
Application Security and Development Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • The application must use multifactor (e.g., CAC, Alt. Token) authentication for network access to non-privileged accounts.

    To assure accountability and prevent unauthenticated access, non-privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system. Multifactor auth...
    Rule Medium Severity
  • The application must use multifactor (Alt. Token) authentication for local access to privileged accounts.

    Multifactor authentication (MFA) requires using two or more factors to achieve authentication and access. Factors include: (i) something a user knows (e.g., password/PIN); (ii) something a user ha...
    Rule Medium Severity
  • The application must use multifactor (e.g., CAC, Alt. Token) authentication for local access to nonprivileged accounts.

    To assure accountability, prevent unauthenticated access, and prevent misuse of the system, privileged users must utilize multifactor authentication (MFA) for local access. MFA is defined as using...
    Rule Medium Severity
  • The application must ensure users are authenticated with an individual authenticator prior to using a group authenticator.

    To ensure individual accountability and prevent unauthorized access, application users must be individually identified and authenticated. Individual accountability mandates that each user is unique...
    Rule Medium Severity
  • The application must implement replay-resistant authentication mechanisms for network access to nonprivileged accounts.

    A replay attack is a man-in-the-middle style attack which allows an attacker to repeat or alter a valid data transmission that may enable unauthorized access to the application. Authentication sess...
    Rule Medium Severity
  • The application must utilize mutual authentication when endpoint device non-repudiation protections are required by DoD policy or by the data owner.

    Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. With one way SSL authentication which is the typical form of SSL authentica...
    Rule Medium Severity
  • Service-Oriented Applications handling non-releasable data must authenticate endpoint devices via mutual SSL/TLS.

    Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. One way SSL/TLS authentication is the typical form of authentication done ...
    Rule Medium Severity
  • The application must enforce password complexity by requiring that at least one uppercase character be used.

    Use of passwords for application authentication is intended only for limited situations and should not be used as a replacement for two-factor CAC-enabled authentication. Examples of situations wh...
    Rule Medium Severity
  • The application must enforce password complexity by requiring that at least one lowercase character be used.

    Use of passwords for application authentication is intended only for limited situations and should not be used as a replacement for two-factor CAC-enabled authentication. Examples of situations wh...
    Rule Medium Severity
  • The application must enforce password complexity by requiring that at least one numeric character be used.

    Use of passwords for application authentication is intended only for limited situations and should not be used as a replacement for two-factor CAC-enabled authentication. Examples of situations wh...
    Rule Medium Severity
  • The application must enforce password complexity by requiring that at least one special character be used.

    Use of passwords for application authentication is intended only for limited situations and should not be used as a replacement for two-factor CAC-enabled authentication. Examples of situations wh...
    Rule Medium Severity
  • The application must only store cryptographic representations of passwords.

    Use of passwords for application authentication is intended only for limited situations and should not be used as a replacement for two-factor CAC-enabled authentication. Examples of situations wh...
    Rule High Severity
  • The application must enforce 24 hours/1 day as the minimum password lifetime.

    Use of passwords for application authentication is intended only for limited situations and should not be used as a replacement for two-factor CAC-enabled authentication. Examples of situations wh...
    Rule Medium Severity
  • The application must enforce a 60-day maximum password lifetime restriction.

    Use of passwords for application authentication is intended only for limited situations and should not be used as a replacement for two-factor CAC-enabled authentication. Examples of situations wh...
    Rule Medium Severity
  • The application must prohibit password reuse for a minimum of five generations.

    Use of passwords for application authentication is intended only for limited situations and should not be used as a replacement for two-factor CAC-enabled authentication. Examples of situations wh...
    Rule Medium Severity
  • The application must allow the use of a temporary password for system logons with an immediate change to a permanent password.

    Use of passwords for application authentication is intended only for limited situations and should not be used as a replacement for two-factor CAC-enabled authentication. Examples of situations wh...
    Rule Medium Severity
  • The application password must not be changeable by users other than the administrator or the user with which the password is associated.

    If the application allows user A to change user B's password, user B can be locked out of the application, and user A is provided the ability to grant themselves access to the application as user ...
    Rule Medium Severity
  • The application, when utilizing PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.

    Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. A trust anchor is an authoritative entit...
    Rule High Severity
  • The application, when using PKI-based authentication, must enforce authorized access to the corresponding private key.

    If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure. The cornerstone of the PKI is the private key use...
    Rule High Severity
  • The application must map the authenticated identity to the individual user or group account for PKI-based authentication.

    Without mapping the certificate used to authenticate to a corresponding user account, the ability to determine the identity of the individual user or group will not be available for forensic analys...
    Rule Medium Severity
  • The application, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.

    A local cache of revocation data is also known as a CRL list. This list contains a list of revoked certificates and can be periodically downloaded to ensure certificates can still be checked for re...
    Rule Medium Severity
  • The application must not display passwords/PINs as clear text.

    To prevent the compromise of authentication information such as passwords during the authentication process, the feedback from the information system must not provide any information that would all...
    Rule High Severity
  • The application must use mechanisms meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.

    A cryptographic module is a hardware or software device or component that performs cryptographic operations securely within a physical or logical boundary, using a hardware, software or hybrid cryp...
    Rule High Severity
  • The application must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).

    Lack of authentication and identification enables non-organizational users to gain access to the application or possibly other information systems and provides an opportunity for intruders to compr...
    Rule Medium Severity
  • The application must accept Personal Identity Verification (PIV) credentials from other federal agencies.

    Access may be denied to authorized users if federal agency PIV credentials are not accepted. Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that ...
    Rule Medium Severity
  • The application must electronically verify Personal Identity Verification (PIV) credentials from other federal agencies.

    Inappropriate access may be granted to unauthorized users if federal agency PIV credentials are not electronically verified. Personal Identity Verification (PIV) credentials are those credentials ...
    Rule Medium Severity
  • The application must accept Federal Identity, Credential, and Access Management (FICAM)-approved third-party credentials.

    FICAM establishes a federated identity framework for the federal government. FICAM provides government-wide services for common Identity, Credential and Access Management (ICAM) requirements. The F...
    Rule Medium Severity
  • The application must conform to Federal Identity, Credential, and Access Management (FICAM)-issued profiles.

    FICAM establishes a federated identity framework for the federal government. FICAM provides government-wide services for common Identity, Credential, and Access Management (ICAM) requirements. The ...
    Rule Medium Severity
  • Applications used for non-local maintenance sessions must audit non-local maintenance and diagnostic sessions for organization-defined auditable events.

    Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network...
    Rule Medium Severity
  • Applications used for non-local maintenance sessions must implement cryptographic mechanisms to protect the integrity of non-local maintenance and diagnostic communications.

    Privileged access contains control and configuration information which is particularly sensitive, so additional protections are necessary. This is maintained by using cryptographic mechanisms to pr...
    Rule Medium Severity
  • Applications used for non-local maintenance sessions must implement cryptographic mechanisms to protect the confidentiality of non-local maintenance and diagnostic communications.

    Privileged access contains control and configuration information which is particularly sensitive, so additional protections are necessary. This is maintained by using cryptographic mechanisms to pr...
    Rule Medium Severity
  • The application must employ strong authenticators in the establishment of non-local maintenance and diagnostic sessions.

    If maintenance tools are used by unauthorized personnel, they may accidentally or intentionally damage or compromise the system. The act of managing systems and applications includes the ability to...
    Rule Medium Severity
  • The application must not be vulnerable to race conditions.

    A race condition is a timing event within an application that can become a security vulnerability. A race condition can occur when a pair of programming calls operating simultaneously do not work ...
    Rule Medium Severity
  • The application must utilize FIPS-validated cryptographic modules when signing application components.

    Applications that distribute components of the application must sign the components to provide an identity assurance to consumers of the application component. Components can include application me...
    Rule Medium Severity
  • The application user interface must be either physically or logically separated from data storage and management interfaces.

    Application management functionality includes functions necessary for administration and requires privileged user access. Allowing non-privileged users to access application management functionalit...
    Rule Medium Severity
  • The application must set the HTTPOnly flag on session cookies.

    HTTPOnly is a flag included in a Set-Cookie HTTP response header. If the HTTPOnly flag is included in the HTTP response header, the cookie cannot be accessed through client side scripts like JavaSc...
    Rule Medium Severity
  • The application must not expose session IDs.

    Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions. Application communication sessions are protect...
    Rule High Severity
  • Applications must use system-generated session identifiers that protect against session fixation.

    Session fixation allows an attacker to hijack a valid user’s application session. The attack focuses on the manner in which a web application manages the user’s session ID. Applications become vuln...
    Rule Medium Severity
  • Applications must not use URL embedded session IDs.

    Many web development frameworks such as PHP, .NET, and ASP include their own mechanisms for session management. Whenever possible it is recommended to utilize the provided session management framew...
    Rule Medium Severity
  • The application must generate a unique session identifier using a FIPS 140-2/140-3 approved random number generator.

    The application server will use session IDs to communicate between modules or applications within the application server and between the application server and users. The session ID allows the appl...
    Rule Medium Severity
  • The application must only allow the use of DoD-approved certificate authorities for verification of the establishment of protected sessions.

    Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient secur...
    Rule Medium Severity
  • The application must fail to a secure state if system initialization fails, shutdown fails, or aborts fail.

    Failure to a known safe state helps prevent systems from failing to a state that may cause loss of data or unauthorized access to system resources. Applications or systems that fail suddenly and wi...
    Rule High Severity
  • In the event of a system failure, applications must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes.

    Failure to a known state can address safety or security in accordance with the mission/business needs of the organization. Failure to a known secure state helps prevent a loss of confidentiality, i...
    Rule Medium Severity
  • The application must implement approved cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest on organization-defined information system components.

    Applications handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. Selection of a ...
    Rule Medium Severity
  • The application must isolate security functions from non-security functions.

    An isolation boundary provides access control and protects the integrity of the hardware, software, and firmware that perform security functions. Security functions are the hardware, software, and...
    Rule Medium Severity
  • Applications must prevent unauthorized and unintended information transfer via shared system resources.

    Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of ...
    Rule Medium Severity
  • The application must protect the confidentiality and integrity of transmitted information.

    Without protection of the transmitted information, confidentiality and integrity may be compromised since unprotected communications can be intercepted and either read or altered. This requirement...
    Rule High Severity
  • The application must implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS).

    Data is subject to manipulation and other integrity related attacks whenever that data is transferred across a network. To protect data integrity during transmission, the application must implement...
    Rule Medium Severity
  • The application must not disclose unnecessary information to users.

    Applications should not disclose information not required for the transaction (e.g., a web application should not divulge the fact there is a SQL server database and/or its version). These events...
    Rule Medium Severity
  • The application must protect from Cross-Site Scripting (XSS) vulnerabilities.

    XSS attacks are essentially code injection attacks against the various language interpreters contained within the browser. XSS can be executed via HTML, JavaScript, VBScript, ActiveX; essentially a...
    Rule High Severity