Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-222630 | APSC-DV-002995 | SV-222630r508029_rule | Medium |
Description |
---|
A Configuration Management (CM) repository is used to manage application code versions and to securely store application code. Failure to properly apply security patches and secure the software Configuration Management system could affect the confidentiality and integrity of the application source-code. Compromise of the Configuration Management system could lead to unauthorized changes to applications including the addition of malware, root kits, back doors, logic bombs or other malicious functions into valid application code. This requirement is intended to be applied to application developers or organizations responsible for code management or who have and operate an application CM repository. |
STIG | Date |
---|---|
Application Security and Development Security Technical Implementation Guide | 2020-09-30 |
Check Text ( C-24300r493798_chk ) |
---|
Review the application system documentation and interview the application administrator. Identify if the STIG is being applied to application developers or organizations responsible for code management or who have and operate an application CM repository. If this is not the case, the requirement is not applicable. Review CM patch management processes and procedures. Have the system and CM admins demonstrate their patch management processes and verify the system has the latest security patches applied. Review the ATO documentation and verify the system that operates the CM repository software has had all relevant STIGs applied. If CM repository is not at the latest security patch level and is not operating on a STIG compliant system, this is a finding. |
Fix Text (F-24289r493799_fix) |
---|
Patch the CM system when new security patches are made available and apply the relevant STIGs. |