UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The designer will ensure sensitive data held in memory is cryptographically protected when not in use, if required by the information owner, and classified data held in memory is always cryptographically protected when not in use.


Overview

Finding ID Version Rule ID IA Controls Severity
V-16792 APP3220 SV-17792r1_rule ECCR-1 ECCR-2 ECCR-3 Medium
Description
Sensitive or classified data in memory must be encrypted to protect data from the possibility of an attacker causing an application crash then analyzing a memory dump of the application for sensitive or classified information.
STIG Date
Application Security and Development Checklist 2013-07-16

Details

Check Text ( C-17780r1_chk )
If the application does not contain sensitive or classified information this check does not apply.

If the application is a COTS/GOTS product or is composed of only COTS/GOTS products with no custom code, this check does not apply unless the application is being reviewed by or in conjunction with the COTS/GOTS vendor in which case this check is applicable..

Ask the application representative to review global variables for the application. If the global variables contain sensitive information, ask the application representative if they are required to be encrypted by the data owner. If the data is required to be encrypted by the data owner, ask the application representative to demonstrate they are encrypted.

Note: The .Net Framework 2.0 and higher provides a SecureString class which can encrypt sensitive string values.

1) If sensitive or classified information is required to be encrypted by the data owner and global variables containing sensitive information are not encrypted, it is a finding.
Fix Text (F-17010r1_fix)
Encrypt sensitive and classified data in memory when not in use.