQ-1.
    SV-21840r1_rule APP6310 MEDIUM The IAO will ensure web service inquiries to UDDI provide read-only access to the registry to anonymous users. If modification of UDDI registries is allowed by anonymous users, UDDI registries can be corrupted, or potentially be hijacked. IA Controls: ECLP-1.
    SV-21841r1_rule APP6320 MEDIUM The IAO will ensure, if the UDDI registry contains sensitive information, that read access to the UDDI registry is granted only to authenticated users. If a UDDI registry contains sensitive data, the repository should require authentication to read the UDDI data repository. If the repository does not require authentication, the UDDI data repository will be accessed by anonymous users. IA Controls: ECCR-2, ECCR-1.
    SV-21842r1_rule APP3860 MEDIUM The designer will ensure SOAP messages requiring integrity sign the following message elements: Message ID, Service Request, Timestamp, and SAML Assertion (optionally included in messages). Digitally signed SOAP messages provide message integrity and authenticity of the signer of the message independent of the transport layer. Service requests may be intercepted and changed in transit and the data integrity may be at risk if the SOAP message
    SV-55089r1_rule APP3870 HIGH The designer will ensure when using WS-Security, messages use timestamps with creation and expiration times. The lack of timestamps could lead to the eventual replay of the message, leaving the application susceptible to replay events which may result in an immediate loss of confidentiality. Any vulnerability associated with a DoD Information system or system
    SV-21844r1_rule APP3880 HIGH The designer will ensure validity periods are verified on all messages using WS-Security or SAML assertions. When using WS-Security in SOAP messages, the application should check the validity of the timestamps with creation and expiration times. Unvalidated timestamps may lead to a replay event and provide immediate unauthorized access to the application. Unaut
    SV-21845r1_rule APP3890 MEDIUM The designer shall ensure each unique asserting party provides unique assertion ID references for each SAML assertion. SAML assertion identifiers should be unique across a server implementation. Duplicate SAML assertion identifiers could lead to unauthorized access to a web service. IA Controls: IAIA-2.
    SV-21846r1_rule APP3900 MEDIUM The designer shall ensure encrypted assertions, or equivalent confidentiality protections, when assertion data is passed through an intermediary, and confidentiality of the assertion data is required to pass through the intermediary. The confidentiality of the data in a message as the message is passed through an intermediary web service may be required to be restricted from the intermediary web service. The intermediary web service may leak or distribute the data contained in a message
    SV-21847r1_rule APP3960 MEDIUM The designer will ensure the application is compliant with all DoD IT Standards Registry (DISR) IPv6 profiles. If the application has not been upgraded to execute on an IPv6-only network, there is a possibility the application will not execute properly, and as a result, a denial of service could occur. IA Controls: DCSQ-1.
    SV-21848r1_rule APP3970 MEDIUM The designer will ensure supporting application services and interfaces have been designed, or upgraded for, IPv6 transport. If the application's supporting services (e.g., software update, security update, driver updating, and automatic patching services) have not been updated to retrieve updates over an IPv6 network connection, there is a possibility the application will not
    SV-21849r1_rule APP3980 MEDIUM The designer will ensure the application is compliant with IPv6 multicast addressing and features IPv6 network configuration options as defined in RFC 4038. If the application has not been updated to IPv6 multicast features, there is a possibility the application will not execute properly and as a result, a denial of service could occur. IA Controls: DCSQ-1.
    SV-21850r1_rule APP3990 MEDIUM The designer will ensure the application is compliant with the IPv6 addressing scheme as defined in RFC 1884. If the application is not compliant with the IPv6 addressing scheme, the entry of IPv6 formats that are 128 bits long or hexadecimal notation including colons could result in buffer overflows compromising the application and creating additional attack v
    SV-23682r1_rule APP3810 HIGH The designer will ensure the application is not vulnerable to XML Injection. XML injection results in an immediate loss of "integrity" of the data. Any vulnerability associated with a DoD Information system or system enclave, the exploitation of which, by a risk factor, will directly and immediately result in loss of Confiden
    SV-23685r1_rule APP3585 MEDIUM The designer will ensure the application does not have CSRF vulnerabilities. Cross Site Request Forgery (CSRF) is an attack where an end user is previously authenticated to a specific website and the user, through social engineering (e.g., e-mail or chat), launches a hyperlink which executes unwanted actions on that website. A CSRF att
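Added example (not from the STIG): a synchronizer-token CSRF check in Python for APP3585. Each session gets one unguessable token that must accompany every state-changing request; the request's Origin (or Referer) header must also match the site, and the comparison is constant-time. The class, the allowed-origin string and the header and field names are this example's own assumptions; the token store is an in-memory dict standing in for server-side session storage.

```python
import hmac
import secrets
from urllib.parse import urlparse

SAFE_METHODS = ("GET", "HEAD", "OPTIONS")   # must never change state, so need no token


class CsrfProtection:
    """Synchronizer token pattern: one random secret per session, bound to the
    session on the server, required on every state-changing request."""

    def __init__(self, allowed_origin: str):
        self.allowed_origin = allowed_origin   # e.g. "https://app.example.mil" (assumed)
        self.tokens = {}                       # session_id -> token (server-side store)

    def issue_token(self, session_id: str) -> str:
        """Return the session's token, creating it on first use. Embed it in
        forms as a hidden field or expose it to scripts for a request header."""
        token = self.tokens.get(session_id)
        if token is None:
            token = secrets.token_urlsafe(32)
            self.tokens[session_id] = token
        return token

    def _same_origin(self, header_value: str) -> bool:
        parts = urlparse(header_value)
        return parts.scheme + "://" + parts.netloc == self.allowed_origin

    def validate(self, session_id: str, method: str, headers: dict, form: dict) -> bool:
        """True if the request may proceed. Rejects any state-changing request
        whose Origin/Referer is foreign or whose token is absent or wrong."""
        if method.upper() in SAFE_METHODS:
            return True
        origin = headers.get("Origin") or headers.get("Referer")
        if not origin or not self._same_origin(origin):
            return False
        expected = self.tokens.get(session_id)
        supplied = form.get("csrf_token") or headers.get("X-CSRF-Token")
        if expected is None or supplied is None:
            return False
        # Constant-time comparison; encode so non-ASCII input cannot raise.
        return hmac.compare_digest(expected.encode("utf-8"), supplied.encode("utf-8"))


if __name__ == "__main__":
    csrf = CsrfProtection("https://app.example.mil")
    token = csrf.issue_token("session-123")
    print(csrf.validate("session-123", "POST",
                        {"Origin": "https://app.example.mil"}, {"csrf_token": token}))
    print(csrf.validate("session-123", "POST",
                        {"Origin": "https://evil.example"}, {"csrf_token": token}))
```

The token check is what defeats forged cross-site requests; the Origin check is defence in depth and also catches the case where a token has leaked. Marking the session cookie `SameSite` adds a third, browser-enforced layer.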
    SV-23731r1_rule APP2135 HIGH The Program Manager will ensure all products are supported by the vendor or the development team. Unsupported software products should not be used because of the unknown potential vulnerabilities. Any vulnerability associated with a DoD Information system or system enclave, the exploitation of which, by a risk factor, will directly and immediately re
    SV-55088r1_rule APP3910 HIGH The designer shall use the NotOnOrAfter condition when using the SubjectConfirmation element in a SAML assertion. When a SAML assertion is used with a <SubjectConfirmation> element, a begin and end time for the <SubjectConfirmation> should be set to prevent reuse of the message at a later time. Not setting a specific time period for the <SubjectConfirmation> may grant immediate access to an attacker and results in an immediate
    SV-25355r1_rule APP3920 HIGH The designer shall use both the <NotBefore> and <NotOnOrAfter> elements or <OneTimeUse> element when using the <Conditions> element in a SAML assertion. When a SAML assertion is used with a <Conditions> element, a begin and end time for the <Conditions> element should be set to prevent reuse of the message at a later time. If no specific time period is set for the <Conditions> element, the possibility exists of granting immediate access or
    SV-25356r1_rule APP3940 MEDIUM The designer will ensure the asserting party uses FIPS approved random numbers in the generation of SessionIndex in the SAML element AuthnStatement. A predictable SessionIndex could lead to an attacker computing a future SessionIndex, thereby possibly compromising the application. Responsibility: System Administrator. IA Controls: DCSQ-1.
    SV-25357r1_rule APP3950 MEDIUM The designer shall ensure messages are encrypted when the SessionIndex is tied to privacy data. When the SessionIndex is tied to privacy data (e.g., attributes containing privacy data) the message should be encrypted. If the message is not encrypted there is the possibility of compromise of privacy data. Responsibility: System Administrator. IA Controls: ECNK-1.
    SV-25358r1_rule APP3930 MEDIUM The designer shall ensure if a OneTimeUse element is used in an assertion, there is only one used in the Conditions element portion of an assertion. Multiple OneTimeUse elements used in a SAML assertion can lead to elevation of privileges, if the application does not process SAML assertions correctly. Responsibility: System Administrator. IA Controls: DCSQ-1.
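Added example (not from the STIG): the relying-party checks behind APP3880, APP3890, APP3910, APP3920 and APP3930 in one Python validator. It reads a SAML 2.0 assertion and enforces that `<Conditions>` carries either NotBefore and NotOnOrAfter or exactly one `<OneTimeUse>`, that every `<SubjectConfirmationData>` has a NotOnOrAfter that has not passed, that the clock comparisons allow a small skew, and that an assertion ID is never accepted twice. The 60-second skew, the result tuples and the `make_assertion` builder that constructs the sample inputs are this example's own; signature verification and schema validation are assumed to have run before it, and untrusted XML should be parsed with a hardened parser such as defusedxml rather than the stock ElementTree used here for portability.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
CLOCK_SKEW = timedelta(seconds=60)   # assumed tolerance between IdP and SP clocks


def parse_time(value: str) -> datetime:
    """SAML carries xs:dateTime in UTC, e.g. 2024-05-01T12:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


class AssertionValidator:
    def __init__(self, now):
        self.now = now          # callable returning an aware datetime (injectable)
        self.seen_ids = set()   # replay cache; in production, persist and bound it

    def validate(self, xml_text: str):
        """Return (accepted, reason)."""
        root = ET.fromstring(xml_text)
        if root.tag != "{%s}Assertion" % SAML_NS:
            return False, "not a SAML Assertion"
        assertion_id = root.get("ID")
        if not assertion_id:
            return False, "missing assertion ID"
        now = self.now()

        cond = root.find("saml:Conditions", NS)
        if cond is None:
            return False, "missing Conditions"
        one_time = cond.findall("saml:OneTimeUse", NS)
        if len(one_time) > 1:                             # APP3930
            return False, "more than one OneTimeUse element"
        not_before = cond.get("NotBefore")
        not_on_or_after = cond.get("NotOnOrAfter")
        if not one_time and not (not_before and not_on_or_after):   # APP3920
            return False, "Conditions need NotBefore and NotOnOrAfter, or OneTimeUse"
        if not_before and now + CLOCK_SKEW < parse_time(not_before):
            return False, "assertion not yet valid"
        if not_on_or_after and now - CLOCK_SKEW >= parse_time(not_on_or_after):
            return False, "assertion expired"

        path = "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData"
        for scd in root.findall(path, NS):                # APP3910
            limit = scd.get("NotOnOrAfter")
            if limit is None:
                return False, "SubjectConfirmationData without NotOnOrAfter"
            if now - CLOCK_SKEW >= parse_time(limit):
                return False, "subject confirmation expired"

        if assertion_id in self.seen_ids:                 # APP3890 / replay
            return False, "replayed assertion ID"
        self.seen_ids.add(assertion_id)
        return True, "ok"


def make_assertion(assertion_id, not_before=None, not_on_or_after=None,
                   one_time_use=0, scd_not_on_or_after=None) -> str:
    """Construct a minimal (unsigned) sample assertion for the example."""
    cond_attrs = ""
    if not_before:
        cond_attrs += ' NotBefore="%s"' % not_before
    if not_on_or_after:
        cond_attrs += ' NotOnOrAfter="%s"' % not_on_or_after
    subject = ""
    if scd_not_on_or_after:
        subject = ('<saml:Subject><saml:NameID>alice</saml:NameID>'
                   '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
                   '<saml:SubjectConfirmationData NotOnOrAfter="%s"/>'
                   '</saml:SubjectConfirmation></saml:Subject>') % scd_not_on_or_after
    return ('<saml:Assertion xmlns:saml="%s" ID="%s" Version="2.0" '
            'IssueInstant="2024-05-01T12:00:00Z">'
            '<saml:Issuer>https://idp.example.mil</saml:Issuer>%s'
            '<saml:Conditions%s>%s</saml:Conditions></saml:Assertion>'
            % (SAML_NS, assertion_id, subject, cond_attrs, "<saml:OneTimeUse/>" * one_time_use))


if __name__ == "__main__":
    v = AssertionValidator(lambda: datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc))
    a = make_assertion("_a1", "2024-05-01T11:55:00Z", "2024-05-01T12:05:00Z")
    print(v.validate(a))   # accepted once
    print(v.validate(a))   # rejected as a replay
```

The same structure (creation and expiration timestamps checked with bounded skew, plus a cache of message identifiers already seen) is what APP3820 and APP3870 ask of a WS-Security SOAP endpoint.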
    SV-60029r1_rule APP4050 MEDIUM The release manager must ensure application files are cryptographically hashed prior to deploying to DoD operational networks. When application code and binaries are transferred from one environment to another, there is the potential for malware to be introduced into either the application code or even the application binaries themselves. Care must be taken to ensure that applic
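Added example (not from the STIG): a release manifest for APP4050 in Python. `build_manifest` walks a release tree and records a SHA-256 per file; `verify_manifest` re-hashes the deployed tree and reports anything modified, missing or added in transit. The manifest format and function names are this example's own; the manifest itself must travel separately from the files and be signed (or fetched from a trusted source), otherwise an attacker who can alter the binaries can alter the hashes too.

```python
import hashlib
import json
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    base = Path(root)
    return {p.relative_to(base).as_posix(): hash_file(p)
            for p in sorted(base.rglob("*")) if p.is_file()}


def verify_manifest(root: str, manifest: dict) -> dict:
    """Compare the deployed tree with the release manifest. An empty report
    means byte-for-byte the same set of files that left the build environment."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def is_clean(report: dict) -> bool:
    return not any(report.values())


if __name__ == "__main__":
    import sys
    # usage: build <dir>            -> prints manifest JSON
    #        verify <dir> <manifest.json> -> prints the difference report
    action, root = sys.argv[1], sys.argv[2]
    if action == "build":
        print(json.dumps(build_manifest(root), indent=2))
    else:
        with open(sys.argv[3]) as handle:
            print(json.dumps(verify_manifest(root, json.load(handle)), indent=2))
```

Keep the manifest outside the tree it describes (or exclude it explicitly); otherwise it shows up as an unexpected file on verification.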