Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-19703 | APP3880 | SV-21844r1_rule | IAIA-2 | High |
Description |
---|
When using WS-Security in SOAP messages, the application should check the validity of the timestamps with creation and expiration times. Unvalidated timestamps may lead to a replay event and provide immediate unauthorized access of the application. Unauthorized access results in an immediate loss of confidentiality. Any vulnerability associated with a DoD Information system or system enclave, the exploitation of which, by a risk factor, will directly and immediately result in loss of Confidentiality, Availability or Integrity of the system associated data. |
STIG | Date |
---|---|
Application Security and Development Checklist | 2014-04-03 |
Check Text ( C-24100r1_chk ) |
---|
Ask the application representative for the design document. Review the design document for web services. Review the design document and verify validity periods are checked on all messages using WS-Security or SAML assertions. 1) If the design document does not exist, or does not indicate validity periods are checked on messages using WS-Security or SAML assertions, it is a finding. |
Fix Text (F-23059r1_fix) |
---|
Design the application to use validity periods are verified on all WS-Security token profiles and SAML Assertions |