UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The designer will ensure the application follows the secure failure design principle.


Overview

Finding ID Version Rule ID IA Controls Severity
V-16787 APP3130 SV-17787r1_rule DCSQ-1 High
Description
The secure design principle ensures the application follows a secure predictable path in the application code. If all possible code paths are not accounted for, the application may allow access to unauthorized users. Applications should perform checks on the validity of data, user permissions, and resource existence before performing a function. Secure failure is defined if a check fails for any reason, the application remains in a secure state.
STIG Date
Application Security and Development STIG 2014-04-03

Details

Check Text ( C-17772r1_chk )
Ask the application representative for code review results from the entire application or the documented code review process.

If the application is a COTS/GOTS product or is composed of only COTS/GOTS products with no custom code, this check does not apply unless the application is being reviewed by or in conjunction with the COTS/GOTS vendor in which case this check is applicable.

If the results are provided from a manual code review, the application representative will need to demonstrate how secure design principle vulnerabilities are identified during code reviews.

1) If the results are not provided or the application representative cannot demonstrate how manual code reviews are performed to identify secure design principle vulnerabilities, this is a CAT I finding.

2) If code analysis tools are used to perform a code review and errors have not been fixed, this is a CAT II finding.
Fix Text (F-16995r1_fix)
Design and code the application so the secure design principle is followed.