Application Security and Development STIG

Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. Review the application components and the application requirements to determine if the application is capable of generating cryptographic hashes. Review the application documentation and interview the application developer or administrator to identify the cryptographic modules used by the application.

If hashing of application components has been identified in the application security plan as not being required and a documented acceptance of risk is provided, this is not a finding. If the application is not designed to generate cryptographic hashes, this requirement is not applicable. Have the application admin or the developer demonstrate how the application generates hashes and what hashing algorithms are used when generating a hash value.

If the application is designed to generate hash values and FIPS-validated cryptographic modules are not used when generating hashes, or if the application is configured to use the MD5 or SHA1 hashing algorithm rather than SHA2, this is a finding.

Application management includes the ability to control the number of users and user sessions that utilize an application. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to DoS attacks. This requirement may be met via the application or by utilizing information system session control provided by a web server or other underlying solution that provides specialized session management capabilities.
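A reviewer performing the hash-algorithm check above usually has to read configuration files and source fragments rather than a single setting. The following is an added example (not part of the STIG or any product) that scans such text and classifies each algorithm reference according to the rule on this page: MD5 and SHA1 are findings, the SHA-2 family is acceptable, and anything else is flagged for manual review. The `fips_mode` key and the sample lines are constructed assumptions.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line algorithm status note")

# Names the check treats as findings (MD5, SHA1) and as acceptable (SHA-2 family).
# Anything else (e.g. SHA-3 names) is reported for manual review because the check
# text above does not rule on it.
WEAK_HASHES = {"md5", "sha1"}
SHA2_HASHES = {"sha224", "sha256", "sha384", "sha512", "sha512/224", "sha512/256"}

# Matches algorithm names as they appear in config keys, Java MessageDigest.getInstance(),
# Python hashlib calls and OpenSSL EVP_* identifiers. Lookarounds instead of \b so that
# "EVP_sha1" (underscore before the name) is still matched.
ALGO_RE = re.compile(
    r"(?<![A-Za-z0-9])"
    r"(md5|sha[-_]?1|sha[-_]?(?:224|256|384|512)(?:/(?:224|256))?|sha[-_]?3[-_](?:224|256|384|512))"
    r"(?![A-Za-z0-9])",
    re.IGNORECASE,
)
# Assumed shape of a FIPS-mode switch in an application config; not a real product setting.
FIPS_RE = re.compile(r"^\s*fips[\w.]*\s*[=:]\s*(\w+)", re.IGNORECASE)


def normalize(name):
    """'SHA-256' -> 'sha256', 'sha512/256' stays, 'SHA3_256' -> 'sha3256'."""
    return name.lower().replace("-", "").replace("_", "")


def audit_hash_config(text):
    """Scan config or source text line by line and classify every hash algorithm reference."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ALGO_RE.finditer(line):
            algo = normalize(m.group(1))
            if algo in WEAK_HASHES:
                findings.append(Finding(lineno, algo, "finding", "MD5/SHA1 not permitted"))
            elif algo in SHA2_HASHES:
                findings.append(Finding(lineno, algo, "acceptable", "SHA-2 family"))
            else:
                findings.append(Finding(lineno, algo, "review", "not ruled on by this check"))
        fm = FIPS_RE.match(line)
        if fm and fm.group(1).lower() in {"off", "false", "0", "no"}:
            findings.append(Finding(lineno, "fips", "finding", "FIPS-validated module not enforced"))
    return findings


def has_finding(findings):
    return any(f.status == "finding" for f in findings)


# Constructed sample of configuration and source fragments (not from any real product).
SAMPLE = """\
# password storage
password.hash.algorithm = MD5
integrity.digest = SHA-256
MessageDigest md = MessageDigest.getInstance("SHA-1");
h = hashlib.new("sha512/256")
EVP_MD *md = EVP_sha3_256();
fips_mode = off
"""

if __name__ == "__main__":
    for f in audit_hash_config(SAMPLE):
        print(f"line {f.line}: {f.algorithm:<11} {f.status:<10} {f.note}")
```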

If it has been specified that this requirement will be handled by the application, the capability to limit the maximum number of concurrent single user sessions must be designed and built into the application. This requirement addresses concurrent sessions for individual system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system. Design and configure the application to specify the number of logon sessions that are allowed per user.

For production environments, review the system documentation, identify the number of application user logon sessions allowed per user, and identify the methods utilized for user session management, or have the application administrator describe how the application implements user session management. Utilize the management interface that is used to set the user session values, or examine configuration files in order to review user session configuration settings. Ensure the number of sessions allowed per user is specified in accordance with the organizational requirements.

For development environments, have the developer provide design documentation or demonstrate how the application is designed to limit the number of simultaneous user logon sessions. If the application is not configured to limit the number of logon sessions per user as defined by the organization, this is a finding. Use web or application server session management capabilities to limit the number of user application sessions or build session management capabilities into the application.

Persistent cookies are a primary means by which a web application will store application state and user information.

Since HTTP is a stateless protocol, this persistence allows the web application developer to provide a robust and customizable user experience. However, if a web application stores user authentication information within a persistent cookie or other temporary storage mechanism, this information can be stolen and used to compromise the user's account. Likewise, HTML5 provides the developer with a client storage capability where application data larger than the 4K cookie size limit can be stored on the local client.

While this can be beneficial to the developer, this is considered insecure storage and should not be used for storing sensitive session or security tokens. A cross site scripting attack can put this data at risk.

Web applications must clear sensitive data from files and storage areas on the client when the session is terminated. Design and configure the application to clear sensitive data from cookies and local storage when the user logs out of the application. Review application design documentation and interview application administrator to identify how the application makes use of temporary client storage and cookies.

Identify cookie and web storage locations on the client. Clear all browser cookies and web cache. Log on to the application and perform several standard operations, noting if the application ever prompts the user to accept a cookie. If the browser prompts to save the user ID and password, decline to save them; the prompt itself is a finding. Log out of the application and close the browser.

Reopen the browser and examine the stored cookies. The cookies displayed should be related to the application website. The procedure to view cookies will vary according to the browser used. Open the cookies related to the application website and search for any identification or authentication information. If the web application prompts the user to save their password, or if a username or password value exists within a cookie or within local storage locations, even if hashed, this is a finding.

The application may use means other than cookies to store user information. If the reviewer detects an alternative mechanism for storing information locally, examine the data storage to ensure no authentication or other sensitive information is present.

Session termination terminates an individual user's logical application session after 15 minutes of application inactivity, at which time the user must re-authenticate and a new session must be established if the user desires to continue work in the application.

Design and configure the application to terminate the non-privileged user's session after 15 minutes of inactivity. Ask the application representative to demonstrate the configuration setting where the idle timeout value is defined. Alternatively, log on with a regular application user account and let the session sit idle for 15 minutes.

Attempt to access the application after 15 minutes of inactivity. If the configuration setting is not set to time out user sessions after 15 minutes of inactivity, or if the regular user session used for testing does not time out after 15 minutes of inactivity, this is a finding.

Leaving an admin user's application session established for an indefinite period of time increases the risk of session hijacking. Session termination terminates an individual user's logical application session after 10 minutes of application inactivity, at which time the user must re-authenticate and a new session must be established if the user desires to continue work in the application. Design and configure the application to terminate the admin user's session after 10 minutes of inactivity.

Ask the application representative to demonstrate the application configuration setting where the idle timeout value is defined for admin users. Alternatively, log on with an admin user account and let the session sit idle for 10 minutes. Attempt to access the application after 10 minutes of inactivity. If the configuration setting is not set to time out admin user sessions after 10 minutes of inactivity, or if the session used for testing does not time out after 10 minutes of inactivity, this is a finding.

If a user cannot explicitly end an application session, the session may remain open and be exploited by an attacker. Applications providing user access must provide the ability for users to manually terminate their sessions and log off. Design and configure the application to provide all users with the capability to manually terminate their application session. If the application does not provide an interface for interactive user access, this is not applicable. Log on to the application with a valid user account.

Examine the user interface. Identify the command or link that provides the logoff function. Activate the user logoff function. Observe the user interface and attempt to interact with the application. Confirm user interaction with the application is no longer possible. If the user session is not terminated or if the logoff function does not exist, this is a finding.
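The session requirements above (a per-user concurrent session limit, a 15-minute idle timeout for regular users and 10 minutes for admins, clearing client state on logoff, and an explicit logoff message) are usually enforced together in one server-side session store. The following is an added example of such a store, not code from the STIG or any product; the role names, the session limit of three, the cookie name `session` and the injectable clock are assumptions.

```python
import secrets
import time
from dataclasses import dataclass

# Idle limits from the STIG text: 15 minutes for non-privileged users, 10 for admins.
IDLE_TIMEOUT_SECONDS = {"user": 15 * 60, "admin": 10 * 60}


class SessionError(Exception):
    """Raised when a request cannot be associated with a live session."""


@dataclass
class Session:
    token: str
    user: str
    role: str
    last_activity: float


class SessionManager:
    """Assumed server-side session store (not from the STIG) that enforces a per-user
    concurrent session limit, role-based idle timeouts and explicit logoff."""

    def __init__(self, max_sessions_per_user=3, clock=time.monotonic):
        self.max_sessions_per_user = max_sessions_per_user
        self._clock = clock          # injectable so tests can advance time deterministically
        self._sessions = {}          # token -> Session

    def active_sessions(self, user):
        """Number of live (not idle-expired) sessions held by one account."""
        self._expire_idle()
        return sum(1 for s in self._sessions.values() if s.user == user)

    def logon(self, user, role):
        """Create a session; the logon is rejected once the user holds the maximum."""
        if role not in IDLE_TIMEOUT_SECONDS:
            raise ValueError(f"unknown role {role!r}")
        if self.active_sessions(user) >= self.max_sessions_per_user:
            raise SessionError("concurrent session limit reached; end another session first")
        token = secrets.token_urlsafe(32)   # unpredictable session identifier
        self._sessions[token] = Session(token, user, role, self._clock())
        return token

    def touch(self, token):
        """Call on every request: refreshes activity or raises if the session is gone."""
        self._expire_idle()
        session = self._sessions.get(token)
        if session is None:
            raise SessionError("no active session; re-authentication required")
        session.last_activity = self._clock()
        return session

    def logoff(self, token):
        """Explicit termination. Returns response headers that clear client-side state
        (cookie and web storage) plus the explicit logoff message the user must see."""
        self._sessions.pop(token, None)
        headers = {
            "Set-Cookie": "session=; Max-Age=0; Path=/; Secure; HttpOnly; SameSite=Strict",
            "Clear-Site-Data": '"cookies", "storage"',
        }
        return headers, "You have been logged off. Close your browser to finish."

    def _expire_idle(self):
        """Drop every session whose idle time has reached the limit for its role."""
        now = self._clock()
        for token, s in list(self._sessions.items()):
            if now - s.last_activity >= IDLE_TIMEOUT_SECONDS[s.role]:
                del self._sessions[token]
```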

If a user is not explicitly notified that their application session has been terminated, they cannot be certain that their session did not remain open. Applications with a user access interface must provide an explicit logoff message to the user upon successful termination of the user session. Design and configure the application to provide an explicit logoff message to users indicating a successful logoff has occurred upon user session termination. If the application does not provide an explicit logoff message indicating the user session has been terminated, this is a finding.

Without the association of security attributes to information, there is no basis for the application to make security related access-control decisions. Security attributes are abstractions representing the basic properties or characteristics of an entity. These attributes are typically associated with internal data structures. One example includes marking data as classified or FOUO. These security attributes may be assigned manually or during data processing but either way, it is imperative these assignments are maintained while the data is in storage.

If the security attributes are lost when the data is stored, there is the risk of a data compromise. Classify the system hosting the application with default classification. Treat all unmarked data at the highest classification as the overall hosting system is classified. If there is no classification, mark system high. Design and configure the application to assign data marking and ensure the marking is retained when the data is stored.

Review the application documentation and interview the application administrator. Determine if the application processes classified, FOUO, or other data that is required to be marked and identify if the application requirements specify data markings of any other types of data. If the application does not contain classified, FOUO, or other data that is required to be marked, this requirement is not applicable.

Review the database or other storage mechanism and have the application administrator identify and demonstrate how the application assigns and maintains data markings while the data is in storage. Typical methods for marking data include utilizing a table or database field that contains the marking information and associating the marking information with the data.

If application data required to be marked is not marked and does not retain its marking while it is being stored, this is a finding. Create POAM documentation and plan to create and retain data markings within application. These security attributes may be assigned manually or during data processing but either way, it is imperative these assignments are maintained while the data is in process.

If the security attributes are lost when the data is being processed, there is the risk of a data compromise. Identify if the application requirements include data marking. Also determine if the application processes classified, FOUO or other data that is required to be marked.

If the application does not contain classified, FOUO or have data marking requirements, this requirement is not applicable. Access the user interface for the application and navigate through the application. Perform several application actions that will manipulate data contained within the application. For example, create a test record and assign a data marking to the data element.

Save the test record, close the data entry fields and navigate to display the test record. Perform an edit action on the test data that does not edit the marking itself, or perform another form of data processing such as assigning the data to another user's work queue for review or printing the data. Ensure the data marking is retained throughout the data processing actions.

If application data required to be marked does not retain its marking while it is being processed by the application, this is a finding. These security attributes may be assigned manually or during data processing but either way, it is imperative these assignments are maintained while the data is in transmission. If the security attributes are lost when the data is being transmitted, there is the risk of a data compromise.

Identify whether the application requirements include data marking and determine whether the application processes classified, FOUO, or other data that is required to be marked. Perform an application action that will transmit marked data that is contained within the application. If the application does not contain classified, FOUO, or other data with marking requirements, or if the application does not transmit data, this requirement is not applicable. Initiate the application processes to transmit data.

Access the remote system or have a person with access to the remote system verify the data marking is retained after the data transmission. If application data required to be marked does not retain its marking when it is being transmitted by the application, this is a finding. Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DoD nonpublic information systems by an authorized user or an information system communicating through an external, non-organization-controlled network.

Remote access methods include, for example, dial-up, broadband, and wireless. Encryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection, thereby providing a degree of confidentiality. The encryption strength of the mechanism is selected based on the security categorization of the information. Design and configure applications to use TLS encryption to protect the confidentiality of remote access sessions.

Review the application documentation and interview the system administrator.

Identify the application encryption capabilities and methods for implementing encryption protection. For web-based applications, open the web browser and access the website URL. Use the browser and determine if the session is protected via TLS. A secure connection is usually indicated in the upper left-hand corner of the URL by a padlock icon. Click on the padlock icon and examine the connection information. Determine if TLS encryption is used to secure the session.

Review application configuration settings to ensure encryption via TLS is specified. If the connection is not secured with TLS, this is a finding. Without integrity protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Encryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection. Without integrity protection mechanisms, unauthorized individuals may be able to insert inauthentic content into a remote session. Design and configure applications to use TLS encryption to protect the integrity of remote access sessions.

Digitally signed SOAP messages provide message integrity and authenticity of the signer of the message independent of the transport layer. Service requests may be intercepted and changed in transit and the data integrity may be at risk if the SOAP message is not digitally signed. Functional architecture aspects of the application security plan identify the application data elements that require data integrity protection.

Design and configure the application to sign the following message elements for SOAP messages requiring integrity: Review the application documentation, system security plan, application architecture diagrams and interview the application administrator. Review the design document for web services using SOAP messages. If the application does not utilize SOAP messages, this check is not applicable. Review the design document and SOAP messages. If they are included, verify they are signed with a certificate. The lack of time stamps could lead to the eventual replay of the message, leaving the application susceptible to replay events which may result in an immediate loss of confidentiality.

Design and configure applications using WS-Security messages to use time stamps with creation and expiration times and sequence numbers. Ask the application representative for the design document. Review the design document for web services using WS-Security tokens. If the application does not utilize WS-Security tokens, this check is not applicable.

If messages using WS-Security do not contain time stamps, sequence numbers, and expiration, this is a finding. When using WS-Security in SOAP messages, the application should check the validity of the time stamps with creation and expiration times. Time stamps that are not validated may lead to a replay event and provide immediate unauthorized access to the application. Unauthorized access results in an immediate loss of confidentiality. Design and configure the application to use validity periods, and ensure validity periods are verified on all WS-Security token profiles and SAML assertions.

Review the design document for web services. If the design document does not exist, or does not indicate validity periods are checked on messages using WS-Security or SAML assertions, this is a finding.

SAML is a standard for exchanging authentication and authorization data between security domains. SAML assertion identifiers should be unique across a system implementation. Duplicate SAML assertion identifiers could lead to unauthorized access to a web service. Review the design document for web services using SAML assertions. If the application does not utilize SAML assertions, this check is not applicable.

Review the design document and verify SAML assertion identifiers are not reused by a single asserting party. If the design document does not exist, or does not indicate SAML assertion identifiers which are unique for each asserting party, this is a finding. The confidentiality of the data in a message as the message is passed through an intermediary web service may be required to be restricted by the intermediary web service.
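The WS-Security time-stamp and sequence-number checks above and the SAML assertion rules (validity period verified, assertion ID never reused by one asserting party) are what a receiving service has to implement to resist replay. Here is an added example of a receiver-side validator, not code from the STIG or any product: the `app:Sequence` header and its namespace are assumptions, since WS-Security itself defines no sequence number, and the 5-minute lifetime ceiling, 30-second clock skew and sample messages are constructed.

```python
import datetime as dt
import xml.etree.ElementTree as ET

# Namespace URIs from the WS-Security 1.0 and SAML 2.0 specifications; "app" is an assumed
# application namespace for the sequence-number header.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "app": "urn:example:app",
}
MAX_LIFETIME = dt.timedelta(minutes=5)   # assumed ceiling on Expires - Created
CLOCK_SKEW = dt.timedelta(seconds=30)    # assumed tolerance for the sender's clock


def parse_utc(value):
    """xsd:dateTime with a trailing Z, as used by wsu:Created/Expires and SAML Conditions."""
    return dt.datetime.fromisoformat(value.replace("Z", "+00:00"))


class ReplayGuard:
    """Receiver state kept across messages: the last sequence number seen per sender and
    the SAML assertion IDs already accepted from each asserting party."""

    def __init__(self):
        self._last_seq = {}
        self._seen_assertions = set()

    def check_wss_message(self, envelope_xml, now):
        root = ET.fromstring(envelope_xml)
        ts = root.find("soap:Header/wsse:Security/wsu:Timestamp", NS)
        if ts is None:
            return False, "no wsu:Timestamp"
        created_el, expires_el = ts.find("wsu:Created", NS), ts.find("wsu:Expires", NS)
        if created_el is None or expires_el is None:
            return False, "timestamp lacks Created or Expires"
        created, expires = parse_utc(created_el.text), parse_utc(expires_el.text)
        if expires <= created or expires - created > MAX_LIFETIME:
            return False, "validity period missing or unreasonably long"
        if now < created - CLOCK_SKEW:
            return False, "Created lies in the future"
        if now >= expires:
            return False, "message expired"
        seq_el = root.find("soap:Header/app:Sequence", NS)
        if seq_el is None or seq_el.get("sender") is None:
            return False, "no sequence number"
        sender, seq = seq_el.get("sender"), int(seq_el.text)
        if seq <= self._last_seq.get(sender, 0):   # must strictly increase per sender
            return False, "replayed or out-of-order sequence number"
        self._last_seq[sender] = seq
        return True, "ok"

    def check_saml_assertion(self, assertion_xml, now):
        a = ET.fromstring(assertion_xml)
        issuer_el = a.find("saml:Issuer", NS)
        issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
        aid = a.get("ID")
        if not issuer or not aid:
            return False, "assertion lacks Issuer or ID"
        cond = a.find("saml:Conditions", NS)
        if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
            return False, "no validity period"
        not_before, not_after = parse_utc(cond.get("NotBefore")), parse_utc(cond.get("NotOnOrAfter"))
        if now < not_before - CLOCK_SKEW or now >= not_after:
            return False, "assertion outside its validity period"
        if (issuer, aid) in self._seen_assertions:   # uniqueness is per asserting party
            return False, "assertion ID already used by this asserting party"
        self._seen_assertions.add((issuer, aid))
        return True, "ok"


# Constructed messages for demonstration; identifiers and hosts are placeholders.
def make_soap(seq, created, expires, sender="ordering-svc"):
    return f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}"
  xmlns:wsu="{NS['wsu']}" xmlns:app="{NS['app']}">
  <soap:Header>
    <wsse:Security>
      <wsu:Timestamp wsu:Id="TS-1">
        <wsu:Created>{created}</wsu:Created>
        <wsu:Expires>{expires}</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
    <app:Sequence sender="{sender}">{seq}</app:Sequence>
  </soap:Header>
  <soap:Body><app:Ping/></soap:Body>
</soap:Envelope>"""


def make_assertion(assertion_id, not_before, not_on_or_after, issuer="https://idp.example.test"):
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="{assertion_id}" Version="2.0"
  IssueInstant="{not_before}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}"/>
</saml:Assertion>"""
```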

The intermediary web service may leak or distribute the data contained in a message if not encrypted or protected. Encrypt assertions or use equivalent confidentiality when sensitive assertion data is passed through an intermediary. Verify all WS-Security tokens are transmitted via an approved encryption method. If the design document does not exist, or does not indicate all WS-Security tokens are only transmitted via an approved encryption method, this is a finding.

This can be accomplished if the application allows the ability to view XML messages, or with a protocol analyzer such as Wireshark. When the SessionIndex is tied to privacy data and the message is not encrypted, there is the possibility of compromise of privacy data. Verify the information which is tied to the SessionIndex.

If the SessionIndex is tied to privacy information, and it is not encrypted, this is a finding. Enterprise environments make application account management challenging and complex. A manual process for account management functions adds the risk of a potential oversight or other error. Manual examples include but are not limited to admin staff logging into the system or systems and manually performing step-by-step actions affecting user accounts that could otherwise be automated.

This does not include any manual steps taken to initiate automated processes or the use of automated systems. A comprehensive application account management process that includes automation helps to ensure accounts designated as requiring attention are consistently and promptly addressed.

Examples include, but are not limited to, using automation to take action on multiple accounts designated as inactive, suspended or terminated or by disabling accounts located in non-centralized account stores such as multiple servers. The application must be configured to automatically provide account management functions and these functions must immediately enforce the organization's current account policy. The automated mechanisms may reside within the application itself or may be offered by the operating system or other infrastructure providing automated account management capabilities.

Automated mechanisms may be comprised of differing technologies that when placed together contain an overall automated mechanism supporting an organization's automated account management requirements. Account management functions include: The use of automated mechanisms can include, for example: Identify the account management methods, processes and procedures that are used. If the application is utilizing a centralized authentication mechanism such as Active Directory or LDAP, verify all user account activity is conducted via that solution and no local user accounts that circumvent the automated solution are used.

Determine if automated mechanisms are used when managing application user accounts and taking management action on application user accounts. Automated methods include but are not limited to: Taking action on accounts that have been determined to be inactive, suspended, terminated, or disabled. Automated action examples include: Verify the action that is taken is automated and repeatable.

If the account management process is manual in nature, this is a finding. There may also be instances when specific user actions need to be performed on the information system without unique user identification or authentication. Examples of credentials include passwords and group membership certificates. Create a procedure for deleting either member accounts or the entire group account when members leave the group. Review the application documentation and determine if there is a requirement for shared or group accounts.

If there is no official requirement for shared or group application accounts, this requirement is not applicable. Have the application representative provide their procedures for account management as it pertains to group users. Validate there is a procedure for deleting either member accounts or the entire group account when members leave the group. If there is no process for handling group account credentials, this is a finding. If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access.

To mitigate this risk, automated termination of all temporary accounts must be set upon account creation. Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. If temporary accounts are used, the application must be configured to automatically terminate these types of accounts after a DoD-defined time period of 72 hours starting from the point of account creation.

Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality. Configure temporary accounts to be automatically removed or disabled 72 hours after account creation. If official documentation exists that disallows the use of temporary user accounts within the application, this requirement is not applicable. Examine the application documentation or interview the application representative to identify how the application users are managed.

Navigate to the screen where user accounts are configured. Create a test account and determine if there is a setting to specify the user account as being temporary in nature. Determine if there is an available setting to expire the account after a period of time. If the application has no ability to specify a user account as being temporary in nature, or if the application has no ability to automatically disable or remove the account 72 hours after account creation, this is a finding.

Attackers that are able to exploit an inactive account can potentially obtain and maintain undetected access to an application. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. Applications need to track periods of user inactivity and disable accounts after 35 days of inactivity. Such a process greatly reduces the risk that accounts will be hijacked, leading to a data compromise.

This policy does not apply to either emergency accounts or infrequently used accounts. Emergency accounts are administrator accounts created in response to crisis situations. Interview the application administrator and determine if the application is configured to utilize a centralized user management system like Active Directory (AD) for user management or if the application manages user accounts within the application. If the application is configured to use an enterprise-based application user management capability that is STIG compliant, the requirement is not applicable.

If the application handles the management tasks for user accounts, access the application's user management utility. Navigate to the screen where user accounts are configured to be disabled after 35 days of inactivity. Confirm this setting is active. If the application is not set to expire inactive accounts after 35 days, or if the application has no ability to expire accounts after 35 days of inactivity, this is a finding. Test or demonstration accounts are sometimes created during the application installation process. This creates a security risk as these accounts often remain after the initial installation process and can be used to gain unauthorized access to the application.

Applications must be designed and configured to disable or delete any unnecessary accounts that may be created. Care must be taken to ensure valid accounts used for valid application operations are not disabled or deleted when this requirement is applied. Design the application so unessential user accounts are not created during installation. Disable or delete all unnecessary application user accounts.

Review the system documentation and identify any valid application accounts that are required in order for the application to operate. Accounts the application itself uses in order to function are not in scope for this requirement. Have the application administrator generate a list of all application users. This should include relevant user metadata such as phone numbers or department identifiers. Have the application administrator identify and validate all user accounts.

If any accounts cannot be validated and are deemed to be unnecessary, this is a finding. Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation is one method for mitigating this risk. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. Configure the application to write a log entry when a new user account is created.

At a minimum, ensure account name, date and time of the event are recorded. Examine the application documentation to identify how the application users are managed. Interview the application administrator and determine if the application is configured to utilize a centralized user management system like Active Directory for user management or if the application manages user accounts within the application.

Identify the location of the audit logs and review the end of the logs. Access the user account management functionality and create a new user account. Examine the log file again and determine if the account creation event was logged. The information logged should, at a minimum, include enough detail to determine which account was created and when. If the account creation event was not logged, this is a finding.

One way for an attacker to establish persistent access is for the attacker to modify or copy an existing account. Auditing of account modification is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail documents the modification of application user accounts.

Such a process greatly reduces the risk that accounts will be surreptitiously modified and provides logging that can be used for forensic purposes. Configure the application to write a log entry when a user account is modified. Access the user account management functionality and modify a test user account. Examine the log file again and determine if the account event was logged. The information logged should, at a minimum, include enough detail to determine which account was modified and when. If the account modification event information was not logged, this is a finding.

When application accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual application users or for identifying the application processes themselves. In order to detect and respond to events affecting user accessibility and application processing, applications must audit account disabling actions and, as required, notify the appropriate individuals, so they can investigate the event. Such a capability greatly reduces the risk that application accessibility will be negatively affected for extended periods of time and provides logging that can be used for forensic purposes.

Configure the application to write a log entry when a user account is disabled. Access the user account management functionality and disable a test user account. Examine the log file again and determine if the account disable event was logged. The information logged should, at a minimum, include enough detail to determine which account was disabled and when.

If the account disabling event information was not logged, this is a finding. When application accounts are removed, user accessibility is affected. In order to detect and respond to events affecting user accessibility and application processing, applications must audit account removal actions and, as required, notify the appropriate individuals, so they can investigate the event.

Configure the application to write a log entry when a user account is removed. Access the user account management functionality and remove a test user account. Examine the log file again and determine if the account removal event was logged. If the account removal event information was not logged, this is a finding.

Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of re-establishing access. Notification of account creation is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail which documents the creation of application user accounts and notifies administrators and Information System Security Officers (ISSOs) exists.

Configure the application to notify the system administrator and the ISSO when application accounts are created. Review the application and system documentation. Ensure the application is configured to notify system administrators when new accounts are created by identifying the system administrators who will be notified when new accounts are created, creating a test account and checking with the system administrator to verify notification was received.

If system administrators and ISSOs are not notified when accounts are created, this is a finding.

Configure the application to notify the system administrator and the ISSO when application accounts are modified. Ensure the application is configured to notify system administrators when accounts are modified by identifying the system administrators who will be notified when accounts are modified. Modify a test account and check with a system administrator to verify notification was received. If system administrators and ISSOs are not notified when accounts are modified, this is a finding.

Configure the application to notify the system administrator and the ISSO when application accounts are disabled. Ensure the application is configured to notify system administrators when accounts are disabled by identifying the system administrators who will be notified when accounts are disabled. Disable a test account and check with a system administrator to verify notification was received.

If system administrators and ISSOs are not notified when accounts are disabled, this is a finding.

Configure the application to notify the system administrator and the ISSO when application accounts are removed. Ensure the application is configured to notify system administrators when accounts are removed by identifying the system administrators who will be notified when accounts are removed. Remove a test account and check with a system administrator to verify notification was received. If system administrators and ISSOs are not notified when accounts are removed, this is a finding.

When application accounts are enabled, user accessibility is affected. Configure the application to write a log entry when a user account is enabled. Access the user account management functionality and enable a test user account. Examine the log file again and determine if the account enable event was logged. The information logged should, at a minimum, include enough detail to determine which account was enabled and when. If the account enabling event information was not logged, this is a finding.

One way to accomplish this is for the attacker to simply enable an existing account that has been previously disabled. Notification when account enabling actions occur is one method for mitigating this risk. A comprehensive account management process will ensure that an audit trail exists which documents the enabling of application user accounts and notifies administrators and Information System Security Officers (ISSO).

Configure the application to notify the system administrator and the ISSO when application accounts are enabled. Interview the application administrator and determine if the application is configured to utilize a centralized user management system like Active Directory for user management or if the application manages user accounts within the application. Ensure the application is configured to notify system administrators when accounts are enabled by identifying the system administrators who will be notified when accounts are enabled.

Disable and then enable a test account and check with the system administrator to verify notification was received indicating the account was enabled. If system administrators and ISSOs are not notified when accounts are enabled, this is a finding.

Failure to protect organizational information from data mining may result in a compromise of information.

In order to assign the appropriate data protections, application data must be identified and then protection requirements assigned. Access to sensitive data and sensitive data objects should be restricted to those authorized to access the data. Examples of sensitive data include, but are not limited to, Social Security Numbers, Personally Identifiable Information, or any other data that has been identified as sensitive in nature by the data owner. Data storage objects include, for example, databases, database records, and database fields. Data mining prevention and detection techniques include, for example: Protection methods include, but are not limited to, data encryption, Role-Based Access Controls and access authentication.

Ask the application representative for the documentation that identifies the application data elements, the protection requirements, and any associated steps that are being taken to protect the data. If the application data protection requirements are not documented, this is a finding.

Data mining occurs when the application is programmatically probed and data is automatically extracted. While there are valid uses for data mining within data sets, the organization should be mindful that adversaries may attempt to use data mining capabilities built into the application in order to completely extract application data so it can be evaluated using methods that are not natively offered by the application.

This can provide the adversary with an opportunity to utilize inference attacks or obtain additional insights that might not have been intended when the application was designed. Methods of extraction include database queries or screen scrapes using the application itself. The entity performing the data mining must have access to the application in order to extract the data.

Data mining attacks will usually occur with publicly releasable data access but can also occur when access is limited to authorized or authenticated inside users. Review the security plan, application and system documentation and interview the application administrator to identify data mining protections that are required of the application.

If there are no data mining protections required, this requirement is not applicable. Review the application authentication requirements and permissions. Review the documented protections that have been established to protect from data mining. These can include limiting the number of queries allowed, automated alarming on atypical query events, limiting the number of records allowed to be returned in a query, and not allowing data dumps. If the application requirements specify protections for data mining and the application administrator is unable to identify or demonstrate that the protections are in place, this is a finding.
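An added example (not code from the STIG or any product) of the query-side protections listed above: a per-user query cap inside a sliding time window, a cap on records returned per query, refusal of unbounded dumps, and an alarm raised when one user's query volume becomes atypical. The thresholds, user names and the injectable clock are constructed for illustration.

```python
import time
from collections import deque


class QueryGuard:
    """Enforces the data mining protections named in the STIG check:
    a per-user query limit per window, a record cap per query, no data
    dumps, and an alarm when a user's query rate looks atypical."""

    def __init__(self, max_queries=100, window_seconds=3600, max_records=500,
                 alarm_at=50, clock=time.time):
        self.max_queries = max_queries   # queries allowed per user per window
        self.window = window_seconds
        self.max_records = max_records   # hard cap on rows released per query
        self.alarm_at = alarm_at         # query count in the window that raises an alarm
        self.clock = clock               # injectable so tests need not wait
        self.history = {}                # user -> deque of query timestamps
        self.alarms = []                 # (user, count) alarms, e.g. to forward to a SIEM

    def _recent(self, user, now):
        # Drop timestamps that fell outside the sliding window.
        q = self.history.setdefault(user, deque())
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def check(self, user, requested_limit):
        """Return (allowed, effective_limit, reason) for one query.

        requested_limit is the row limit the caller asked for; None means
        "all rows", which is treated as a data dump and refused outright."""
        if requested_limit is None:
            return False, 0, "unbounded queries (data dumps) are not allowed"
        now = self.clock()
        q = self._recent(user, now)
        if len(q) >= self.max_queries:
            return False, 0, "query limit exceeded for this window"
        q.append(now)
        if len(q) == self.alarm_at:
            # Atypical query volume for a single user: raise an alarm when
            # the count reaches the threshold.
            self.alarms.append((user, len(q)))
        return True, min(requested_limit, self.max_records), "ok"


def run_query(guard, user, rows, requested_limit=None):
    """Apply the guard to a (constructed) result set and return the rows released."""
    allowed, limit, reason = guard.check(user, requested_limit)
    if not allowed:
        raise PermissionError(reason)
    return rows[:limit]
```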

To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems e. Successful authentication must not automatically give an entity access to a restricted asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.

Access control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users or processes acting on behalf of users and objects e. This requirement is applicable to access control enforcement applications e. Review application data protection requirements. Identify application resources that require protection and authentication over and above the authentication required to access the application itself.

This can be access to a URL, a folder, a file, a process or a database record that should only be available to certain individuals. Identify the access control methods utilized by the application in order to control access to the resource. Using RBAC as an example, utilize a test account placed into a test role. Set a protection control on a resource and explicitly deny access to the role assigned to the test user account. Try to access an application resource that is not configured to allow access. Access should be denied. If the enforcement of configured access restrictions is not performed, this is a finding.

Discretionary Access Control allows users to determine who is allowed to access their data. Successful authentication must not automatically give an entity access to an asset or security boundary. Review application data protection requirements and application integrated access control methods. Identify if the application implements discretionary access control to application resources. Discretionary Access Controls (DAC) allow application users to determine and set permissions on application data and application objects. The result is that the user is given the ability to control who has access to the data they control.

If the application does not implement discretionary access controls, this requirement is not applicable. Resources can be a URL, a folder, a file, a process, a database record, or any other application asset that warrants sharing or authorization permission reassignment. Create 3 test accounts. Using test account 1, set a protection control on a resource controlled by test user 1. Grant access to test user 2 and only test user 2. Authenticate as test user 3 and attempt to access the application resource to which test user 1 and test user 2 are granted access.
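The RBAC deny test and the three-account DAC test described above, as an added example (not code from the STIG or any product): resource owners grant access to named users, an administrator can deny a whole role, and an explicit role deny wins over any grant. All account, role and resource names are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Resource:
    name: str
    owner: str
    allowed_users: set = field(default_factory=set)   # DAC: grants set by the owner
    denied_roles: set = field(default_factory=set)    # RBAC: explicit denies set by an administrator


class AccessControl:
    """Enforcement point combining owner-managed grants (DAC) with role denies (RBAC)."""

    def __init__(self):
        self.resources = {}   # name -> Resource
        self.roles = {}       # user -> set of role names

    def add_resource(self, name, owner):
        self.resources[name] = Resource(name, owner)

    def assign_role(self, user, role):
        self.roles.setdefault(user, set()).add(role)

    def deny_role(self, resource, role):
        """Administrator sets a protection control that denies an entire role."""
        self.resources[resource].denied_roles.add(role)

    def grant(self, actor, resource, grantee):
        """DAC: only the resource owner may change who can access it."""
        res = self.resources[resource]
        if actor != res.owner:
            raise PermissionError(f"{actor} does not own {resource}")
        res.allowed_users.add(grantee)

    def can_access(self, user, resource):
        res = self.resources.get(resource)
        if res is None:
            return False                      # unknown resource: deny by default
        if self.roles.get(user, set()) & res.denied_roles:
            return False                      # an explicit role deny overrides any grant
        return user == res.owner or user in res.allowed_users


def dac_three_account_check():
    """Constructed run of the three-account check: user1 owns a resource and
    grants only user2; returns which of the three test users can reach it."""
    ac = AccessControl()
    ac.add_resource("user1_report", owner="user1")
    ac.grant("user1", "user1_report", "user2")
    return {u: ac.can_access(u, "user1_report") for u in ("user1", "user2", "user3")}


def rbac_deny_check():
    """Constructed run of the RBAC check: the test role is explicitly denied,
    so the test user is refused even though the owner granted access."""
    ac = AccessControl()
    ac.add_resource("admin_panel", owner="admin")
    ac.assign_role("tester", "test_role")
    ac.grant("admin", "admin_panel", "tester")
    ac.deny_role("admin_panel", "test_role")
    return ac.can_access("tester", "admin_panel")
```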

A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If information flow is not enforced based on approved authorizations, the system may become compromised. Information flow control regulates where information is allowed to travel within a system and between interconnected systems. The flow of all system information must be monitored and controlled so it does not introduce any unacceptable risk to the systems or data. Application-specific examples of enforcement occur in systems that employ rule sets or establish configuration settings that restrict information system services, or message-filtering capability based on message content e.

This is usually established by identifying if there are rulesets, policies or other configuration settings provided by the application which serve to control the flow of information within the system. Control of data flow is established by using labels on data and data subsets, evaluating the destination of the data (within or outside the system or a similar security domain) and referencing a corresponding policy that is used to control the flow of data.

Applications providing information flow control must be able to enforce approved authorizations for controlling the flow of information within the system in accordance with applicable policy. Configure the application to enforce data flow control in accordance with data flow control policies. Review the application documentation and interview the application and system administrators.

Review application features and functions to determine if the application is designed to control the flow of information within the system. If the application does not provide data flow control capabilities, the requirement is not applicable. Access the system as a user with access rights that allow the creation of test data or use of existing test data. Create a test data set and label the data with a data label provided with or by the application, e.

Review the policy to determine where in the system the PII labeled data is allowed and is not allowed to go. Using application features and functions, attempt to transmit the labeled data to an area that is prohibited by policy. Verify the flow control policy was enforced and the data was not transmitted. If the application does not enforce the approved authorizations for controlling data flow, this is a finding.
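The label-based enforcement described above, for both the within-system check and the interconnected-system check that follows, as an added example (not code from the STIG or any product): a deny-by-default policy mapping each data label to the destinations it may flow to, with every decision recorded for review. The labels, destinations and transport callback are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Destination:
    system: str   # "local" for this system, otherwise the interconnected system's name
    name: str     # component, share, queue, etc. inside that system


class FlowControlPolicy:
    """Label-based flow control: each data label maps to the destinations,
    inside the system and on interconnected systems, that may receive it.
    Anything not listed is denied (deny by default)."""

    def __init__(self, allowed):
        self.allowed = {label: set(dests) for label, dests in allowed.items()}
        self.audit = []   # (label, destination, decision) for every attempt

    def permits(self, label, dest):
        decision = dest in self.allowed.get(label, set())
        self.audit.append((label, dest, "allowed" if decision else "denied"))
        return decision

    def transmit(self, label, payload, dest, send):
        """Enforcement point: the transport is only invoked when the policy permits."""
        if not self.permits(label, dest):
            raise PermissionError(f"{label} data may not flow to {dest.system}:{dest.name}")
        send(dest, payload)
        return True


def example_policy():
    # Constructed policy: PII may reach the local HR database only;
    # PUBLIC data may reach the listed local and partner destinations.
    return FlowControlPolicy({
        "PII": {Destination("local", "hr_db")},
        "PUBLIC": {Destination("local", "hr_db"), Destination("local", "web_share"),
                   Destination("partner-system", "inbox")},
    })
```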

Identify application features and functions to determine if the application is designed to control the flow of information between interconnected systems. Access the system as a user with access rights allowing the creation of test data or use of existing test data. Create a test data set and label the data with a data label provided with or by the application, for example, a Personally Identifiable Information (PII) data label. Review the policy settings to determine where the PII labeled data is allowed and is not allowed.

Using application features and functions, attempt to transmit the labeled data to an interconnected system that is prohibited by policy.

Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals that do not possess appropriate authorizations.

Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users. Modify the application to limit access and prevent the disabling or circumvention of security safeguards. Identify the application user account(s) that the application uses to run.

These accounts include the application processes defined by Control Panel > Services (Windows) or ps -ef (UNIX) or, for an n-tier application, the account that connects from one service (such as a web server) to another (such as a database server). Determine the OS user groups in which each account is a member. List the user rights assigned to these users and groups and evaluate whether any of them are unnecessary. If the OS rights exceed application operational requirements, this is a finding. Search the file system to determine if the application user or groups have ownership or permissions to any files or directories.

Review the list of files and identify any that are outside the scope of the application. If there are such files outside the scope of the application, this is a finding. Check ownership and permissions; identify permissions beyond the minimum necessary to support the application. If there are instances of unnecessary ownership or permissions, this is a finding.
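An added example (not code from the STIG) of the file system part of this check: walk a tree, keep entries owned by the application account, and report any that sit outside the application's approved directories or carry permission bits beyond an allowed maximum. The account uid, approved directories and mode limit are parameters supplied by the reviewer; 0o750 as the default ceiling is an assumption.

```python
import os
import stat


def scan_app_owned_files(scan_root, app_uid, approved_dirs, max_mode=0o750):
    """Return (out_of_scope, too_permissive).

    out_of_scope:   paths owned by app_uid that are not under an approved directory
    too_permissive: (path, mode) pairs under an approved directory whose permission
                    bits exceed max_mode (e.g. group-write or any world access)
    Symlinks are not followed; the link entry itself is examined."""
    approved = [os.path.abspath(d) for d in approved_dirs]
    out_of_scope, too_permissive = [], []
    for dirpath, dirnames, filenames in os.walk(scan_root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue                      # vanished or unreadable; skip it
            if st.st_uid != app_uid:
                continue                      # not owned by the application account
            full = os.path.abspath(path)
            in_scope = any(full == a or full.startswith(a + os.sep) for a in approved)
            mode = stat.S_IMODE(st.st_mode)
            if not in_scope:
                out_of_scope.append(path)
            elif mode & ~max_mode:
                too_permissive.append((path, oct(mode)))
    return out_of_scope, too_permissive


def finding_details(out_of_scope, too_permissive):
    """Lines for the finding details: the full path plus the associated issue."""
    lines = [f"{p}: owned by the application account but outside the application scope"
             for p in out_of_scope]
    lines += [f"{p}: permissions {m} exceed the minimum necessary"
              for p, m in too_permissive]
    return lines
```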

The finding details should note the full path of the file(s) and the associated issue i.

Applications are often designed to utilize a user account. The account represents a means to control application permissions and access to OS resources, application resources or both. When the application is designed and installed, care must be taken not to assign excessive permissions to the user account that is used by the application. Applications must be designed and configured to operate with only those permissions that are required for proper operation.

Configure the application accounts with minimal privileges. Do not allow the application to operate with admin credentials. Review the system documentation or interview the application representative and identify if the application utilizes an account in order to operate. Determine the OS user groups in which each application account is a member. List the user rights assigned to these users and groups using the relevant OS commands and evaluate whether any of them provide admin rights or are unnecessary or excessive.

If the application connects to a database, open an admin console to the database and view the database users, their roles and group rights. Locate the application user account used to access the database and examine the account's privileges. This includes group privileges. If the application user account has excessive OS privileges such as being in the admin group, database privileges such as being in the DBA role, has the ability to create, drop, or alter the database (not application database tables), or if the application user account has other excessive or undefined system privileges, this is a finding.

Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse, and identify the risk from insider threats and the advanced persistent threat.

Configure the application to write log entries when privileged functions are executed. At a minimum, ensure the specific action taken, date and time of event are recorded. Log on to the application as an administrative user. Identify functionality within the application that requires utilizing the admin role. Monitor application logs while performing privileged functions within the application. Perform administrative types of tasks such as adding or modifying user accounts, modifying application configuration, or managing encryption keys.
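An added example (not code from the STIG or any product) covering the account-management audit and notification requirements earlier on this page as well as the privileged-function audit in this check: every account action and privileged function writes a structured entry with actor, action, target, outcome and UTC timestamp, and account actions also call the configured notifiers (for the system administrator and ISSO). Account names and the in-memory copy of the log are constructed; a deployment would route the logger to its central log repository.

```python
import json
import logging
from datetime import datetime, timezone

audit_log = logging.getLogger("app.audit")   # attach a handler that ships to the log repository

# Privileged functions named in the STIG: account management, configuration, key management.
PRIVILEGED_ACTIONS = {"account.create", "account.modify", "account.enable",
                      "account.disable", "account.remove", "config.change", "key.rotate"}


class AuditTrail:
    def __init__(self, notify=None):
        self.entries = []            # in-memory copy of what was written to audit_log
        self.notify = notify or []   # callables, e.g. mail to the ISSO and system administrator

    def record(self, actor, action, target, outcome, detail=""):
        entry = {
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "actor": actor,           # identity of who performed the action
            "action": action,         # the specific action taken
            "target": target,         # which account or object was affected
            "outcome": outcome,       # "success" or "failure"
            "privileged": action in PRIVILEGED_ACTIONS,
            "detail": detail,
        }
        self.entries.append(entry)
        audit_log.info(json.dumps(entry))
        if action.startswith("account."):
            for fn in self.notify:
                fn(entry)             # notification to administrators and the ISSO
        return entry

    def events(self, action, target):
        """Used by the check: was the event logged, and with which details?"""
        return [e for e in self.entries if e["action"] == action and e["target"] == target]


class AccountManager:
    """Account management functions that cannot run without leaving an audit entry."""

    def __init__(self, audit):
        self.audit = audit
        self.accounts = {}   # name -> {"enabled": bool, "roles": set}

    def _change(self, actor, action, name, apply):
        try:
            apply()
            return self.audit.record(actor, action, name, "success")
        except KeyError as err:
            # Failed attempts are logged too, so probing for account names is visible.
            return self.audit.record(actor, action, name, "failure", detail=str(err))

    def create(self, actor, name):
        def apply():
            if name in self.accounts:
                raise KeyError(f"{name} already exists")
            self.accounts[name] = {"enabled": True, "roles": set()}
        return self._change(actor, "account.create", name, apply)

    def set_enabled(self, actor, name, enabled):
        action = "account.enable" if enabled else "account.disable"
        def apply():
            self.accounts[name]["enabled"] = enabled   # KeyError if the account is unknown
        return self._change(actor, action, name, apply)

    def modify(self, actor, name, role):
        def apply():
            self.accounts[name]["roles"].add(role)
        return self._change(actor, "account.modify", name, apply)

    def remove(self, actor, name):
        def apply():
            del self.accounts[name]
        return self._change(actor, "account.remove", name, apply)
```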

Review logs for entries that indicate the administrative actions performed were logged. Ensure the specific action taken, date and time of event are recorded. If the execution of privileged functionality is not logged, this is a finding.

By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced.

Limits are imposed by locking the account. User notification when three failed logon attempts are exceeded is an operational consideration determined by the application owner. In some instances the operational situation may dictate that no notice is to be provided to the user when their account is locked. In other situations, the user may be notified their account is now locked. This decision is left to the application owner based upon their operational scenarios. Configure the application to enforce an account lock after 3 failed logon attempts occurring within a minute window.
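An added example (not code from the STIG or any product) of the lockout rule stated above: three failed logon attempts inside a sliding window lock the account, and a locked account is refused even with the correct password until an administrator unlocks it. The page does not state the window length, so it is a parameter here; the 15-minute default and the injectable clock are assumptions.

```python
import time
from collections import deque


class LockoutPolicy:
    """Locks an account after max_failures failed attempts within window_seconds."""

    def __init__(self, max_failures=3, window_seconds=15 * 60, clock=time.time):
        self.max_failures = max_failures
        self.window = window_seconds     # assumed default; the STIG text above does not give it
        self.clock = clock               # injectable for testing
        self.failures = {}               # user -> deque of failure timestamps
        self.locked = {}                 # user -> time the lock was applied

    def _prune(self, user, now):
        # Keep only failures that are still inside the sliding window.
        q = self.failures.setdefault(user, deque())
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def is_locked(self, user):
        return user in self.locked

    def record_failure(self, user):
        now = self.clock()
        q = self._prune(user, now)
        q.append(now)
        if len(q) >= self.max_failures:
            self.locked[user] = now
            q.clear()
        return self.is_locked(user)

    def record_success(self, user):
        # A successful logon before the limit is reached resets the counter.
        self.failures.pop(user, None)

    def unlock(self, user):
        """Administrator action; whether the user is told of the lock is an owner decision."""
        self.locked.pop(user, None)


def attempt_login(policy, user, password, verify):
    """Return 'locked', 'ok' or 'failed'. A locked account is rejected even
    when the supplied password is correct."""
    if policy.is_locked(user):
        return "locked"
    if verify(user, password):
        policy.record_success(user)
        return "ok"
    policy.record_failure(user)
    return "locked" if policy.is_locked(user) else "failed"
```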

All testing must be performed within a minute window. Log on to the application with a test user account. In the case of centralized logging, or other instances

(Medium) Applications used for non-local maintenance sessions must implement cryptographic mechanisms to protect the confidentiality of non-local maintenance and diagnostic communications.

(Medium) The application must produce audit records containing enough information to establish which component, feature or function of the application triggered the audit event. It is impossible to establish, correlate, and investigate the events relating to an incident if the details regarding the source of the event are not available. In order to compile an accurate

(Medium) Applications used for non-local maintenance sessions must audit non-local maintenance and diagnostic sessions for organization-defined auditable events. Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network e.

(Medium) The application must generate audit records containing information that establishes the identity of any individual or process associated with the event. Without information that establishes the identity of the subjects i.

(Medium) The application must produce audit records that contain information to establish the outcome of the events. Without information about the outcome of events, security personnel cannot make an accurate assessment as to whether an attack was successful or if changes were made to the security state of the

(Medium) The application must automatically audit account disabling actions. When application accounts are disabled, user accessibility is affected.

(Medium) The application must maintain the confidentiality and integrity of information during preparation for transmission. Data is subject to manipulation and other integrity related attacks whenever that data is transferred across a network. To protect data integrity during transmission, the application must

(Medium) The application must generate audit records containing the full-text recording of privileged commands or the individual identities of group account users. Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. Organizations consider limiting the additional audit information to only

(Medium) Applications used for non-local maintenance sessions must verify remote disconnection at the termination of non-local maintenance and diagnostic sessions.

(Medium) The application must enforce approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies. A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If information flow is not enforced based on approved authorizations,

(Medium) The application must enforce organization-defined discretionary access control policies over defined subjects and objects. Discretionary Access Control allows users to determine who is allowed to access their data.

To mitigate the risk of unauthorized access to sensitive information by entities that have been issued

(Medium) The application must use multifactor e. Token authentication for local access to non-privileged accounts. To assure accountability, prevent unauthenticated access, and prevent misuse of the system, privileged users must utilize multifactor authentication for local access. Multifactor authentication

(Medium) The application must enforce approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies.

(Medium) The application must enforce password complexity by requiring that at least one upper-case character be used.

Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or

(Medium) The application must maintain the confidentiality and integrity of information during reception.

(Medium) The application must use multifactor Alt. Token authentication for local access to privileged accounts. Multifactor authentication requires using two or more factors to achieve authentication and access. Factors include:

Token authentication for network access to non-privileged accounts. To assure accountability and prevent unauthenticated access, non-privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system.

(Medium) The application must utilize FIPS-validated cryptographic modules when protecting unclassified information that requires cryptographic protection. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The application must implement cryptographic modules adhering to the higher standards

(Medium) The application must enforce password complexity by requiring that at least one lower-case character be used.

(Medium) The application must not disclose unnecessary information to users. Applications should not disclose information not required for the transaction.

(Medium) Application data protection requirements must be identified and documented. Failure to protect organizational information from data mining may result in a compromise of information. In order to assign the appropriate data protections, application data must be identified

(Medium) In the event of a system failure, applications must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes. Failure to a known secure state helps prevent a loss of confidentiality,

(Medium) The application, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network. A local cache of revocation data is also known as a CRL list. This list contains a list of revoked certificates and can be periodically downloaded to ensure certificates can still be checked for

(Medium) The application must protect the confidentiality and integrity of stored information when required by DoD policy or the information owner. Information at rest refers to the state of information when it is located on a secondary storage device e.

Inappropriate access may be granted to unauthorized users if federal agency PIV credentials are not electronically verified.

(Medium) Production database exports must have database administration credentials and sensitive data removed before releasing the export. Production database exports are often used to populate development databases. Test and development environments do not typically have the same rigid security protections that production

(Medium) The application must provide the capability to filter audit records for events of interest based upon organization-defined criteria. The ability to specify the event criteria that are of interest provides the persons reviewing the logs with the ability to quickly isolate and identify these events without having to review

(Medium) Data backup must be performed at required intervals in accordance with DoD policy. Without proper backups, the application is not protected from the loss of data or the operating environment in the event of hardware or software failure.

(Medium) The application must uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users. Lack of authentication and identification enables non-organizational users to gain access to the application or possibly other information systems and provides an opportunity for intruders to

(Medium) The application must validate all input. Checking the valid syntax and semantics of information system inputs e.

(Medium) The application must implement approved cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest on organization-defined information system components.

(Medium) The application must allow the use of a temporary password for system logons with an immediate change to a permanent password.

Cross-Site Request Forgery (CSRF) is an attack where a website user is forced to execute an unwanted action on a website that he or she is currently authenticated to. An attacker, through social

(Medium) The application must implement cryptographic mechanisms to protect the integrity of remote access sessions. Without integrity protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session.

(Medium) The application must be configured to write application logs to a centralized log repository. Information stored in one location is vulnerable to accidental or incidental deletion or alteration. In addition, attackers often manipulate logs to hide or obfuscate their activity.

Token authentication for network access to privileged accounts.

(Medium) The application must off-load audit records onto a different system or media than the system being audited. The goal is

(Medium) The application must provide centralized management and configuration of the content to be captured in audit records generated by all application components. Without the ability to centrally manage the content captured in the audit records, identification, troubleshooting, and correlation of suspicious behavior would be difficult and could lead to a

(Medium) The application must implement transaction recovery logs when transaction based. Without required logging and access control, security issues related to data changes will not be identified. This could lead to security compromises such as data misuse, unauthorized changes, or

Those products not covered by a STIG should follow commercially accepted best practices, independent testing results and vendors' lock down guides and

(Medium) The application must require users to reauthenticate when organization-defined circumstances or situations require reauthentication. Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When applications provide the capability to change security roles or escalate the

(Medium) The application must utilize FIPS-validated cryptographic modules when generating cryptographic hashes.

(Medium) The application must require devices to reauthenticate when organization-defined circumstances or situations requiring reauthentication. Without reauthenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. In addition to the reauthentication requirements associated with

Failure to register the application's usage of ports, protocols, and services with the DoD PPS Database may result in a Denial of Service (DoS) because of enclave boundary protections at other end

(Medium) The system must alert an administrator when low resource conditions are encountered. In order to prevent DoS type attacks, applications should be monitored when resource conditions reach a predefined threshold. This could indicate the onset of a DoS attack or could be the

(Medium) The application development team must provide an application incident response plan. An application incident response process is managed by the development team and should include a method for individuals to submit potential security vulnerabilities to the development or

(Medium) If the application contains classified data, a Security Classification Guide must exist containing data elements and their classification. Without a classification guide the marking, storage, and output media of classified material can be inadvertently mixed with unclassified material, leading to its possible loss or compromise.

(Medium) Application files must be cryptographically hashed prior to deploying to DoD operational networks. When application code and binaries are transferred from one environment to another, there is the potential for malware to be introduced into either the application code or even the application

(Medium) The application must require the change of at least 8 of the total number of characters when passwords are changed.

(Medium) The application must disable device identifiers after 35 days of inactivity unless a cryptographic certificate is used for authentication. Device identifiers are used to identify hardware devices that interact with the application much like a user account is used to identify an application user. Examples of hardware devices include

(Medium) Threat models must be documented and reviewed for each application release and updated as required by design and functionality changes or when new threats are discovered. Threat modeling is an approach for analyzing the security of an application. It is a structured approach that enables you to identify, quantify, and address the security risks associated with an

(Medium) Applications must use system-generated session identifiers that protect against session fixation. Applications become

Control of application execution is a mechanism used to prevent execution of unauthorized applications in order to follow the rules of least privilege. Some applications may provide a capability

(Medium) Execution flow diagrams and design documents must be created to show how deadlock and recursion issues in web services are being mitigated. In order to understand data flows within web services, the process flow of data must be developed and documented. There are several different ways that web service deadlock occurs; many times it

(Medium) The application must employ a deny-all, permit-by-exception whitelist policy to allow the execution of authorized software programs. Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of

(Medium) The application user interface must be either physically or logically separated from data storage and management interfaces. Application management functionality includes functions necessary for administration and requires privileged user access. Allowing non-privileged users to access application management

Violations of IA policies must be reviewed and reported. If there are no policies regarding the reporting of IA violations, IA violations may not be tracked or addressed in a proper manner.

(Medium) Applications requiring user access authentication must provide a logoff capability for user initiated communication sessions. If a user cannot explicitly end an application session, the session may remain open and be exploited by an attacker. Applications providing user access must provide the ability for users to

(Medium) The application must protect from canonical representation vulnerabilities. Canonical representation vulnerabilities can occur when a data conversion process does not convert the data to its simplest form, resulting in the possible misrepresentation of the data.

(Medium) The application must shut down by default upon audit failure unless availability is an overriding concern. It is critical that when the application is at risk of failing to process audit logs as required, it take action to mitigate the failure. Audit processing failures include:

(Medium) For applications providing audit record aggregation, the application must compile audit records from organization-defined information system components into a system-wide audit trail that is time-correlated with an organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail.

Without the ability to collate records based on the time when the events occurred, the ability to perform forensic analysis and investigations across multiple components is significantly V Medium The application must provide the capability to centrally review and analyze audit records from multiple components within the system. Successful incident response and auditing relies on timely, accurate system information and analysis in order to allow the organization to identify and respond to potential incidents in a V Medium Applications categorized as having a moderate or high impact must provide an immediate real-time alert to the SA and ISSO at a minimum for all audit failure events.

Applications that are categorized as having a high or moderate impact on the organization must provide immediate alerts when encountering failures with the application audit system. It is It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required.

Without this notification, the security personnel may be unaware of an V Medium The application must enforce password complexity by requiring that at least one special character be used. V Medium The application must protect against an individual or process acting on behalf of an individual falsely denying having performed organization-defined actions to be covered by non-repudiation.

Without non-repudiation, it is impossible to positively attribute an action to an individual or process acting on behalf of an individual. Non-repudiation services can be used to determine if V Medium The web service design must include redundancy mechanisms when used with high-availability systems. In the case V Medium Security flaws must be fixed or addressed in the project plan. Application development efforts include the creation of a project plan to track and V Medium The application must authenticate all network connected endpoint devices before establishing any connection.

Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. For distributed architectures e. V Medium The designer must ensure the application does not store configuration and control files in the same directory as user data. Application configuration settings and user data are required to be stored in separate locations in order to prevent application users from possibly being able to access application configuration V Medium The application must use the Federal Information Processing Standard FIPS validated cryptographic modules and random number generator if the application implements encryption, key exchange, digital signature, and hash functionality.

Sequentially generated session IDs can be easily guessed by an attacker. Employing the concept of randomness in the generation of unique session identifiers helps to protect against brute-force V Medium The application must utilize organization-defined data mining detection techniques for organization-defined data storage objects to adequately detect data mining attempts.

Data mining occurs when the application is programmatically probed and data is V Medium An XML firewall function must be deployed to protect web services when exposed to untrusted networks. The risks increase when these applications are exposed to untrusted V Medium The changes to the application must be assessed for IA and accreditation impact prior to implementation.

When changes are made to an application, either in the code or in the configuration of underlying components such as the OS or the web or application server, there is the potential for security V Low The application must have a process, feature or function that prevents removal or disabling of emergency accounts. Emergency accounts are administrator accounts which are established in response to crisis situations where the need for rapid account activation is required.

Therefore, emergency account V Low Test procedures must be created and at least annually executed to ensure system initialization, shutdown, and aborts are configured to verify the system remains in a secure state. Secure state assurance cannot be accomplished without testing the system state at least annually to ensure the system remains in a secure state upon initialization, shutdown, and aborts.

V Low Code coverage statistics must be maintained for each release of the application. Code coverage statistics describes the overall functionality provided by the V Low The application must generate audit records when concurrent logons from different workstations occur. When an application provides users with the ability to concurrently logon, an event must be recorded that indicates the user has logged on from different workstations. It is important to ensure Display of the DoD-approved use notification before granting access to the application ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of re-establishing access.

One way to accomplish this is for the attacker to simply V Low The application must display an explicit logoff message to users indicating the reliable termination of authenticated communications sessions. If a user is not explicitly notified that their application session has been terminated, they cannot be certain that their session did not remain open.

Applications with a user access interface V Low Prior to each release of the application, updates to system, or applying patches; tests plans and procedures must be created and executed. Without test plans and procedures for application releases or updates, unexpected results may occur which could lead to a denial of service to the application or components.

This requirement is If personnel are not notified of failed security verification tests, they will not be able to take corrective action and the unsecure condition s will remain. Security function is defined as the V Low At least one application administrator must be registered to receive update notifications, or security alerts, when automated alerts are available. Administrators should register for updates to all COTS and custom-developed software, so when security flaws are identified, they can be tracked for testing and updates of the application can be V Low The application must provide notifications or alerts when product update and security related patches are available.

An application vulnerability management and update process must be in place to notify and provide users and administrators with a means of obtaining security patches and updates for the V Low The application must automatically disable accounts after a 35 day period of account inactivity. Attackers that are able to exploit an inactive account can potentially obtain and maintain undetected access to an application. Owners of inactive accounts will not notice if unauthorized access V Low Procedures must be in place to notify users when an application is decommissioned.

When maintenance no longer exists for an application, there are no individuals responsible for making security updates. The application support staff should maintain procedures for Display of a standardized and approved use notification before granting access to the publicly accessible application ensures privacy and security notification verbiage used is consistent with V Low The application must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.

The banner must be acknowledged by the user prior to allowing the user access to the application. This provides assurance that the user has seen the message and accepted the conditions for access. V Low The application must display the time and date of the users last successful logon. Providing a last successful logon date and time stamp notification to the user when they authenticate and access the application allows the user to determine if their application account has been V Low The designer must create and update the Design Document for each release of the application.

The application design document or configuration guide includes configuration V Low The application development team must follow a set of coding standards. Coding standards are guidelines established by the development team or individual developers that recommend programming style, practices and methods. The coding standards employed will vary based Comments or proposed revisions to this document should be sent via e-mail to the following address: I - Mission Critical Classified.

I - Mission Critical Public. I - Mission Critical Sensitive. II - Mission Support Classified. II - Mission Support Public. II - Mission Support Sensitive. III - Administrative Classified. III - Administrative Public. III - Administrative Sensitive. The application must transmit only cryptographically-protected passwords. The application must enforce the limit of three consecutive invalid logon attempts by a user during a 15 minute time period. The application must not contain embedded authentication data. The application must not expose session IDs.

The application must not be vulnerable to overflow attacks. Application web servers must be on a separate network segment from the application and database servers if it is a tiered application operating in the DoD DMZ. The application must not store sensitive information in hidden fields. The application must fail to a secure state if system initialization fails, shutdown fails, or aborts fail. The application, when using PKI-based authentication, must enforce authorized access to the corresponding private key. The application, when utilizing PKI-based authentication, must validate certificates by constructing a certification path which includes status information to an accepted trust anchor.

The application must protect the confidentiality and integrity of transmitted information. The application must enforce a minimum character password length. The application must execute without excessive account permissions. The application must not be subject to input handling vulnerabilities.

Default passwords must be changed. The application must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. The application must uniquely identify and authenticate organizational users or processes acting on behalf of organizational users. All products must be supported by the vendor or the development team. The application must be decommissioned when maintenance or support is no longer available. The application must only store cryptographic representations of passwords.

The application must not be vulnerable to XML-oriented attacks. The application must not be vulnerable to SQL Injection. The application must protect from command injection. The application must clear temporary storage and cookies when the session is terminated. The application must associate organization-defined types of security attributes having organization-defined security attribute values with information in storage. The application must prohibit user installation of software without explicit privileged status. At least one tester must be designated to test for security flaws in addition to functional testing.

The integrity of the audit tools must be validated by checking the files for changes in the cryptographic hash value. The application must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

An application code review must be performed on the application. The application must enforce access restrictions associated with changes to application configuration. The application must provide a capability to limit the number of logon sessions per user. Flaws found during a code review must be tracked in a defect tracking system.

The application must have the capability to prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization. The application must employ strong authenticators in the establishment of non-local maintenance and diagnostic sessions. Connections between the DoD enclave and the Internet or other public or commercial wide area networks must require a DMZ.

The application must terminate all sessions and network connections when non-local maintenance is completed. The application must provide an audit reduction capability that supports on-demand reporting requirements. The application must provide an audit reduction capability that supports on-demand audit review and analysis. The application must provide an audit reduction capability that supports after-the-fact investigations of security incidents.

The application must provide a report generation capability that supports on-demand audit review and analysis. The application must provide a report generation capability that supports on-demand reporting requirements. The application must audit the execution of privileged functions. The application administrator must follow an approved process to unlock locked user accounts. The application must prohibit password reuse for a minimum of five generations. The application must use encryption to implement key exchange and authenticate endpoints prior to establishing a communication channel for key exchange.

The application must provide audit record generation capability for connecting system IP addresses. The application must provide audit record generation capability for session timeouts. The application must record a time stamp indicating when the event occurred. The application must enforce a day maximum password lifetime restriction. The application must record the username or user ID of the user associated with the event.

The application must associate organization-defined types of security attributes having organization-defined security attribute values with information in transmission. The application must ensure encrypted assertions, or equivalent confidentiality protections are used when assertion data is passed through an intermediary, and confidentiality of the assertion data is required when passing through the intermediary.

The application must ensure each unique asserting party provides unique assertion ID references for each SAML assertion. The applications must use internal system clocks to generate time stamps for audit records. The application must provide a report generation capability that does not alter original content or time ordering of audit records. The application must set the secure flag on session cookies. The application must provide an audit reduction capability that does not alter original content or time ordering of audit records.

The application must provide a report generation capability that supports after-the-fact investigations of security incidents. The application must perform verification of the correct operation of security functions: The application must remove organization-defined software components after updated versions have been installed. The application performing organization-defined security functions must verify correct operation of security functions. The application must automatically audit account enabling actions.

Security-relevant software updates and patches must be kept up to date. The application must automatically terminate the admin user session and log off admin users after a 10 minute idle time period is exceeded. The application must automatically terminate the non-privileged user session and log off non-privileged users after a 15 minute idle time period has elapsed.

Unsigned Category 1A mobile code must not be used in the application in accordance with DoD policy. The application must audit who makes configuration changes to the application. The application must protect audit information from any type of unauthorized read access. The application must record time stamps for audit records that meet a granularity of one second for a minimum degree of precision. Applications with SOAP messages requiring integrity must include the following message elements: The application must protect audit information from unauthorized deletion.

The application must protect audit information from unauthorized modification. The application must protect audit tools from unauthorized modification. The application must protect audit tools from unauthorized access. The designer must ensure uncategorized or emerging mobile code is not used in applications. The application must provide audit record generation capability for the creation of session IDs.

The application must provide the capability for organization-identified individuals or roles to change the auditing to be performed on all application components, based on all selectable event criteria within organization-defined time thresholds. Procedures must be in place to assure the appropriate physical and technical protection of the backup and restoration of the application. The application must provide audit record generation capability for the renewal of session IDs.

The application must enforce password complexity by requiring that at least one numeric character be used. The application must provide audit record generation capability for the destruction of session IDs. Unnecessary built-in application accounts must be disabled. Back-up copies of the application software or source code must be stored in a fire-rated container or stored separately offsite. The application must not write sensitive data into the application logs.

An Application Configuration Guide must be created and included with the application. The Program Manager must verify all levels of program management, designers, developers, and testers receive annual security training pertaining to their job function. Recovery procedures and technical system features must exist so recovery is performed in a secure and verifiable manner.

The application must back up audit records at least every seven days onto a different system or system component than the system or component being audited. The application must ensure messages are encrypted when the SessionIndex is tied to privacy data. The application must generate audit records showing starting and ending time for user access to the system.

The application must ensure if a OneTimeUse element is used in an assertion, there is only one of the same used in the Conditions element portion of an assertion. The application must only allow the use of DoD-approved certificate authorities for verification of the establishment of protected sessions. The application must provide automated mechanisms for supporting account management functions. The application must not re-use or recycle session IDs. The application must automatically remove or disable temporary user accounts 72 hours after account creation. The application must generate audit records for privileged activities or other system-level access.

Applications must validate session identifiers. The ISSO must review audit trails periodically based on system documentation recommendations or immediately upon system security events. The ISSO must ensure an account management process is implemented, verifying only authorized users can gain access to the application, and individual accounts designated as inactive, suspended, or terminated are promptly removed. The application must protect audit tools from unauthorized deletion. Protections against DoS attacks must be implemented.

The application must use cryptographic mechanisms to protect the integrity of audit information. Application audit tools must be cryptographically hashed. The application must map the authenticated identity to the individual user or group account for PKI-based authentication. The application must not be hosted on a general purpose machine if the application is designated as critical or high availability by the ISSO.

The application must associate organization-defined types of security attributes having organization-defined security attribute values with information in process. A Software Configuration Management (SCM) plan describing the configuration control and change management process of application objects developed by the organization and the roles and responsibilities of the organization must be created and maintained. Access privileges to the Configuration Management (CM) repository must be reviewed every three months.

The application services and interfaces must be compatible with and ready for IPv6 networks. The application must use appropriate cryptography in order to protect stored DoD information when required by the information owner or DoD policy. The application must initiate session auditing upon startup. The application must use mechanisms meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.

The application must automatically audit account removal actions. The application must generate audit records for all direct access to the information system. The application must generate audit records for all account creations, modifications, disabling, and termination events. The application must not be subject to error handling vulnerabilities. The application must not be vulnerable to race conditions. The applications must limit privileges to change the software resident within software libraries.

An application vulnerability assessment must be conducted. The application must implement DoD-approved encryption to protect the confidentiality of remote access sessions. The application must implement replay-resistant authentication mechanisms for network access to privileged accounts. The application must log user actions involving access to data.

The application must log user actions involving changes to data. Applications must prevent unauthorized and unintended information transfer via shared system resources. The application must log application shutdown events. The application must maintain a separate execution domain for each executing process. The application must log destination IP addresses. The application must isolate security functions from non-security functions. The application must produce audit records containing information to establish when (date and time) the events occurred.

The application must restrict the ability to launch Denial of Service (DoS) attacks against itself or other information systems. The application must terminate all network connections associated with a communications session at the end of the session. The application must automatically audit account creation.

The application must automatically audit account modification. Unnecessary application accounts must be disabled, or deleted. The application must utilize mutual authentication when endpoint device non-repudiation protections are required by DoD policy or by the data owner. The application must implement replay-resistant authentication mechanisms for network access to non-privileged accounts. The application password must not be changeable by users other than the administrator or the user with which the password is associated.

The application must ensure users are authenticated with an individual authenticator prior to using a group authenticator. The application must terminate existing user sessions upon account deletion. The application must utilize FIPS-validated cryptographic modules when signing application components. The application must be configured to disable non-essential capabilities. The application must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.

Applications used for non-local maintenance sessions must implement cryptographic mechanisms to protect the integrity of non-local maintenance and diagnostic communications. When using centralized logging, the application must include a unique identifier in order to distinguish itself from other application logs. Applications used for non-local maintenance sessions must implement cryptographic mechanisms to protect the confidentiality of non-local maintenance and diagnostic communications. The application must produce audit records containing enough information to establish which component, feature or function of the application triggered the audit event.

Applications used for non-local maintenance sessions must audit non-local maintenance and diagnostic sessions for organization-defined auditable events. The application must generate audit records containing information that establishes the identity of any individual or process associated with the event. The application must produce audit records that contain information to establish the outcome of the events. The application must automatically audit account disabling actions. The application must maintain the confidentiality and integrity of information during preparation for transmission.

The application must generate audit records containing the full-text recording of privileged commands or the individual identities of group account users. Applications used for non-local maintenance sessions must verify remote disconnection at the termination of non-local maintenance and diagnostic sessions. The application must enforce approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies.

The application must enforce organization-defined discretionary access control policies over defined subjects and objects. The application must use multifactor e. The application must enforce approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies. The application must enforce password complexity by requiring that at least one upper-case character be used. The application must maintain the confidentiality and integrity of information during reception.

The application must use multifactor Alt. The application must utilize FIPS-validated cryptographic modules when protecting unclassified information that requires cryptographic protection. The application must enforce password complexity by requiring that at least one lower-case character be used.

The application must not disclose unnecessary information to users. Application data protection requirements must be identified and documented. In the event of a system failure, applications must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes. The application, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.

The application must protect the confidentiality and integrity of stored information when required by DoD policy or the information owner. The application must electronically verify Personal Identity Verification (PIV) credentials from other federal agencies. Production database exports must have database administration credentials and sensitive data removed before releasing the export. The application must provide the capability to filter audit records for events of interest based upon organization-defined criteria.

Data backup must be performed at required intervals in accordance with DoD policy. The application must uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users. The application must validate all input. The application must implement approved cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest on organization-defined information system components.

The application must allow the use of a temporary password for system logons with an immediate change to a permanent password. The application must implement cryptographic mechanisms to protect the integrity of remote access sessions. The application must be configured to write application logs to a centralized log repository.

The application must off-load audit records onto a different system or media than the system being audited. The application must provide centralized management and configuration of the content to be captured in audit records generated by all application components. The application must implement transaction recovery logs when transaction based. New IP addresses, data services, and associated ports used by the application must be submitted to the appropriate approving authority for the organization, which in turn will be submitted through the DoD Ports, Protocols, and Services Management (DoD PPSM).

The application must require users to reauthenticate when organization-defined circumstances or situations require reauthentication. The application must utilize FIPS-validated cryptographic modules when generating cryptographic hashes. The application must require devices to reauthenticate when organization-defined circumstances or situations requiring reauthentication. The system must alert an administrator when low resource conditions are encountered. The application development team must provide an application incident response plan. If the application contains classified data, a Security Classification Guide must exist containing data elements and their classification.

Application files must be cryptographically hashed prior to deploying to DoD operational networks. The application must require the change of at least 8 of the total number of characters when passwords are changed. The application must disable device identifiers after 35 days of inactivity unless a cryptographic certificate is used for authentication.

Threat models must be documented and reviewed for each application release and updated as required by design and functionality changes or when new threats are discovered. Applications must use system-generated session identifiers that protect against session fixation. Execution flow diagrams and design documents must be created to show how deadlock and recursion issues in web services are being mitigated. The application must employ a deny-all, permit-by-exception whitelist policy to allow the execution of authorized software programs.

The ISSO must ensure active vulnerability testing is performed. The application user interface must be either physically or logically separated from data storage and management interfaces.