
Application Security and Development Checklist

Findings (MAC I - Mission Critical Public)

Finding ID Severity Title
V-19687 High The IAO will ensure web servers are on logically separate network segments from the application and database servers if it is a tiered application.
V-19688 High The designer and the IAO will ensure physical operating system separation and physical application separation is employed between servers of different data types in the web tier of Increment 1/Phase 1 deployment of the DoD DMZ for Internet-facing applications.
V-16837 High The IAO will ensure the application is decommissioned when maintenance or support is no longer available.
V-16809 High The designer will ensure the application does not contain format string vulnerabilities.
V-16808 High The designer will ensure the application is not vulnerable to integer arithmetic issues.
V-16800 High The designer will ensure users’ accounts are locked after three consecutive unsuccessful logon attempts within one hour.
V-16804 High The designer will ensure the application does not rely solely on a resource name to control access to a resource.
V-16807 High The designer will ensure the application is not vulnerable to SQL Injection, uses prepared or parameterized statements, does not use concatenation or replacement to build SQL queries, and does not directly access the tables in a database.
V-16813 High The designer will ensure the application does not use hidden fields to control user access privileges or as a part of a security mechanism.
V-16810 High The designer will ensure the application does not allow command injection.
V-16811 High The designer will ensure the application does not have cross site scripting (XSS) vulnerabilities.
V-6129 High The designer will ensure the application using PKI validates certificates for expiration, confirms origin is from a DoD authorized CA, and verifies the certificate has not been revoked by CRL or OCSP, and CRL cache (if used) is updated at least daily.
V-19703 High The designer will ensure validity periods are verified on all messages using WS-Security or SAML assertions.
V-19702 High The designer will ensure when using WS-Security, messages use timestamps with creation and expiration times.
V-16795 High The designer will ensure the application does not display account passwords as clear text.
V-16797 High The designer will ensure the application stores account passwords in an approved encrypted format.
V-16796 High The designer will ensure the application transmits account passwords in an approved encrypted format.
V-21498 High The designer will ensure the application is not vulnerable to XML Injection.
V-6141 High The designer will ensure access control mechanisms exist to ensure data is accessed and changed only by authorized personnel.
V-22028 High The designer shall use the NotOnOrAfter condition when using the SubjectConfirmation element in a SAML assertion.
V-22029 High The designer shall use both the <NotBefore> and <NotOnOrAfter> elements or <OneTimeUse> element when using the <Conditions> element in a SAML assertion.
V-16848 High The IAO will ensure passwords generated for users are not predictable and comply with the organization's password policy.
V-6153 High The designer will ensure the application removes authentication credentials on client computers after a session terminates.
V-6156 High The designer will ensure the application does not contain embedded authentication data.
V-16787 High The designer will ensure the application follows the secure failure design principle.
V-16785 High The designer will ensure the application supports detection and/or prevention of communication session hijacking.
V-6164 High The designer will ensure the application validates all input.
V-6165 High The designer will ensure the application does not have buffer overflows, does not use functions known to be vulnerable to buffer overflows, and does not use signed values for memory allocation where permitted by the programming language.
V-19695 High The designer will ensure web services provide a mechanism for detecting resubmitted SOAP messages.
V-21519 High The Program Manager will ensure all products are supported by the vendor or the development team.
V-19689 Medium The designer will ensure web services are designed and implemented to recognize and react to the attack patterns associated with application-level DoS attacks.
V-16839 Medium The IAO will ensure protections against DoS attacks are implemented.
V-16834 Medium The IAO shall ensure if a DoD STIG or NSA guide is not available, a third-party product will be configured by the following in descending order as available: (1) commercially accepted practices, (2) independent testing results, or (3) vendor literature.
V-16835 Medium The IAO will ensure at least one application administrator has registered to receive update notifications, or security alerts, when automated alerts are available.
V-16836 Medium The IAO will ensure the system and installed applications have current patches, security updates, and configuration settings.
V-16830 Medium The Test Manager will ensure flaws found during a code review are tracked in a defect tracking system.
V-16831 Medium The IAO will ensure active vulnerability testing is performed.
V-16832 Medium The Test Manager will ensure security flaws are fixed or addressed in the project plan.
V-16833 Medium The IAO will ensure if an application is designated critical, the application is not hosted on a general purpose machine.
V-21500 Medium The designer will ensure the application does not have CSRF vulnerabilities.
V-16826 Medium The Test Manager will ensure test plans and procedures are created and executed prior to each release of the application or updates to system patches.
V-6198 Medium The Program Manager and IAO will ensure development systems, build systems, test systems, and all components comply with all appropriate DoD STIGs, NSA guides, and all applicable DoD policies. The Test Manager will ensure both client and server machines are STIG compliant.
V-6197 Medium The Program Manager will ensure a System Security Plan (SSP) is established to describe the technical, administrative, and procedural IA program and policies governing the DoD information system, and identifying all IA personnel and specific IA requirements and objectives.
V-16801 Medium The designer will ensure locked users’ accounts can only be unlocked by the application administrator.
V-16803 Medium The designer and IAO will ensure application resources are protected with permission sets which allow only an application administrator to modify application resource configuration files.
V-16802 Medium The designer will ensure the application provides a capability to automatically terminate a session and log out after a system defined session idle time limit is exceeded.
V-16806 Medium The designer will ensure the web application assigns the character set on all web pages.
V-16816 Medium The designer will ensure the application supports the creation of transaction logs for access and changes to the data.
V-16814 Medium The designer will ensure the application does not disclose unnecessary information to users.
V-16815 Medium The designer will ensure the application is not vulnerable to race conditions.
V-16812 Medium The designer will ensure the application has no canonical representation vulnerabilities.
V-16818 Medium The designer will ensure the application has a capability to display the user’s time and date of the last change in data content.
V-16819 Medium The designer will ensure development of new mobile code includes measures to mitigate the risks identified.
V-6127 Medium The designer will ensure applications requiring user authentication are PK-enabled and are designed and implemented to support hardware tokens (e.g., CAC for NIPRNet).
V-6128 Medium The designer and IAO will ensure PK-enabled applications are designed and implemented to use approved credentials authorized under the DoD PKI program.
V-19707 Medium The designer will ensure supporting application services and interfaces have been designed or upgraded for IPv6 transport.
V-19706 Medium The designer will ensure the application is compliant with all DoD IT Standards Registry (DISR) IPv6 profiles.
V-19705 Medium The designer shall ensure encrypted assertions, or equivalent confidentiality protections, are used when assertion data is passed through an intermediary and confidentiality of the assertion data is required while it passes through the intermediary.
V-19704 Medium The designer shall ensure each unique asserting party provides unique assertion ID references for each SAML assertion.
V-19701 Medium The designer will ensure SOAP messages requiring integrity sign the following message elements: Message ID, Service Request, Timestamp, and SAML Assertion (optionally included in messages).
V-19700 Medium The IAO will ensure that, if the UDDI registry contains sensitive information, read access to the UDDI registry is granted only to authenticated users.
V-19709 Medium The designer will ensure the application is compliant with the IPv6 addressing scheme as defined in RFC 1884.
V-19708 Medium The designer will ensure the application is compliant with IPv6 multicast addressing and features IPv6 network configuration options as defined in RFC 4038.
V-16799 Medium The designer will ensure the application installs with unnecessary accounts disabled, or deleted, by default.
V-16798 Medium The designer will ensure the application protects access to authentication data by restricting access to authorized users and services.
V-16790 Medium The designer will ensure the application does not connect to a database using administrative credentials or other privileged database accounts.
V-16793 Medium The designer will ensure the application properly clears or overwrites all memory blocks used to process sensitive data, if required by the information owner, and clears or overwrites all memory blocks used for classified data.
V-16792 Medium The designer will ensure sensitive data held in memory is cryptographically protected when not in use, if required by the information owner, and classified data held in memory is always cryptographically protected when not in use.
V-16794 Medium The designer will ensure the application uses mechanisms assuring the integrity of all transmitted information (including labels and security parameters).
V-6138 Medium The designer will ensure the application design includes audits on all access to need-to-know information and key application events.
V-6137 Medium The designer will ensure the application uses the Federal Information Processing Standard (FIPS) 140-2 validated cryptographic modules and random number generator if the application implements encryption, key exchange, digital signature, and hash functionality.
V-6130 Medium The designer will ensure the application has the capability to require account passwords that conform to DoD policy.
V-16789 Medium The designer will ensure private keys are accessible only to administrative users.
V-16773 Medium The Program Manager will provide an Application Configuration Guide to the application hosting providers to include a list of all potential hosting enclaves and connection rules and requirements.
V-22032 Medium The designer shall ensure if a OneTimeUse element is used in an assertion, there is only one used in the Conditions element portion of an assertion.
V-22031 Medium The designer shall ensure messages are encrypted when the SessionIndex is tied to privacy data.
V-22030 Medium The designer will ensure the asserting party uses FIPS approved random numbers in the generation of SessionIndex in the SAML element AuthnStatement.
V-6148 Medium The designer will ensure threat models are documented and reviewed for each application release and updated as required by design and functionality changes or new threats are discovered.
V-6149 Medium The designer will ensure the application does not contain source code that is never invoked during operation, except for software components and libraries from approved third-party products.
V-6143 Medium The designer will ensure the application executes with no more privileges than necessary for proper operation.
V-6140 Medium The designer and IAO will ensure the audit trail is readable only by the application and auditors and protected against modification and deletion by unauthorized individuals.
V-6144 Medium The designer will ensure the application provides a capability to limit the number of logon sessions per user and per application.
V-6145 Medium If the application contains classified data, the Program Manager will ensure a Security Classification Guide exists containing data elements and their classification.
V-16827 Medium The Test Manager will ensure test procedures are created and at least annually executed to ensure system initialization, shutdown, and aborts are configured to ensure the system remains in a secure state.
V-16779 Medium The Program Manager and designer will ensure the application is registered with the DoD Ports and Protocols Database.
V-16778 Medium The Program Manager will document and obtain DAA risk acceptance for all public domain, shareware, freeware, and other software products/libraries with both (1) no source code to review, repair, and extend, and (2) limited or no warranty, when such products are required for mission accomplishment.
V-16849 Medium The IAO will ensure the application's users do not use shared accounts.
V-16845 Medium The IAO will ensure procedures are in place to assure the appropriate physical and technical protection of the backup and restoration of the application.
V-16844 Medium The IAO will ensure back-up copies of the application software are stored in a fire-rated container and not collocated with operational software.
V-16847 Medium The IAO will ensure an account management process is implemented, verifying only authorized users can gain access to the application, and individual accounts designated as inactive, suspended, or terminated are promptly removed.
V-16846 Medium The IAO will ensure a disaster recovery plan exists in accordance with DoD policy based on the Mission Assurance Category (MAC).
V-16775 Medium The Program Manager will ensure the system has been assigned specific MAC and confidentiality levels.
V-16842 Medium The IAO will report all suspected violations of IA policies in accordance with DoD information system IA procedures.
V-6159 Medium The designer will ensure unsigned Category 1A mobile code is not used in the application in accordance with DoD policy.
V-6158 Medium The designer will ensure the application only embeds mobile code in e-mail which does not execute automatically when the user opens the e-mail body or attachment.
V-6151 Medium The IAO will ensure unnecessary services are disabled or removed.
V-6150 Medium The Designer will ensure the application does not store configuration and control files in the same directory as user data.
V-6152 Medium The designer will ensure the application is capable of displaying a customizable click-through banner at logon which prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating "OK."
V-6155 Medium The designer will ensure the application provides a capability to terminate a session and log out.
V-6154 Medium The designer will ensure the application is organized by functionality and roles to support the assignment of specific roles to specific application functions.
V-6157 Medium The designer will ensure the application does not contain invalid URL or path references.
V-16786 Medium The designer will ensure the application installs with unnecessary functionality disabled by default.
V-16784 Medium The designer will ensure the user interface services are physically or logically separated from data storage and management services.
V-16782 Medium The Program Manager will ensure a security incident response process for the application is established that defines reportable incidents and outlines a standard operating procedure for incident response to include Information Operations Condition (INFOCON).
V-16783 Medium The Program Manager will ensure procedures are implemented to assure physical handling and storage of information is in accordance with the data’s sensitivity.
V-16780 Medium The Program Manager will ensure all levels of program management, designers, developers, and testers receive the appropriate security training pertaining to their job function.
V-16781 Medium The Program Manager will ensure a vulnerability management process is in place to include ensuring a mechanism is in place to notify users, and users are provided with a means of obtaining security updates for the application.
V-16825 Medium The Test Manager will ensure the changes to the application are assessed for IA and accreditation impact prior to implementation.
V-16788 Medium The designer will ensure the application uses encryption to implement key exchange and authenticate endpoints prior to establishing a communication channel for key exchange.
V-47163 Medium The release manager must ensure application files are cryptographically hashed prior to deploying to DoD operational networks.
V-16777 Medium The Program Manager will ensure COTS IA and IA enabled products comply with NIAP/NSA endorsed protection profiles.
V-16823 Medium The Release Manager will establish a Configuration Control Board (CCB) that meets at least every release cycle for managing the CM process.
V-16822 Medium The Release Manager will develop an SCM plan describing the configuration control and change management process of objects developed and the roles and responsibilities of the organization.
V-6166 Medium The designer will ensure the application is not subject to error handling vulnerabilities.
V-6167 Medium The designer will ensure application initialization, shutdown, and aborts are designed to keep the application in a secure state.
V-6160 Medium The designer will ensure unsigned Category 2 mobile code executing in a constrained environment has no access to local system and network resources.
V-6161 Medium The designer will ensure signed Category 1A and Category 2 mobile code signature is validated before executing.
V-6162 Medium The designer will ensure uncategorized or emerging mobile code is not used in applications.
V-6163 Medium The Designer will ensure the application removes temporary storage of files and cookies when the application is terminated.
V-16850 Medium The IAO will ensure connections between the DoD enclave and the Internet or other public or commercial wide area networks require a DMZ.
V-6168 Medium The designer will ensure applications requiring server authentication are PK-enabled.
V-6169 Medium The Program Manager and Designer will ensure the use of new IPs, data services, and associated ports used by the application are submitted to the appropriate approving authority for that organization, which in turn are submitted through the DoD Ports, Protocols, and Services Management (DoD PPSM).
V-16776 Medium The Program Manager will ensure the development team follows a set of coding standards.
V-6173 Medium The IAO will ensure application audit trails are retained for at least 1 year for applications without SAMI data, and 5 years for applications including SAMI data.
V-6172 Medium The IAO will ensure data backup is performed at required intervals in accordance with DoD policy.
V-6171 Medium The IAO will ensure recovery procedures and technical system features exist so recovery is performed in a secure and verifiable manner. The IAO will document circumstances inhibiting a trusted recovery.
V-19699 Medium The IAO will ensure web service inquiries to UDDI provide read-only access to the registry to anonymous users.
V-19698 Medium The designer and IAO will ensure UDDI publishing is restricted to authenticated users.
V-16829 Medium The Test Manager will ensure a code review is performed before the application is released.
V-19691 Medium The designer will ensure web service design of critical functions is implemented using different algorithms to prevent similar attacks from forming a complete application level DoS.
V-19690 Medium The designer will ensure the web service design includes redundancy of critical functions.
V-19693 Medium The designer will ensure execution flow diagrams are created and used to mitigate deadlock and recursion issues.
V-19692 Medium The designer will ensure web services are designed to prioritize requests to increase availability of the system.
V-19694 Medium The IAO will ensure an XML firewall is deployed to protect web services.
V-19697 Medium The designer and IAO will ensure UDDI versions are used supporting digital signatures of registry entries.
V-19696 Medium The designer and IAO will ensure digital signatures exist on UDDI registry entries to verify the publisher.
V-7013 Medium The designer will create and update the Design Document for each release of the application.
V-16838 Low Procedures are not in place to notify users when an application is decommissioned.
V-16817 Low The designer will ensure the application has a capability to notify the user of important login information.
V-16791 Low The designer will ensure transaction based applications implement transaction rollback and transaction journaling.
V-6139 Low The designer will ensure the application has a capability to notify an administrator when audit logs are nearing capacity as specified in the system documentation.
V-6132 Low The IAO will ensure all user accounts are disabled which are authorized to have access to the application but have not authenticated within the past 35 days.
V-16841 Low The IAO will review audit trails periodically based on system documentation recommendations or immediately upon system security events.
V-16840 Low The IAO will ensure the system alerts an administrator when low resource conditions are encountered.
V-16824 Low The Test Manager will ensure at least one tester is designated to test for security flaws in addition to functional testing.
V-16820 Low The Release Manager will ensure the access privileges to the configuration management (CM) repository are reviewed every 3 months.
V-6170 Low The Program Manager and designer will ensure any IA, or IA enabled, products used by the application are NIAP approved or in the NIAP approval process.
V-16828 Low The Test Manager will ensure code coverage statistics are maintained for each release of the application.