| V-19687 | High | The IAO will ensure web servers are on logically separate network segments from the application and database servers if it is a tiered application.
| Web servers should be on logically separated network segments from the application and database servers in order to provide different levels and types of defenses for each type of server. Failure... |
| V-19688 | High | The designer and the IAO will ensure physical operating system separation and physical application separation is employed between servers of different data types in the web tier of Increment 1/Phase 1 deployment of the DoD DMZ for Internet-facing applications.
| Restricted and unrestricted data residing on the same server may allow unauthorized access which would result in a loss of integrity and possibly the availability of the data.
This requirement... |
| V-16837 | High | The IAO will ensure the application is decommissioned when maintenance or support is no longer available. | When maintenance no longer exists for an application, there are no individuals responsible for providing security updates. The application is no longer supported, and should be decommissioned.
|
| V-16809 | High | The designer will ensure the application does not contain format string vulnerabilities.
| Format string vulnerabilities usually occur when unvalidated input is entered and is directly written into the format string used to format data in the print style family of C/C++ functions. If... |
| V-16808 | High | The designer will ensure the application is not vulnerable to integer arithmetic issues.
| Integer overflows occur when an integer has not been properly checked and is used in memory allocation, copying, and concatenation. Also, when incrementing integers past their maximum possible... |
| V-16800 | High | The designer will ensure users’ accounts are locked after three consecutive unsuccessful logon attempts within one hour.
| If user accounts are not locked after a set number of unsuccessful logins, attackers can infinitely retry user password combinations providing immediate access to the application. |
| V-16804 | High | The designer will ensure the application does not rely solely on a resource name to control access to a resource.
| Application access control decisions should be based on authentication of users. Resource names alone can be spoofed allowing access control mechanisms to be bypassed giving immediate access to... |
| V-16807 | High | The designer will ensure the application is not vulnerable to SQL Injection, uses prepared or parameterized statements, does not use concatenation or replacement to build SQL queries, and does not directly access the tables in a database. | SQL Injection can be used to bypass user login to gain immediate access to the application and can also be used to elevate privileges with an existing user account. |
| V-16813 | High | The designer will ensure the application does not use hidden fields to control user access privileges or as a part of a security mechanism.
| Using hidden fields to pass data in forms is very common. However, hidden fields can be easily manipulated by users. Hidden fields used to control access decisions can lead to a complete... |
| V-16810 | High | The designer will ensure the application does not allow command injection.
| A command injection attack, is an attack on a vulnerable application where improperly validated input is passed to a command shell setup in the application. A command injection allows an attacker... |
| V-16811 | High | The designer will ensure the application does not have cross site scripting (XSS) vulnerabilities.
| XSS vulnerabilities exist when an attacker uses a trusted website to inject malicious scripts into applications with improperly validated input.
|
| V-6129 | High | The designer will ensure the application using PKI validates certificates for expiration, confirms origin is from a DoD authorized CA, and verifies the certificate has not been revoked by CRL or OCSP, and CRL cache (if used) is updated at least daily. | The application should not provide access to users or other entities using expired, revoked or improperly signed certificates because the identity cannot be verified. |
| V-19703 | High | The designer will ensure validity periods are verified on all messages using WS-Security or SAML assertions.
| When using WS-Security in SOAP messages, the application should check the validity of the timestamps with creation and expiration times. Unvalidated timestamps may lead to a replay event and... |
| V-19702 | High | The designer will ensure when using WS-Security, messages use timestamps with creation and expiration times.
| The lack of timestamps could lead to the eventual replay of the message, leaving the application susceptible to replay events which may result in an immediate loss of confidentiality.
Any... |
| V-16795 | High | The designer will ensure the application does not display account passwords as clear text.
| Passwords being displayed in clear text can be easily seen by casual observers. Password masking should be employed so any casual observers cannot see passwords on the screen as they are being typed. |
| V-16797 | High | The designer will ensure the application stores account passwords in an approved encrypted format.
| Passwords stored without encryption or with weak, unapproved, encryption can easily be read and unencrypted. These passwords can then be used for immediate access to the application. |
| V-16796 | High | The designer will ensure the application transmits account passwords in an approved encrypted format.
| Passwords transmitted in clear text or with an unapproved format are vulnerable to network protocol analyzers. These passwords acquired with the network protocol analyzers can be used to... |
| V-21498 | High | The designer will ensure the application is not vulnerable to XML Injection.
| XML injection results in an immediate loss of “integrity” of the data.
Any vulnerability associated with a DoD Information system or system enclave, the exploitation of which, by a risk factor,... |
| V-6136 | High | The designer will ensure data transmitted through a commercial or wireless network is protected using an appropriate form of cryptography.
| Unencrypted sensitive application data could be intercepted in transit. |
| V-6134 | High | The IAO will ensure default passwords are changed.
| Default passwords can easily be compromised by attackers allowing immediate access to the applications. |
| V-6141 | High | The designer will ensure access control mechanisms exist to ensure data is accessed and changed only by authorized personnel.
| If access control mechanisms are not in place, anonymous users could potentially make unauthorized read and modification requests to the application data which is an immediate loss of the... |
| V-6146 | High | The designer will ensure the application has the capability to mark sensitive/classified output when required.
| Failure to properly mark output could result in a disclosure of sensitive or classified data which is an immediate loss in confidentiality.
Any vulnerability associated with a DoD Information... |
| V-22028 | High | The designer shall use the NotOnOrAfter property when using the <SubjectConfirmation> element in a SAML assertion.
| When a SAML assertion is used with a <SubjectConfirmation> element, a begin and end time for the <SubjectConfirmation> should be set to prevent reuse of the message at a later time. Not setting a... |
| V-22029 | High | The designer shall use both the <NotBefore> and <NotOnOrAfter> elements or <OneTimeUse> element when using the <Conditions> element in a SAML assertion.
| When a SAML assertion is used with a <Conditions> element, a begin and end time for the <Conditions> element should be set to prevent reuse of the message at a later time. Not setting a specific... |
| V-16848 | High | The IAO will ensure passwords generated for users are not predictable and comply with the organization's password policy.
| Predictable passwords may allow an attacker to gain immediate access to new user accounts which would result in a loss of integrity.
Any vulnerability associated with a DoD Information system or... |
| V-6153 | High | The designer will ensure the application removes authentication credentials on client computers after a session terminates.
| Leaving authentication credentials stored at the client level allows potential access to session information that can be used by subsequent users of a shared workstation and could also be exported... |
| V-6156 | High | The designer will ensure the application does not contain embedded authentication data.
| Authentication data stored in code could potentially be read and used by anonymous users to gain access to a backend database or application server. This could lead to immediate access to a... |
| V-16787 | High | The designer will ensure the application follows the secure failure design principle.
| The secure design principle ensures the application follows a secure predictable path in the application code. If all possible code paths are not accounted for, the application may allow access to... |
| V-16785 | High | The designer will ensure the application supports detection and/or prevention of communication session hijacking.
| Session tokens can be compromised by various methods. Using predictable session tokens can allow an attacker to hijack a session in progress. Session sniffing can be used to capture a valid... |
| V-6164 | High | The designer will ensure the application validates all input.
| Absence of input validation opens an application to improper manipulation of data. The lack of input validation can lead immediate access of application, denial of service, and corruption of data.
|
| V-6165 | High | The designer will ensure the application does not have buffer overflows, use functions known to be vulnerable to buffer overflows, and does not use signed values for memory allocation where permitted by the programming language. | Buffer overflow attacks occur when improperly validated input is passed to an application overwriting of memory. Usually, buffer overflow errors stop execution of the application causing a minimum... |
| V-19695 | High | The designer will ensure web services provide a mechanism for detecting resubmitted SOAP messages.
| SOAP messages should be designed so duplicate messages are detected.
Replay attacks may lead to a loss of confidentiality and potentially a loss of availability
Any vulnerability associated with... |
| V-21519 | High | The Program Manager will ensure all products are supported by the vendor or the development team. | Unsupported software products should not be used because of the unknown potential vulnerabilities.
Any vulnerability associated with a DoD Information system or system enclave, the exploitation... |
| V-19689 | Medium | The designer will ensure web services are designed and implemented to recognize and react to the attack patterns associated with application-level DoS attacks.
| Because of potential denial of service, web services should be designed to recognize potential attack patterns.
|
| V-16839 | Medium | The IAO will ensure protections against DoS attacks are implemented.
| Known threats documented in the threat model should be mitigated, to prevent DoS type attacks.
|
| V-16834 | Medium | The IAO shall ensure if a DoD STIG or NSA guide is not available, a third-party product will be configured by the following in descending order as available: 1) commercially accepted practices, (2) independent testing results, or (3) vendor literature. | Not all COTS products are covered by a STIG. Those products not covered by a STIG, should be minimally configured to vendors recommendation guidelines.
|
| V-16835 | Medium | The IAO will ensure at least one application administrator has registered to receive update notifications, or security alerts, when automated alerts are available.
| Administrators should register for updates to all COTS and custom developed software, so when security flaws are identified, they can be tracked for testing and updates of the application can be applied.
|
| V-16836 | Medium | The IAO will ensure the system and installed applications have current patches, security updates, and configuration settings.
| Due to viruses, worms, Trojans, and other malicious software, in addition to inevitable
weaknesses in code, the necessity to patch critical vulnerabilities is paramount. As part of the
general... |
| V-16830 | Medium | The Test Manager will ensure flaws found during a code review are tracked in a defect tracking system.
| If flaws are not tracked they may possibly be forgotten to be included in a release. Tracking flaws in the configuration management repository will help identify code elements to be changed, as... |
| V-16831 | Medium | The IAO will ensure active vulnerability testing is performed. | Use of automated scanning tools accompanied with manual testing/validation which confirms or expands on the automated test results is an accepted best practice when performing application security... |
| V-16832 | Medium | The Test Manager will ensure security flaws are fixed or addressed in the project plan.
| If security flaws are not tracked, they may possibly be forgotten to be included in a release. Tracking flaws in the project plan will help identify code elements to be changed as well as the... |
| V-16833 | Medium | The IAO will ensure if an application is designated critical, the application is not hosted on a general purpose machine.
| Critical applications should not be hosted on a multi-purpose server with other applications. Applications that share resources are susceptible to the other shared application security defects. ... |
| V-21500 | Medium | The designer will ensure the application does not have CSRF vulnerabilities.
| Cross Site Request Forgery (CSRF) is an attack where an end user is previously authenticated to a specific website and the user through social engineering (e.g., e-mail or chat) launches a... |
| V-16826 | Medium | The Test Manager will ensure tests plans and procedures are created and executed prior to each release of the application or updates to system patches.
| Without test plans and procedures for application releases or updates, unexpected results may occur which could lead to a denial of service to the application or components. |
| V-6198 | Medium | The Program Manager and IAO will ensure development systems, build systems, test systems, and all components comply with all appropriate DoD STIGs, NSA guides, and all applicable DoD policies.
The Test Manager will ensure both client and server machines are STIG compliant.
| Applications developed on a non STIG compliant platform may not function when deployed to a STIG compliant platform, and therefore cause a potential denial of service to the users and the... |
| V-6197 | Medium | The Program Manager will ensure a System Security Plan (SSP) is established to describe the technical, administrative, and procedural IA program and policies governing the DoD information system, and identifying all IA personnel and specific IA requirements and objectives. | If the DAA, IAM, or IAO are not performing assigned functions in accordance with DoD
requirements, it could impact the overall security of the facility, personnel, systems, and data, which
could... |
| V-16801 | Medium | The designer will ensure locked users’ accounts can only be unlocked by the application administrator.
| User accounts should only be unlocked by the user contacting an administrator, and making a formal request to have the account reset. Accounts that are automatically unlocked after a set time... |
| V-16803 | Medium | The designer and IAO will ensure application resources are protected with permission sets which allow only an application administrator to modify application resource configuration files.
| If application resources are not protected with permission sets that allow only an application administrator to modify application resource configuration files, unauthorized users can modify... |
| V-16802 | Medium | The designer will ensure the application provides a capability to automatically terminate a session and log out after a system defined session idle time limit is exceeded.
| In the event a user does not log out of the application, the application should automatically terminate the session and log out; otherwise, subsequent users of a shared system could continue to... |
| V-16806 | Medium | The designer will ensure the web application assigns the character set on all web pages.
| For web applications, setting the character set on the web page reduces the possibility of receiving unexpected input that uses other character set encodings by the web application. |
| V-16816 | Medium | The designer will ensure the application supports the creation of transaction logs for access and changes to the data.
| Without required logging and access control, security issues related to data changes will not be identified. This could lead to security compromises such as data misuse, unauthorized changes, or... |
| V-16814 | Medium | The designer will ensure the application does not disclose unnecessary information to users.
| Applications should not disclose information not required for the transaction. (e.g., a web application should not divulge the fact there is a SQL server database and/or its version) This... |
| V-16815 | Medium | The designer will ensure the application is not vulnerable to race conditions.
| A race condition occurs when an application receives two or more actions on the same resource in an unanticipated order which causes a conflict. Sometimes, the resource is locked by different... |
| V-16812 | Medium | The designer will ensure the application has no canonical representation vulnerabilities.
| Canonical representation issues arise when the name of a resource is used to control resource access. There are multiple methods of representing resource names on a computer system. An... |
| V-16818 | Medium | The designer will ensure the application has a capability to display the user’s time and date of the last change in data content.
| Without access control mechanisms in place, the data is not secure. The time and date display of data content change provides an indication that the data may have been accessed by unauthorized... |
| V-16819 | Medium | The designer will ensure development of new mobile code includes measures to mitigate the risks identified.
| New mobile code types may introduce unknown vulnerabilities if a risk assessment is not completed prior to the use of mobile code. |
| V-6127 | Medium | The designer will ensure applications requiring user authentication are PK-enabled and are designed and implemented to support hardware tokens (e.g., CAC for NIPRNet). | Non PK-enabled applications can allow unauthorized persons or entities to intercept information. A PK-enabled application gives assurance of the user accessing the application. |
| V-6128 | Medium | The designer and IAO will ensure PK-enabled applications are designed and implemented to use approved credentials authorized under the DoD PKI program.
| Using unapproved PKI certificates could allow access by non-DoD and unauthorized users. |
| V-19707 | Medium | The designer will ensure supporting application services and interfaces have been designed, or upgraded for, IPv6 transport.
| If the application's supporting services (e.g., software update, security update, driver updating, and automatic patching services) have not been updated to retrieve updates over a IPv6 network... |
| V-19706 | Medium | The designer will ensure the application is compliant with all DoD IT Standards Registry (DISR) IPv6 profiles.
| If the application has not been upgraded to execute on an IPv6-only network, there is a possibility the application will not execute properly, and as a result, a denial of service could occur.
|
| V-19705 | Medium | The designer shall ensure encrypted assertions, or equivalent confidentiality protections, when assertion data is passed through an intermediary, and confidentiality of the assertion data is required to pass through the intermediary.
| The confidentially of the data in a message as the message is passed through an intermediary web service may be required to be restricted by the intermediary web service. The intermediary web... |
| V-19704 | Medium | The designer shall ensure each unique asserting party provides unique assertion ID references for each SAML assertion.
| SAML assertion identifiers should be unique across a server implementation. Duplicate SAML assertion identifiers could lead to unauthorized access to a web service.
|
| V-19701 | Medium | The designer will ensure SOAP messages requiring integrity, sign the following message elements:
-Message ID
-Service Request
-Timestamp
-SAML Assertion (optionally included in messages)
| Digitally signed SOAP messages provide message integrity and authenticity of the signer of the message independent of the transport layer. Service requests may be intercepted and changed in... |
| V-19700 | Medium | The IAO will ensure if the UDDI registry contains sensitive information and read access to the UDDI registry is granted only to authenticated users.
| If a UDDI registry contains sensitive data, the repository should require authentication to read the UDDI data repository. If the repository does not require authentication, the UDDI data... |
| V-19709 | Medium | The designer will ensure the application is compliant with the IPv6 addressing scheme as defined in RFC 1884.
| If the application is not compliant with the IPv6 addressing scheme, the entry of IPv6 formats that are 128 bits long or hexadecimal notation including colons, could result in buffer overflows... |
| V-19708 | Medium | The designer will ensure the application is compliant with IPv6 multicast addressing and features an IPv6 network configuration options as defined in RFC 4038.
| If the application has not been updated to IPv6 multicast features, there is a possibility the application will not execute properly and as a result, a denial of service could occur.
|
| V-16799 | Medium | The designer will ensure the application installs with unnecessary accounts disabled, or deleted, by default.
| Unnecessary accounts should be disabled to limit the number of entry points for attackers to gain access to the system. Removing unnecessary accounts also limits the number of users and passwords... |
| V-16798 | Medium | The designer will ensure the application protects access to authentication data by restricting access to authorized users and services.
| If authentication is not properly restricted using access controls list, unauthorized users of the server where the authentication data is stored may be able to use the authentication data to... |
| V-16790 | Medium | The designer will ensure the application does not connect to a database using administrative credentials or other privileged database accounts. | If the application uses administrative credentials or other privileged database accounts to access the database, an attacker that has already compromised the application though another... |
| V-16793 | Medium | The designer will ensure the application properly clears or overwrites all memory blocks used to process sensitive data, if required by the information owner, and clears or overwrites all memory blocks used for classified data.
| Sensitive and classified data in memory should be cleared or overwritten to protect data from the possibility of an attacker causing the application to crash and analyzing a memory dump of the... |
| V-16792 | Medium | The designer will ensure sensitive data held in memory is cryptographically protected when not in use, if required by the information owner, and classified data held in memory is always cryptographically protected when not in use.
| Sensitive or classified data in memory must be encrypted to protect data from the possibility of an attacker causing an application crash then analyzing a memory dump of the application for... |
| V-16794 | Medium | The designer will ensure the application uses mechanisms assuring the integrity of all transmitted information (including labels and security parameters). | If integrity checks are not used to detect errors in data streams, there is no way to ensure the integrity of the application data as it traverses the network. |
| V-6138 | Medium | The designer will ensure the application design includes audits on all access to need-to-know information and key application events.
| Properly logged and monitored audit logs not only assist in combating threats, but also play a key role in diagnosis, forensics, and recovery. |
| V-6137 | Medium | The designer will ensure the application uses the Federal Information Processing Standard (FIPS) 140-2 validated cryptographic modules and random number generator if the application implements encryption, key exchange, digital signature, and hash functionality.
| Unapproved cryptographic module algorithms cannot be verified, and cannot be relied upon to provide confidentiality or integrity and DoD data may be compromised due to weak algorithms. |
| V-6135 | Medium | The designer will ensure the appropriate cryptography is used to protect stored DoD information if required by the information owner.
| Application data needs to be properly protected. Content of application data contains not only operationally sensitive data, but also personal data covered by the privacy act that needs to be... |
| V-6133 | Medium | The IAO will ensure unnecessary built-in application accounts are disabled.
| Default passwords and properties of built-in accounts are often publicly available. Anyone with necessary knowledge, internal or external, can compromise an application using built-in accounts. |
| V-6131 | Medium | The designer will ensure the application prevents the creation of duplicate accounts.
| Duplicate user accounts can create a situation where multiple users will be mapped to a single account. These duplicate user accounts may cause users to assume other users roles and privilege... |
| V-6130 | Medium | The designer will ensure the application has the capability to require account passwords that conform to DoD policy. | Weak passwords can be guessed or easily cracked using various methods. This can potentially lead to unauthorized access to the application. |
| V-16789 | Medium | The designer will ensure private keys are accessible only to administrative users. | If private keys are accessible to non-administrative users, these users could potentially read and use the private keys to unencrypt stored or transmitted sensitive data used by the application. |
| V-16773 | Medium | The Program Manager will provide an Application Configuration Guide to the application hosting
providers to include a list of all potential hosting enclaves and connection rules and requirements. | The security posture of the enclave could be degraded if an Application Configuration Guide is not available and followed by application developers. |
| V-22032 | Medium | The designer shall ensure if a OneTimeUse element is used in an assertion, there is only one used in the Conditions element portion of an assertion.
| Multiple OneTimeUse elements used in a SAML assertion can lead to elevation of privileges, if the application does not process SAML assertions correctly. |
| V-22031 | Medium | The designer shall ensure messages are encrypted when the SessionIndex is tied to privacy data.
| When the SessionIndex is tied to privacy data (e.g., attributes containing privacy data) the message should be encrypted. If the message is not encrypted there is the possibility of compromise of... |
| V-22030 | Medium | The designer will ensure the asserting party uses FIPS approved random numbers in the generation of SessionIndex in the SAML element AuthnStatement.
| A predictable SessionIndex could lead to an attacker computing a future SessionIndex, thereby, possibly compromising the application. |
| V-6148 | Medium | The designer will ensure threat models are documented and reviewed for each application release and updated as required by design and functionality changes or new threats are discovered.
| The lack of threat modeling will potentially leave unidentified threats for attackers to utilize to gain access to the application. |
| V-6149 | Medium | The designer will ensure the application does not contain source code that is never invoked during operation, except for software components and libraries from approved third-party products.
| Unused libraries increase a program size without any benefits. and may expose an enclave to possible malware. They can be used by a worm as program space, and increase the risk of a buffer... |
| V-6142 | Medium | The designer will ensure all access authorizations to data are revoked prior to initial assignment, allocation or reallocation to an unused state. | DoD data may be compromised if applications do not protect residual data in objects when they are allocated to an unused state. Access authorizations to data should be revoked prior to initial... |
| V-6143 | Medium | The designer will ensure the application executes with no more privileges than necessary for proper operation.
| An application with unnecessary access privileges can give an attacker access to the underlying operating system. |
| V-6140 | Medium | The designer and IAO will ensure the audit trail is readable only by the application and auditors and protected against modification and deletion by unauthorized individuals. | Excessive permissions of audit records allow cover up of intrusion or misuse of the application. |
| V-6147 | Medium | The Test Manager will ensure the application does not modify data files outside the scope of the application.
| Modifying data or files outside the scope of the application could lead to system instability in the event of an application problem. Also, a problem with this application could effect the... |
| V-6144 | Medium | The designer will ensure the application provides a capability to limit the number of logon sessions per user and per application. | If a user account has been compromised, limiting the number of sessions will allow the administrator to detect if the account has been compromised by an indication that the maximum number of... |
| V-6145 | Medium | If the application contains classified data, the Program Manager will ensure a Security Classification Guide exists containing data elements and their classification.
| Without a classification guide the marking, storage, and output media of classified material can be inadvertently mixed with unclassified material, leading to its possible loss or compromise. |
| V-16827 | Medium | The Test Manager will ensure test procedures are created and at least annually executed to ensure system initialization, shutdown, and aborts are configured to ensure the system remains in a secure state.
| Secure state assurance cannot be accomplished without testing the system state at least annually to ensure the system remains in a secure state upon intialization, shutdown and abort. |
| V-16779 | Medium | The Program Manager and designer will ensure the application is registered with the DoD Ports and Protocols Database.
| Failure to register the applications usage of ports, protocols, and services with the DoD PPS Database may result in a Denial of Service (DoS) because of enclave boundary protections at other end... |
| V-16778 | Medium | The Program Manager will document and obtain DAA risk acceptance for all public domain, shareware, freeware, and other software products/libraries with both (1) no source code to review, repair, and extend, and (2) limited or no warranty, when such products are required for mission accomplishment. | The security posture of the enclave could be compromised if untested or unwarranted software is used due to the risk of software failure, hidden vulnerabilities, or other malware embedded in the... |
| V-16849 | Medium | The IAO will ensure the application's users do not use shared accounts.
| Group or shared accounts for application access may be used only in conjunction with an individual authenticator. Group accounts do not allow for proper auditing of who is accessing the... |
| V-16845 | Medium | The IAO will ensure procedures are in place to assure the appropriate physical and technical protection of the backup and restoration of the application.
| Protection of backup and restoration assets is essential for the successful restore of operations after a catastrophic failure or damage to the system or data files. Failure to follow proper... |
| V-16844 | Medium | The IAO will ensure back-up copies of the application software are stored in a fire-rated container and not collocated with operational software.
| Inadequate back-up software or improper storage of back-up software can result in extended outages of the information system in the event of a fire or other situation that results in destruction... |
| V-16847 | Medium | The IAO will ensure an account management process is implemented, verifying only authorized users can gain access to the application, and individual accounts designated as inactive, suspended, or terminated are promptly removed.
| A comprehensive account management process will ensure that only authorized users can gain access to applications and that individual accounts designated as inactive, suspended, or terminated are... |
| V-16846 | Medium | The IAO will ensure a disaster recovery plan exists in accordance with DoD policy based on the Mission Assurance Category (MAC). | Well thought out recovery plans are essential for system recovery and/or business restoration in the event of catastrophic failure or disaster. |
| V-16775 | Medium | The Program Manager will ensure the system has been assigned specific MAC and confidentiality levels. | The site security posture and mission completion could be adversely affected if site managed applications and data are not properly assigned with the MAC and confidentiality levels. |
| V-16842 | Medium | The IAO will report all suspected violations of IA policies in accordance with DoD information system IA procedures.
| All potential sources are monitored for suspected violations of IA policies. If there are not policies regarding the reporting of IA violations, some IA violations may not be tracked or dealt... |
| V-6159 | Medium | The designer will ensure unsigned Category 1A mobile code is not used in the application in accordance with DoD policy. | Use of un-trusted Level 1 and 2 mobile code technologies can introduce security vulnerabilities and malicious code into the client system. |
| V-6158 | Medium | The designer will ensure the application only embeds mobile code in e-mail which does not execute automatically when the user opens the e-mail body or attachment.
| The practice of opening e-mails with executable code renders the recipient vulnerable to Internet worms, malicious content, and other threats. |
| V-6151 | Medium | The IAO will ensure unnecessary services are disabled or removed.
| Unnecessary services and software increases the security risk by increasing the potential attack surface of the application. |
| V-6150 | Medium | The Designer will ensure the application does not store configuration and control files in the same directory as user data.
| Application code and data require two very different security requirements, authentication and authorization (especially in file access). Without proper authentication and authorization there is... |
| V-6152 | Medium | The designer will ensure the application is capable of displaying a customizable click-through banner at logon which prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating "OK.”
| A logon banner is used to warn users against unauthorized entry and the possibility of legal action for unauthorized users, and advise all users that system use constitutes consent to monitoring,... |
| V-6155 | Medium | The designer will ensure the application provides a capability to terminate a session and log out.
| If a user cannot log out of the application, subsequent users of a shared system could continue to use the previous user's session to the application. |
| V-6154 | Medium | The designer will ensure the application is organized by functionality and roles to support the assignment of specific roles to specific application functions.
| Without a least privilege policy, a user can gain access to information that he or she is not entitled to and can compromise confidentiality, integrity, and availability of the system. Also,... |
| V-6157 | Medium | The designer will ensure the application does not contain invalid URL or path references.
| Resource information in code can easily advertise available vulnerabilities to unauthorized users. By placing the references into configuration files, the files can be further protected by file... |
| V-16786 | Medium | The designer will ensure the application installs with unnecessary functionality disabled by default.
| If functionality is enabled that is not required for operation of the application, this functionality may be exploited without knowledge because the functionality is not required by anyone. |
| V-16784 | Medium | The designer will ensure the user interface services are physically or logically separated from data storage and management services. | If user interface services are compromised, this may lead to the compromise of data storage and management services if they are not logically or physically separated. |
| V-16782 | Medium | The Program Manager will ensure a security incident response process for the application is established that defines reportable incidents and outlines a standard operating procedure for incident response to include Information Operations Condition (INFOCON).
| Without a plan, training, and assistance, users will not know what actions needs to be taken in the event of system attack or system/application compromise. This could result in additional... |
| V-16783 | Medium | The Program Manager will ensure procedures are implemented to assure physical handling and storage of information is in accordance with the data’s sensitivity.
| Failure to have proper workplace security procedures can lead to the loss or compromise of classified or sensitive information. |
| V-16780 | Medium | The Program Manager will ensure all levels of program management, designers, developers, and testers receive the appropriate security training pertaining to their job function. | Well trained IT personnel are the first line of defense against attacks or disruptions to the information system. Lack of sufficient training can lead to security oversights thereby, leading to... |
| V-16781 | Medium | The Program Manager will ensure a vulnerability management process is in place to include ensuring a mechanism is in place to notify users, and users are provided with a means of obtaining security updates for the application.
| If there is no mechanism (e.g., e-mail list, patch server) to provide updates for an application that is already deployed, security flaws can never be addressed. Also, if there is no... |
| V-16825 | Medium | The Test Manager will ensure the changes to the application are assessed for IA and accreditation impact prior to implementation.
| IA assessment of proposed changes is necessary to ensure security integrity is maintained within the application. |
| V-16788 | Medium | The designer will ensure the application uses encryption to implement key exchange and authenticate endpoints prior to establishing a communication channel for key exchange.
| If the application does not use encryption and authenticate endpoints prior to establishing a communication channel and prior to transmitting encryption keys, these keys may be intercepted, and... |
| V-47163 | Medium | The release manager must ensure application files are cryptographically hashed prior to deploying to DoD operational networks. | When application code and binaries are transferred from one environment to another, there is the potential for malware to be introduced into either the application code or even the application... |
| V-16777 | Medium | The Program Manager will ensure COTS IA and IA enabled products, comply with NIAP/NSA endorsed protection profiles.
| The security posture of the enclave could be compromised if applications are not at the approved NIAP/NSA protection profile. GOTS, or COTS IA and IA enabled IT products, must be in compliance... |
| V-16823 | Medium | The Release Manager will establish a Configuration Control Board (CCB), that meets at least every release cycle, for managing the CM process. | Software Configuration Management (SCM) is very important in tracking code releases, baselines, and managing access to the configuration management repository. The SCM plan identifies what should... |
| V-16822 | Medium | The Release Manager will develop an SCM plan describing the configuration control and change management process of objects developed and the roles and responsibilities of the organization.
| Software Configuration Management (SCM) is very important in tracking code releases, baselines, and managing access to the configuration management repository. The SCM plan identifies what should... |
| V-6166 | Medium | The designer will ensure the application is not subject to error handling vulnerabilities. | Unhandled exceptions leaves users with no means to properly respond to errors. Mishandled exceptions can transmit information that can be used in future security breaches. Properly handled... |
| V-6167 | Medium | The designer will ensure application initialization, shutdown, and aborts are designed to keep the application in a secure state.
| An application could be compromised, providing an attack vector into the enclave if application initialization, shutdown, and aborts are not designed to keep the application in a secure state.... |
| V-6160 | Medium | The designer will ensure unsigned Category 2 mobile code executing in a constrained environment has no access to local system and network resources.
| Mobile code cannot conform to traditional installation and configuration safeguards, therefore, the use of local operating system resources and spawning of network connections introduce harmful... |
| V-6161 | Medium | The designer will ensure signed Category 1A and Category 2 mobile code signature is validated before executing. | Untrusted mobile code may contain malware or malicious code and digital signatures provide a source of the content which is crucial to authentication and trust of the data. |
| V-6162 | Medium | The designer will ensure uncategorized or emerging mobile code is not used in applications.
| Mobile code does not require any traditional software acceptance testing or security validation. Mobile code needs to follow sound policy to maintain a reasonable level of trust. Mobile code... |
| V-6163 | Medium | The Designer will ensure the application removes temporary storage of files and cookies when the application is terminated.
| If the application does not remove temporary data (e.g., authentication data, temporary files containing sensitive data, etc.) this temporary data could be used to re-authenticate the user or... |
| V-16850 | Medium | The IAO will ensure connections between the DoD enclave and the Internet or other public or commercial wide area networks require a DMZ.
| In order to protect DoD data and systems, all remote access to DoD information systems must be mediated through a managed access control point, such as a remote access server in a DMZ.
|
| V-6168 | Medium | The designer will ensure applications requiring server authentication are PK-enabled.
| Applications not using PKI are at risk of containing many password vulnerabilities. PKI is the preferred method of authentication.
|
| V-6169 | Medium | The Program Manager and designer will ensure the application design complies with the DoD Ports and Protocols guidance.
| Failure to comply with DoD Ports, Protocols, and Services (PPS) Vulnerability Analysis and associated PPS mitigations may result in compromise of enclave boundary protections and/or functionality... |
| V-16776 | Medium | The Program Manager will ensure the development team follows a set of coding standards. | Implementing coding standards provides many benefits to the development process. These benefits include readability, consistency, and ease of integration.
Code conforming to a standard format... |
| V-6173 | Medium | The IAO will ensure application audit trails are retained for at least 1 year for applications without SAMI data, and 5 years for applications including SAMI data.
| Log files are a requirement to trace intruder activity or to audit user activity. |
| V-6172 | Medium | The IAO will ensure data backup is performed at required intervals in accordance with DoD policy.
| Without proper backups, the application is not protected from the loss of data or the operating environment in the event of hardware or software failure. |
| V-6171 | Medium | The IAO will ensure recovery procedures and technical system features exist so recovery is performed in a secure and verifiable manner.
The IAO will document circumstances inhibiting a trusted recovery.
| Without a disaster recovery plan, the application is susceptible to interruption in service due to damage within the processing site. |
| V-6174 | Medium | The IAO will ensure production database exports have database administration credentials and sensitive data removed before releasing the export.
| Production database exports allow export of active user account information. Such information can provide a simple target for password attacks outside the protections of database.
Not all... |
| V-19699 | Medium | The IAO will ensure web service inquiries to UDDI provide read-only access to the registry to anonymous users.
| If modification of UDDI registries are allowed by anonymous users, UDDI registries can be corrupted, or potentially be hijacked.
|
| V-19698 | Medium | The designer and IAO will ensure UDDI publishing is restricted to authenticated users.
| Ficticious or false entries could result if someone other than an authenticated user is able to create or modify the UDDI registry. The data integrity would be questionable if anonymous users are... |
| V-16829 | Medium | The Test Manager will ensure a code review is performed before the application is released.
| A code review is a systematic evaluation of computer source code conducted for the purposes of identifying and remediating security flaws. Examples of security flaws include but are not limited... |
| V-19691 | Medium | The designer will ensure web service design of critical functions is implemented using different algorithms to prevent similar attacks from forming a complete application level DoS. | Denial of service attacks could occur if web services use the same algorithm for all critical features. An algorithm is defined as: an effective method expressed as a finite list of well-defined... |
| V-19690 | Medium | The designer will ensure the web service design includes redundancy of critical functions.
| Because of potential denial of service, web services should be designed to be redundant.
|
| V-19693 | Medium | The designer will ensure execution flow diagrams are created and used to mitigate deadlock and recursion issues.
| To prevent web services from becoming deadlocked, an execution flow diagram should be documented.
|
| V-19692 | Medium | The designer will ensure web services are designed to prioritize requests to increase availability of the system.
| Because of potential denial of service, web services should be designed to prioritize web service requests.
|
| V-19694 | Medium | The IAO will ensure an XML firewall is deployed to protect web services.
| Web Services are vulnerable to many types of attacks. XML based firewalls can be used to prevent common attacks.
|
| V-19697 | Medium | The designer and IAO will ensure UDDI versions are used supporting digital signatures of registry entries.
| UDDI repositories must provide the capability to support digital signatures. Without the capability to support digital signatures, web service users cannot verify the integrity of the UDDI registry.
|
| V-19696 | Medium | The designer and IAO will ensure digital signatures exist on UDDI registry entries to verify the publisher.
| UDDI registries must provide digital signatures for verification of integrity of the publisher of each web service contained within the registry. Users publishing to the UDDI repository could... |
| V-7013 | Medium | The designer will create and update the Design Document for each release of the application. | The detailed functional architecture must be documented to ensure all risks are assessed and mitigated to the maximum extent practical. Failure to do so may result in unexposed risk, and failure... |
| V-16838 | Low | Procedures are not in place to notify users when an application is decommissioned.
| When maintenance no longer exists for an application, there are no individuals responsible for making security updates. The application should maintain procedures for decommissioning.
|
| V-16817 | Low | The designer will ensure the application has a capability to notify the user of important login information. | Attempted logons must be controlled to prevent password guessing exploits and unauthorized access attempts. |
| V-16791 | Low | The designer will ensure transaction based applications implement transaction rollback and transaction journaling. | Transaction based systems must have transaction rollback and transaction journaling, or technical equivalents implemented to ensure the system can recover from an attack or faulty transaction... |
| V-6139 | Low | The designer will ensure the application has a capability to notify an administrator when audit logs are nearing capacity as specified in the system documentation.
| If an application audit log reaches capacity without warning, it will stop logging important system and security events. It could also open the system up for a type of denial of service attack,... |
| V-6132 | Low | The IAO will ensure all user accounts are disabled which are authorized to have access to the application but have not authenticated within the past 35 days.
| Disabling inactive userids ensures access and privilege are available to only those who need it. |
| V-16841 | Low | The IAO will review audit trails periodically based on system documentation recommendations or immediately upon system security events.
| Without access control the data is not secure. It can be compromised, misused, or changed by unauthorized access at any time. |
| V-16840 | Low | The IAO will ensure the system alerts an administrator when low resource conditions are encountered.
| In order to prevent DoS type attacks, applications should be monitored when resource conditions reach a predefined threshold indicating there may be attack occurring. |
| V-16824 | Low | The Test Manager will ensure at least one tester is designated to test for security flaws in addition to functional testing.
| If there is no person designated to test for security flaws, vulnerabilities can potentially be missed during testing. |
| V-16820 | Low | The Release Manager will ensure the access privileges to the configuration management (CM) repository are reviewed every 3 months.
| Incorrect access privileges to the CM repository can lead to malicious code or unintentional code being introduced into the application. |
| V-6170 | Low | The Program Manager and designer will ensure any IA, or IA enabled, products used by the application are NIAP approved or in the NIAP approval process.
| IA or IA enabled products that have not been evaluated by NIAP may degrade the security posture of the enclave, if they do not operate as expected, be configured incorrectly, or have hidden... |
| V-16828 | Low | The Test Manager will ensure code coverage statistics are maintained for each release of the application.
| Code coverage statistics describes the how much of the source code has been executed based on the test procedures.
|
