UCF STIG Viewer Logo

The application must not be subject to error handling vulnerabilities.


Overview

Finding ID Version Rule ID IA Controls Severity
V-70391 APSC-DV-003235 SV-85013r1_rule Medium
Description
Error handling is the failure to check the return values of functions or catch top level exceptions within a program. Improper error handling in an application can lead to an application failure or possibly result in the application entering an insecure state. The primary way to detect error handling vulnerabilities is to perform code reviews. If a manual code review cannot be performed, static code analysis tools should be employed in conjunction with tests to help force the error conditions by specifying invalid input (such as fuzzed data and malformed filenames) and by using different accounts to run the application. These tests may give indications of vulnerability, but they are not comprehensive. In order to minimize error handling errors, ensure proper return code and exception handling is implemented throughout the application.
STIG Date
Application Security and Development Security Technical Implementation Guide 2018-04-03

Details

Check Text ( C-70845r1_chk )
Review the application documentation, code review reports and the results from static code analysis tools.

Identify the most recent security scans and code analysis testing conducted. Verify testing configuration includes tests for error handling issues.

Check test results for identified error handling vulnerabilities within the application.

If the test results indicate the existence of error handling vulnerabilities and no remediation evidence is presented, this is a finding.

If no test results are available for review, this is a finding.
Fix Text (F-76627r1_fix)
Ensure proper return code and exception handling is implemented throughout the application.