Application Security and Development Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
The application must only allow the use of DoD-approved certificate authorities for verification of the establishment of protected sessions.
Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient secur...Rule Medium Severity -
The application must fail to a secure state if system initialization fails, shutdown fails, or aborts fail.
Failure to a known safe state helps prevent systems from failing to a state that may cause loss of data or unauthorized access to system resources. Applications or systems that fail suddenly and wi...Rule High Severity -
In the event of a system failure, applications must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes.
Failure to a known state can address safety or security in accordance with the mission/business needs of the organization. Failure to a known secure state helps prevent a loss of confidentiality, i...Rule Medium Severity -
The application must implement approved cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest on organization-defined information system components.
Applications handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. Selection of a ...Rule Medium Severity -
The application must isolate security functions from non-security functions.
An isolation boundary provides access control and protects the integrity of the hardware, software, and firmware that perform security functions. Security functions are the hardware, software, and...Rule Medium Severity -
Applications must prevent unauthorized and unintended information transfer via shared system resources.
Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of ...Rule Medium Severity -
The application must protect the confidentiality and integrity of transmitted information.
Without protection of the transmitted information, confidentiality and integrity may be compromised since unprotected communications can be intercepted and either read or altered. This requirement...Rule High Severity -
The application must implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS).
Data is subject to manipulation and other integrity related attacks whenever that data is transferred across a network. To protect data integrity during transmission, the application must implement...Rule Medium Severity -
The application must not disclose unnecessary information to users.
Applications should not disclose information not required for the transaction. (e.g., a web application should not divulge the fact there is a SQL server database and/or its version). These events...Rule Medium Severity -
The application must protect from Cross-Site Scripting (XSS) vulnerabilities.
XSS attacks are essentially code injection attacks against the various language interpreters contained within the browser. XSS can be executed via HTML, JavaScript, VBScript, ActiveX; essentially a...Rule High Severity -
The application must protect from command injection.
A command injection attack is an attack on a vulnerable application where improperly validated input is passed to a command shell setup in the application. The result is the ability of an attacker ...Rule High Severity -
The application must not be vulnerable to XML-oriented attacks.
Extensible Markup Language (XML) is widely employed in web technology and applications like web services (SOAP, REST, and WSDL) and is also used for configuration files. XML vulnerability examples ...Rule High Severity -
The application must not be vulnerable to overflow attacks.
A buffer overflow occurs when a program exceeds the amount of data allocated to a buffer. The buffer is a sequential section of memory and when the data is written outside the memory bounds, the pr...Rule High Severity -
Security-relevant software updates and patches must be kept up to date.
Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (incl...Rule Medium Severity -
The application must perform verification of the correct operation of security functions: upon system startup and/or restart; upon command by a user with privileged access; and/or every 30 days.
Without verification, security functions may not operate correctly and this failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information sys...Rule Medium Severity -
The ISSO must ensure an account management process is implemented, verifying only authorized users can gain access to the application, and individual accounts designated as inactive, suspended, or terminated are promptly removed.
A comprehensive account management process will ensure that only authorized users can gain access to applications and that individual accounts designated as inactive, suspended, or terminated are p...Rule Medium Severity -
Application web servers must be on a separate network segment from the application and database servers if it is a tiered application operating in the DoD DMZ.
A tiered application usually consists of 3 tiers, the web layer (presentation tier), the application layer (application logic tier), and the database layer (data storage tier). Using one system fo...Rule High Severity -
The ISSO must ensure active vulnerability testing is performed.
Use of automated scanning tools accompanied with manual testing/validation which confirms or expands on the automated test results is an accepted best practice when performing application security ...Rule Medium Severity -
Execution flow diagrams and design documents must be created to show how deadlock and recursion issues in web services are being mitigated.
In order to understand data flows within web services, the process flow of data must be developed and documented. There are several different ways that web service deadlock occurs, many times it i...Rule Medium Severity -
The Configuration Management (CM) repository must be properly patched and STIG compliant.
A Configuration Management (CM) repository is used to manage application code versions and to securely store application code. Failure to properly apply security patches and secure the software Co...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.