Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-16804 | APP3460 | SV-17804r1_rule | DCSQ-1 | High |
Description |
---|
Application access control decisions should be based on authentication of users. Resource names alone can be spoofed allowing access control mechanisms to be bypassed giving immediate access to the application. |
STIG | Date |
---|---|
Application Security and Development Checklist | 2014-01-07 |
Check Text ( C-17802r1_chk ) |
---|
Verify the application does not grant access solely based on a resource name (e.g., username, IP address, machine name). Also, verify a username with a blank password does not grant access to the application. 1) If authentication is granted based on a resource name only, it is a finding. |
Fix Text (F-17087r1_fix) |
---|
Implement authentication on systems requiring access control. |