DISA's Application Security and Development STIG, V5R1 Compliance Report
This report displays DISA's Application Security and Development STIG, V5R1 Compliance issues found on your application. The Application Security and Development Security Technical Implementation Guide (STIG) provides security guidance for use throughout the application development lifecycle. The Defense Information Systems Agency (DISA) encourages sites to use these guidelines as early as possible in the application development process.
Summary
The Application Security and Development (ASD) Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems.
Covered information
The Application Security and Development STIG provides guidelines for securing enterprise applications connected via a network, including client applications, HTML, and browser-based apps using various web technologies. The STIG is mandatory for all DoD-developed, -architected, and -administered applications and systems connected to DoD networks. It helps managers and developers configure and maintain app security controls.
Covered entities
DoDI 8500.01 mandates that all DoD information technology must align with cybersecurity policies, standards, and architectures. DISA is responsible for creating and upkeeping control correlation identifiers (CCIs), security requirements guides (SRGs), security technical implementation guides (STIGs), and mobile code risk guidelines, ensuring they adhere to DoD cybersecurity principles, standards, and validation procedures. This is authorized by DoDI 8500.01.
AppScan and the Application Security and Development STIG
The AppScan compliance report will help you understand and locate compliance issues due to the scanned application's current security posture. This compliance report uses the STIG requirements ID to reference the STIG requirements. Additionally, the compliance report includes the STIG's requirements severity level as they appear in the STIG:
- Category I (CAT I) - Any vulnerability, the exploitation of which will directly and immediately result in loss of Confidentiality, Availability, or Integrity.
- Category II (CAT II)- Any vulnerability, the exploitation of which can result in loss of Confidentiality, Availability, or Integrity.
- Category III (CAT III)- Any vulnerability, the existence of which degrades measures to protect against loss of Confidentiality, Availability, or Integrity.
Sections | Description |
---|---|
V-222425, SV-222425r508029_rule: CAT I | The application must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
V-222430, SV-222430r849431_rule: CAT I | The application must execute without excessive account permissions. |
V-222522, SV-222522r508029_rule: CAT I | The application must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). |
V-222542, SV-222542r508029_rule: CAT I | The application must only store cryptographic representations of passwords. |
V-222596, SV-222596r849486_rule: CAT I | The application must protect the confidentiality and integrity of transmitted information. |
V-222601, SV-222601r849491_rule: CAT I | The application must not store sensitive information in hidden fields. |
V-222602, SV-222602r561263_rule: CAT I | The application must protect from Cross-Site Scripting (XSS) vulnerabilities. |
V-222604, SV-222604r508029_rule: CAT I | The application must protect from command injection. |
V-222607, SV-222607r508029_rule: CAT I | The application must not be vulnerable to SQL Injection. |
V-222608, SV-222608r508029_rule: CAT I | The application must not be vulnerable to XML-oriented attacks. |
V-222609, SV-222609r864578_rule: CAT I | The application must not be subject to input handling vulnerabilities. |
V-222612, SV-222612r864579_rule: CAT I | The application must not be vulnerable to overflow attacks. |
V-222662, SV-222662r864444_rule: CAT I | Default passwords must be changed. |
V-222642, SV-222642r849509_rule: CAT I | The Designer will ensure the application does not contain embedded authentication data. |
V-222388, SV-222388r849416_rule: CAT II | The application must clear temporary storage and cookies when the session is terminated. |
V-222391, SV-222391r849419_rule: CAT II | Applications requiring user access authentication must provide a logoff capability for user-initiated communication session. |
V-222396, SV-222396r508029_rule: CAT II | The application must implement DoD-approved encryption to protect the confidentiality of remote access sessions. |
V-222397, SV-222397r508029_rule: CAT II | The application must implement cryptographic mechanisms to protect the integrity of remote access sessions. |
V-222406, SV-222406r508029_rule: CAT II | The application must ensure messages are encrypted when the SessionIndex is tied to privacy data. |
V-222429, SV-222429r849430_rule: CAT II | The application must prevent non-privileged users from executing privileged functions to including disabling, circumventing, or altering implemented security safeguards/countermeasures. |
V-222513, SV-222513r864575_rule: CAT II | The application must have the capability to prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization. |
V-222515, SV-222515r508029_rule: CAT II | An application vulnerability assessment must be conducted. |
V-222517, SV-222517r849455_rule: CAT II | The application must employ a deny-all, permit-by-exception (whitelist) policy to allow the execution of authorized software programs. |
V-222518, SV-222518r508029_rule: CAT II | The application must be configured to disable non-essential capabilities. |
V-222523, SV-222523r508029_rule: CAT II | The application must use multifactor (Alt. Token) authentication for network access to privileged accounts. |
V-222524, SV-222524r849458_rule: CAT II | The application must accept Personal Identity Verification (PIV) credentials. |
V-222525, SV-222525r849459_rule: CAT II | The application must electronically verify Personal Identity Verification (PIV) credentials. |
V-222576, SV-222576r508029_rule: CAT II | The application must set the secure flag on session cookies. |
V-222577, SV-222577r508029_rule: CAT II | The application must not expose session IDs. |
V-222579, SV-222579r508029_rule: CAT II | Applications must use system-generated session identifiers that protect against session fixation. |
V-222581, SV-222581r508029_rule: CAT II | Applications must not use URL-embedded session IDs. |
V-222582, SV-222582r508029_rule: CAT II | The application must not re-use or recycle session IDs. |
V-222593, SV-222593r864576_rule: CAT II | XML-based applications must mitigate DoS attacks by using XML filters, parser options, or gateways. |
V-222594, SV-222594r561257_rule: CAT II | The application must restrict the ability to launch Denial of Service (DoS) attacks against itself or other information systems. |
V-222600, SV-222600r849490_rule: CAT II | The application must not disclose unnecessary information to users. |
V-222603, SV-222603r508029_rule: CAT II | The application must protect from Cross-Site Request Forgery (CSRF) vulnerabilities. |
V-222606, SV-222606r508029_rule: CAT II | The application must validate all input. |
V-222610, SV-222610r508029_rule: CAT II | The application must generate error messages that provide information necessary for zero corrective actions without revealing information that could be exploited by adversaries. |
V-222614, SV-222614r849497_rule: CAT II | Security-relevant software updates and patches must be kept up to date. |
V-222642, SV-222642r508029_rule: CAT II | The application must not contain embedded authentication data. |
V-222656, SV-222656r864438_rule: CAT II | The application must not be subject to error handling vulnerabilities. |
V-222667, SV-222667r864449_rule: CAT II | Protections against DoS attacks must be implemented. |