DISA's Application Security and Development STIG, V6R3 Compliance report
This report displays compliance issues found on your application against DISA's Application Security and Development STIG, Version 6, Release 3. The Application Security and Development Security Technical Implementation Guide (STIG) provides security guidance for use throughout the application development lifecycle. The Defense Information Systems Agency (DISA) encourages sites to use these guidelines as early as possible in the application development process.
Summary
The Application Security and Development (ASD) Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems.
Covered information
The Application Security and Development STIG is designed to be applied to all enterprise applications connected via the network. This includes client applications installed on desktop computers which establish network connections to remote systems, HTML and browser-based applications comprised of numerous web technologies and architectures including Java, JavaScript, .NET, Cloud, RESTful-based, and SOA-oriented web services.
This guide is a requirement for all DoD-developed, architected, and administered enterprise applications and systems connected to DoD networks. An Enterprise Application (EA) is defined as an application or software that is used by the organization to assist in the execution of the organization's missions or in meeting organizational goals or tasks. While some EAs may be hosted on a single system with various degrees of redundancy or fault tolerance, many are typically complex in nature, scalable, mission critical, and spread across multiple systems. Management personnel may also choose to designate an application as mission critical and deserving of EA status based upon their own criteria or operational situations. The STIG is not intended to be applied to scripts, administrative or otherwise, firewalls, or other network devices with application management interfaces when a relevant product STIG or technology SRG already exists. These requirements are intended to assist Application Development Program Managers, Application Designers/Developers, Information System Security Managers (ISSMs), Information System Security Officers (ISSOs), and System Administrators (SAs) with configuring and maintaining security controls for their applications.
Covered entities
DoD Instruction (DoDI) 8500.01 requires that "all IT that receives, processes, stores, displays, or transmits DoD information will be […] configured […] consistent with applicable DoD cybersecurity policies, standards, and architectures" and tasks that Defense Information Systems Agency (DISA) "develops and maintains control correlation identifiers (CCIs), security requirements guides (SRGs), security technical implementation guides (STIGs), and mobile code risk categories and usage guides that implement and are consistent with DoD cybersecurity policies, standards, architectures, security controls, and validation procedures, with the support of the NSA/CSS, using input from stakeholders, and using automation whenever possible." This document is provided under the authority of DoDI 8500.01.
AppScan and the Application Security and Development STIG
This AppScan compliance report will help you to understand and locate compliance issues that may exist as a result of the current security posture of the scanned application. The report references each STIG requirement by its STIG requirement ID (the Vulnerability ID and Rule ID shown in the table below). Additionally, the report includes each requirement's severity level as it appears in the STIG:
- Category I (CAT I) - Any vulnerability, the exploitation of which will directly and immediately result in loss of Confidentiality, Availability, or Integrity.
- Category II (CAT II) - Any vulnerability, the exploitation of which can result in loss of Confidentiality, Availability, or Integrity.
- Category III (CAT III) - Any vulnerability, the existence of which degrades measures to protect against loss of Confidentiality, Availability, or Integrity.
| STIG requirement (Vuln ID, Rule ID: Severity) | Description |
|---|---|
| V-222425, SV-222425r508029_rule: CAT I | The application must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
| V-222430, SV-222430r849431_rule: CAT I | The application must execute without excessive account permissions. |
| V-222522, SV-222522r508029_rule: CAT I | The application must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). |
| V-222542, SV-222542r508029_rule: CAT I | The application must only store cryptographic representations of passwords. |
| V-222596, SV-222596r849486_rule: CAT I | The application must protect the confidentiality and integrity of transmitted information. |
| V-222601, SV-222601r849491_rule: CAT I | The application must not store sensitive information in hidden fields. |
| V-222602, SV-222602r561263_rule: CAT I | The application must protect from Cross-Site Scripting (XSS) vulnerabilities. |
| V-222604, SV-222604r508029_rule: CAT I | The application must protect from command injection. |
| V-222607, SV-222607r508029_rule: CAT I | The application must not be vulnerable to SQL Injection. |
| V-222608, SV-222608r508029_rule: CAT I | The application must not be vulnerable to XML-oriented attacks. |
| V-222609, SV-222609r864578_rule: CAT I | The application must not be subject to input handling vulnerabilities. |
| V-222612, SV-222612r864579_rule: CAT I | The application must not be vulnerable to overflow attacks. |
| V-222662, SV-222662r864444_rule: CAT I | Default passwords must be changed. |
| V-222642, SV-222642r849509_rule: CAT I | The Designer will ensure the application does not contain embedded authentication data. |
| V-222388, SV-222388r849416_rule: CAT II | The application must clear temporary storage and cookies when the session is terminated. |
| V-222391, SV-222391r849419_rule: CAT II | Applications requiring user access authentication must provide a logoff capability for user initiated communication session. |
| V-222396, SV-222396r508029_rule: CAT II | The application must implement DoD-approved encryption to protect the confidentiality of remote access sessions. |
| V-222397, SV-222397r508029_rule: CAT II | The application must implement cryptographic mechanisms to protect the integrity of remote access sessions. |
| V-222406, SV-222406r508029_rule: CAT II | The application must ensure messages are encrypted when the SessionIndex is tied to privacy data. |
| V-222429, SV-222429r849430_rule: CAT II | The application must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. |
| V-222513, SV-222513r864575_rule: CAT II | The application must have the capability to prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization. |
| V-222515, SV-222515r508029_rule: CAT II | An application vulnerability assessment must be conducted. |
| V-222517, SV-222517r849455_rule: CAT II | The application must employ a deny-all, permit-by-exception (whitelist) policy to allow the execution of authorized software programs. |
| V-222518, SV-222518r508029_rule: CAT II | The application must be configured to disable non-essential capabilities. |
| V-222523, SV-222523r508029_rule: CAT II | The application must use multifactor (Alt. Token) authentication for network access to privileged accounts. |
| V-222524, SV-222524r849458_rule: CAT II | The application must accept Personal Identity Verification (PIV) credentials. |
| V-222525, SV-222525r849459_rule: CAT II | The application must electronically verify Personal Identity Verification (PIV) credentials. |
| V-222576, SV-222576r508029_rule: CAT II | The application must set the secure flag on session cookies. |
| V-222577, SV-222577r508029_rule: CAT II | The application must not expose session IDs. |
| V-222579, SV-222579r508029_rule: CAT II | Applications must use system-generated session identifiers that protect against session fixation. |
| V-222581, SV-222581r508029_rule: CAT II | Applications must not use URL embedded session IDs. |
| V-222582, SV-222582r508029_rule: CAT II | The application must not re-use or recycle session IDs. |
| V-222593, SV-222593r864576_rule: CAT II | XML-based applications must mitigate DoS attacks by using XML filters, parser options, or gateways. |
| V-222594, SV-222594r561257_rule: CAT II | The application must restrict the ability to launch Denial of Service (DoS) attacks against itself or other information systems. |
| V-222600, SV-222600r849490_rule: CAT II | The application must not disclose unnecessary information to users. |
| V-222603, SV-222603r508029_rule: CAT II | The application must protect from Cross-Site Request Forgery (CSRF) vulnerabilities. |
| V-222606, SV-222606r508029_rule: CAT II | The application must validate all input. |
| V-222610, SV-222610r508029_rule: CAT II | The application must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. |
| V-222614, SV-222614r849497_rule: CAT II | Security-relevant software updates and patches must be kept up to date. |
| V-222642, SV-222642r508029_rule: CAT II | The application must not contain embedded authentication data. |
| V-222656, SV-222656r864438_rule: CAT II | The application must not be subject to error handling vulnerabilities. |
| V-222667, SV-222667r864449_rule: CAT II | Protections against DoS attacks must be implemented. |
Related information
To learn more about the DoD Application Security and Development STIG, visit: Security Technical Implementation Guides (STIGs) – DoD Cyber Exchange