The application and the application client (e.g., web browser, C++ application, etc.) must be designed to work on a STIG compliant platform. Vulnerabilities are discovered frequently and security updates must be applied constantly and may not be reflected in the latest baseline of a secure image of the operating system. Any finding required to make the application client operate correctly will be documented in this check.
Conduct a review of the application and the application client platform using the SRR process, or utilize an up-to-date application/client platform SRR if one is available. Ensure the application client platform was included in the overall application SRR review. Ensure the SRR was completed after the most recent system updates or changes. If the client is Windows-based and the application uses either a browser interface or an MS Office product, a Desktop Application review must also be conducted.
1) If the review of the application client platform produces findings indicating that the application client will not operate correctly in a STIG compliant environment, it is a finding.
Ensure the application review includes test and build systems. All deployment, development, test, and build systems should be included in the application review to ensure the applicable DoD-approved or other acceptable security configuration documents have been applied to each of them.
2) If the application review does not include all deployment, development, test, and build systems, it is a finding.