Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-6174 | APP6100 | SV-6174r1_rule | ECAN-1 | Medium |
**Description**

Production database exports allow export of active user account information. Such information can provide a simple target for password attacks outside the protections of the database. Not all application developers have a need to know for sensitive information such as HIPAA data, Privacy Act data, or classified data.
STIG | Date |
---|---|
Application Security and Development Checklist | 2014-04-03 |
**Check Text (C-3060r1_chk)**

Ask if any database exports from this database are imported to development databases. If no database exports exist, this check is not applicable.

If there are such exports, ask if policy and procedures are in place to require the modification of the production database account passwords after import into the development database.

1) If there are no policy and procedures in place to modify production database account passwords, it is a finding.

If there are such exports, ask if the production database includes data identified by the data owner as sensitive, such as financial, personnel, personal, HIPAA, Privacy Act, or classified data.

2) If any database exports include sensitive data and it is not modified or removed prior to or after import to the development database, it is a finding.
**Fix Text (F-4642r1_fix)**

Remove sensitive data from the production export.
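As an added illustration of the check and fix above (example code written for this page, not text from the STIG or any DISA tool), the following Python script sanitises a production export before it is loaded into a development database: it drops or masks the columns the data owner has classified as sensitive, invalidates every exported account credential so production passwords cannot be reused in development, and then verifies that nothing sensitive survived. The CSV layout, the column names, the classification table, the salt and the sample rows are all constructed assumptions; a real export would use the data owner's own classification.

```python
"""Sanitise a production database export before importing it into development.

Two controls from the check text are implemented:
  * exported account credentials must not survive the import: every password
    hash is replaced with a marker that no login attempt can match, so each
    development account must be given a new password
  * data the owner has classified as sensitive is removed or masked
All names, formats and sample data below are assumptions for this example.
"""
import csv
import hashlib
import io

# Assumed classification from the data owner: column -> treatment.
SENSITIVE_COLUMNS = {
    "ssn": "remove",           # Privacy Act data: drop the column entirely
    "diagnosis": "remove",     # HIPAA data: drop the column entirely
    "salary": "mask",          # financial data: keep the shape, destroy the value
    "email": "pseudonymise",   # personal data: stable token, not reversible
}
CREDENTIAL_COLUMNS = {"password_hash"}
# No real hashing scheme produces this string, so it can never verify a login.
INVALIDATED_CREDENTIAL = "!LOCKED-RESET-REQUIRED"

# Constructed sample export (not real data); the hashes are placeholders.
CONSTRUCTED_EXPORT = """user_id,username,password_hash,email,ssn,salary,diagnosis
1,alice,$2b$12$examplehashvalue,alice@example.com,123-45-6789,85000,asthma
2,bob,$2b$12$anotherexamplehash,bob@example.com,987-65-4321,92000,diabetes
"""


def _pseudonymise(value, salt):
    # Salted hash: the same input always maps to the same token, so foreign
    # keys on e-mail still join, but the token cannot be turned back into PII.
    return hashlib.sha256((salt + value).encode()).hexdigest()[:16]


def sanitise_export(csv_text, salt="dev-export-salt"):
    """Return (sanitised_csv_text, list_of_removed_columns)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    keep = [c for c in reader.fieldnames if SENSITIVE_COLUMNS.get(c) != "remove"]
    removed = [c for c in reader.fieldnames if c not in keep]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=keep, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        clean = {}
        for col in keep:
            val = row[col]
            if col in CREDENTIAL_COLUMNS:
                val = INVALIDATED_CREDENTIAL
            elif SENSITIVE_COLUMNS.get(col) == "mask":
                val = "0" * len(val)
            elif SENSITIVE_COLUMNS.get(col) == "pseudonymise":
                val = _pseudonymise(val, salt)
            clean[col] = val
        writer.writerow(clean)
    return out.getvalue(), removed


def verify_sanitised(sanitised_text, original_text):
    """Return a list of problems; an empty list means the export passed."""
    problems = []
    san = csv.DictReader(io.StringIO(sanitised_text))
    for col, treatment in SENSITIVE_COLUMNS.items():
        if treatment == "remove" and col in san.fieldnames:
            problems.append(f"column still present: {col}")
    for row in san:
        for col in CREDENTIAL_COLUMNS:
            if col in row and row[col] != INVALIDATED_CREDENTIAL:
                problems.append(f"live credential for user {row.get('username')}")
    # Any original sensitive or credential value surviving verbatim is a leak,
    # wherever it ended up in the file.
    for row in csv.DictReader(io.StringIO(original_text)):
        for col in list(SENSITIVE_COLUMNS) + list(CREDENTIAL_COLUMNS):
            val = row.get(col, "")
            if val and val in sanitised_text:
                problems.append(f"original {col} value survived sanitisation")
    return problems


if __name__ == "__main__":
    cleaned, dropped = sanitise_export(CONSTRUCTED_EXPORT)
    print("dropped columns:", dropped)
    print(cleaned)
    print("problems:", verify_sanitised(cleaned, CONSTRUCTED_EXPORT))
```

Running the verifier against the unsanitised export reports the retained columns, the live hashes and the surviving values, which is the condition items 1) and 2) of the check text treat as a finding; running it against the sanitised output reports nothing.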