The Program Manager will ensure a vulnerability management process is in place to include ensuring a mechanism is in place to notify users, and users are provided with a means of obtaining security updates for the application.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-16781	APP2130	SV-17781r1_rule	DCCT-1 VIVM-1	Medium

Description
If there is no mechanism (e.g., e-mail list, patch server) to provide updates for an application that is already deployed, security flaws can never be addressed. Also, if there is no comprehensive vulnerability management process or policy for the systematic identification and mitigation of software vulnerabilities, security vulnerabilities may go unnoticed, unreported, or unmitigated.

STIG	Date
Application Security and Development STIG	2014-04-03

Details

Check Text ( C-17873r1_chk )
The Program Manager will: - Ensure users are provided with a means of obtaining updates for the application. - Ensure a mechanism is in place to notify users of security flaws, and to provide users with the availability of patches. - Ensure a comprehensive vulnerability management process, including systematic identification and mitigation of software vulnerabilities, is in place. Interview the application representative to determine if users are provided with a means of obtaining updates for the application. 1) If users are not provided with a means of obtaining updates for the application, it is a finding. 2) If updates are transmitted over a LAN, and is not IPv6 capable, it is a finding. Interview the application representative to determine if users are provided a mechanism to be notified of security flaws and the availability of patches. 3) If users are not provided security flaw and patch notifications for the application, it is a finding. 4) If security flaws and patch notifications are transmitted over a LAN, and is not IPv6 capable, it is a finding. Interview the application representative and determine if a vulnerability management process exists. 5) If no vulnerability management process or policy exists, it is a finding. Interview the application representative to determine maintenance is available for production applications. 6) If maintenance is not available for an application, it is a finding.

Check Text ( C-17873r1_chk )

The Program Manager will:
- Ensure users are provided with a means of obtaining updates for the application.
- Ensure a mechanism is in place to notify users of security
flaws, and to provide users with the availability of patches.
- Ensure a comprehensive vulnerability management process, including systematic identification and mitigation of software vulnerabilities, is in place.

Interview the application representative to determine if users are provided with a means of obtaining updates for the application.

1) If users are not provided with a means of obtaining updates for the application, it is a finding.

2) If updates are transmitted over a LAN, and is not IPv6 capable, it is a finding.

Interview the application representative to determine if users are provided a mechanism to be notified of security flaws and the availability of patches.

3) If users are not provided security flaw and patch notifications for the application, it is a finding.

4) If security flaws and patch notifications are transmitted over a LAN, and is not IPv6 capable, it is a finding.

Interview the application representative and determine if a vulnerability management process exists.

5) If no vulnerability management process or policy exists, it is a finding.

Interview the application representative to determine maintenance is available for production applications.

6) If maintenance is not available for an application, it is a finding.

Fix Text (F-16979r1_fix)
Provide a distribution mechanism for obtaining updates to the application.