Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-19703 | APP3880 | SV-21844r1_rule | IAIA-2 | High |
Description |
---|
When WS-Security is used in SOAP messages, the application should check the validity of each message's timestamp, that is, its creation and expiration times. Unvalidated timestamps allow a captured message to be replayed and can grant immediate unauthorized access to the application. Unauthorized access results in an immediate loss of confidentiality. This finding is rated High: any vulnerability associated with a DoD information system or system enclave whose exploitation, by a risk factor, will directly and immediately result in loss of confidentiality, availability or integrity of the system's associated data. |
STIG | Date |
---|---|
Application Security and Development STIG | 2014-04-03 |
Check Text ( C-24100r1_chk ) |
---|
Ask the application representative for the design document and review its web services section. Verify that the design document indicates validity periods are checked on all messages using WS-Security or SAML assertions. 1) If the design document does not exist, or does not indicate that validity periods are checked on messages using WS-Security or SAML assertions, it is a finding. |
Fix Text (F-23059r1_fix) |
---|
Design the application so that validity periods are verified on all WS-Security token profiles and SAML assertions. |