Skip to content

Application Security and Development Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • The application must not be vulnerable to overflow attacks.

    <VulnDiscussion>A buffer overflow occurs when a program exceeds the amount of data allocated to a buffer. The buffer is a sequential section ...
    Rule High Severity
  • SRG-APP-000454

    <GroupDescription></GroupDescription>
    Group
  • The application must remove organization-defined software components after updated versions have been installed.

    &lt;VulnDiscussion&gt;Previous versions of software components that are not removed from the information system after updates have been installed m...
    Rule Medium Severity
  • SRG-APP-000456

    <GroupDescription></GroupDescription>
    Group
  • Security-relevant software updates and patches must be kept up to date.

    &lt;VulnDiscussion&gt;Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products t...
    Rule Medium Severity
  • The application performing organization-defined security functions must verify correct operation of security functions.

    &lt;VulnDiscussion&gt;Without verification, security functions may not operate correctly and this failure may go unnoticed. Security function is d...
    Rule Medium Severity
  • SRG-APP-000473

    <GroupDescription></GroupDescription>
    Group
  • The application must perform verification of the correct operation of security functions: upon system startup and/or restart; upon command by a user with privileged access; and/or every 30 days.

    &lt;VulnDiscussion&gt;Without verification, security functions may not operate correctly and this failure may go unnoticed. Security function is d...
    Rule Medium Severity
  • SRG-APP-000275

    <GroupDescription></GroupDescription>
    Group
  • The application must notify the ISSO and ISSM of failed security verification tests.

    &lt;VulnDiscussion&gt;If personnel are not notified of failed security verification tests, they will not be able to take corrective action and the ...
    Rule Low Severity
  • SRG-APP-000206

    <GroupDescription></GroupDescription>
    Group
  • Unsigned Category 1A mobile code must not be used in the application in accordance with DoD policy.

    &lt;VulnDiscussion&gt;Use of un-trusted Level 1A mobile code technologies can introduce security vulnerabilities and malicious code into the client...
    Rule Medium Severity
  • SRG-APP-000516

    <GroupDescription></GroupDescription>
    Group
  • The ISSO must ensure an account management process is implemented, verifying only authorized users can gain access to the application, and individual accounts designated as inactive, suspended, or terminated are promptly removed.

    &lt;VulnDiscussion&gt;A comprehensive account management process will ensure that only authorized users can gain access to applications and that in...
    Rule Medium Severity
  • SRG-APP-000516

    <GroupDescription></GroupDescription>
    Group
  • Application web servers must be on a separate network segment from the application and database servers if it is a tiered application operating in the DoD DMZ.

    &lt;VulnDiscussion&gt;A tiered application usually consists of 3 tiers, the web layer (presentation tier), the application layer (application logic...
    Rule High Severity
  • SRG-APP-000516

    <GroupDescription></GroupDescription>
    Group
  • The ISSO must ensure application audit trails are retained for at least 1 year for applications without SAMI data, and 5 years for applications including SAMI data.

    &lt;VulnDiscussion&gt;Log files are a requirement to trace intruder activity or to audit user activity.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt...
    Rule Medium Severity
  • SRG-APP-000516

    <GroupDescription></GroupDescription>
    Group
  • The ISSO must review audit trails periodically based on system documentation recommendations or immediately upon system security events.

    &lt;VulnDiscussion&gt;Without access control the data is not secure. It can be compromised, misused, or changed by unauthorized access at any time....
    Rule Medium Severity
  • SRG-APP-000516

    <GroupDescription></GroupDescription>
    Group
  • The ISSO must report all suspected violations of IA policies in accordance with DoD information system IA procedures.

    &lt;VulnDiscussion&gt;Violations of IA policies must be reviewed and reported. If there are no policies regarding the reporting of IA violations, I...
    Rule Medium Severity
  • SRG-APP-000516

    <GroupDescription></GroupDescription>
    Group
  • The ISSO must ensure active vulnerability testing is performed.

    &lt;VulnDiscussion&gt;Use of automated scanning tools accompanied with manual testing/validation which confirms or expands on the automated test re...
    Rule Medium Severity
  • SRG-APP-000516

    <GroupDescription></GroupDescription>
    Group
  • Execution flow diagrams and design documents must be created to show how deadlock and recursion issues in web services are being mitigated.

    &lt;VulnDiscussion&gt;In order to understand data flows within web services, the process flow of data must be developed and documented. There are ...
    Rule Medium Severity
  • SRG-APP-000516

    <GroupDescription></GroupDescription>
    Group
  • The designer must ensure the application does not store configuration and control files in the same directory as user data.

    &lt;VulnDiscussion&gt;Application configuration settings and user data are required to be stored in separate locations in order to prevent applicat...
    Rule Medium Severity
  • SRG-APP-000516

    <GroupDescription></GroupDescription>
    Group
  • The ISSO must ensure if a DoD STIG or NSA guide is not available, a third-party product will be configured by following available guidance.

    &lt;VulnDiscussion&gt;Not all COTS products are covered by a STIG. Those products not covered by a STIG, should follow commercially accepted best p...
    Rule Medium Severity
  • SRG-APP-000516

    <GroupDescription></GroupDescription>
    Group
  • New IP addresses, data services, and associated ports used by the application must be submitted to the appropriate approving authority for the organization, which in turn will be submitted through the DoD Ports, Protocols, and Services Management (DoD PPSM)

    &lt;VulnDiscussion&gt;Failure to comply with DoD Ports, Protocols, and Services (PPS) Vulnerability Analysis and associated PPS mitigations may res...
    Rule Medium Severity
  • SRG-APP-000516

    <GroupDescription></GroupDescription>
    Group
  • The application must be registered with the DoD Ports and Protocols Database.

    &lt;VulnDiscussion&gt;Failure to register the applications usage of ports, protocols, and services with the DoD PPS Database may result in a Denial...
    Rule Medium Severity
  • SRG-APP-000516

    <GroupDescription></GroupDescription>
    Group
  • Test procedures must be created and at least annually executed to ensure system initialization, shutdown, and aborts are configured to verify the system remains in a secure state.

    &lt;VulnDiscussion&gt;Secure state assurance cannot be accomplished without testing the system state at least annually to ensure the system remains...
    Rule Low Severity
  • The Configuration Management (CM) repository must be properly patched and STIG compliant.

    &lt;VulnDiscussion&gt;A Configuration Management (CM) repository is used to manage application code versions and to securely store application code...
    Rule Medium Severity
  • SRG-APP-000516

    <GroupDescription></GroupDescription>
    Group
  • Access privileges to the Configuration Management (CM) repository must be reviewed every three months.

    &lt;VulnDiscussion&gt;A Configuration Management (CM) repository is used to manage application code versions and to securely store application code...
    Rule Medium Severity
  • SRG-APP-000516

    <GroupDescription></GroupDescription>
    Group
  • A Software Configuration Management (SCM) plan describing the configuration control and change management process of application objects developed by the organization and the roles and responsibilities of the organization must be created and maintained.

    &lt;VulnDiscussion&gt;Software Configuration Management (SCM) is very important in tracking code releases, baselines, and managing access to the co...
    Rule Medium Severity
  • SRG-APP-000516

    <GroupDescription></GroupDescription>
    Group
  • A Configuration Control Board (CCB) that meets at least every release cycle, for managing the Configuration Management (CM) process must be established.

    &lt;VulnDiscussion&gt;Software Configuration Management (SCM) is very important in tracking code releases, baselines, and managing access to the co...
    Rule Medium Severity
  • SRG-APP-000387

    <GroupDescription></GroupDescription>
    Group
  • The application services and interfaces must be compatible with and ready for IPv6 networks.

    &lt;VulnDiscussion&gt;If the application has not been upgraded to execute on an IPv6-only network, there is a possibility the application will not ...
    Rule Medium Severity
  • SRG-APP-000516

    <GroupDescription></GroupDescription>
    Group
  • SRG-APP-000516

    <GroupDescription></GroupDescription>
    Group
  • The application must not be hosted on a general purpose machine if the application is designated as critical or high availability by the ISSO.

    &lt;VulnDiscussion&gt;Critical applications should not be hosted on a multi-purpose server with other applications. Applications that share resourc...
    Rule Medium Severity
  • SRG-APP-000516

    <GroupDescription></GroupDescription>
    Group
  • A disaster recovery/continuity plan must exist in accordance with DoD policy based on the applications availability requirements.

    &lt;VulnDiscussion&gt;All applications must document disaster recovery/continuity procedures to include business recovery plans, system contingenc...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules