UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Program Manager will ensure a vulnerability management process is in place to include ensuring a mechanism is in place to notify users, and users are provided with a means of obtaining security updates for the application.


Overview

Finding ID Version Rule ID IA Controls Severity
V-16781 APP2130 SV-17781r1_rule DCCT-1 VIVM-1 Medium
Description
If there is no mechanism (e.g., e-mail list, patch server) to provide updates for an application that is already deployed, security flaws can never be addressed. Also, if there is no comprehensive vulnerability management process or policy for the systematic identification and mitigation of software vulnerabilities, security vulnerabilities may go unnoticed, unreported, or unmitigated.
STIG Date
Application Security and Development Checklist 2014-12-22

Details

Check Text ( C-17873r1_chk )
The Program Manager will:
- Ensure users are provided with a means of obtaining updates for the application.
- Ensure a mechanism is in place to notify users of security
flaws, and to provide users with the availability of patches.
- Ensure a comprehensive vulnerability management process, including systematic identification and mitigation of software vulnerabilities, is in place.

Interview the application representative to determine if users are provided with a means of obtaining updates for the application.

1) If users are not provided with a means of obtaining updates for the application, it is a finding.

2) If updates are transmitted over a LAN, and is not IPv6 capable, it is a finding.

Interview the application representative to determine if users are provided a mechanism to be notified of security flaws and the availability of patches.

3) If users are not provided security flaw and patch notifications for the application, it is a finding.

4) If security flaws and patch notifications are transmitted over a LAN, and is not IPv6 capable, it is a finding.

Interview the application representative and determine if a vulnerability management process exists.

5) If no vulnerability management process or policy exists, it is a finding.

Interview the application representative to determine maintenance is available for production applications.

6) If maintenance is not available for an application, it is a finding.
Fix Text (F-16979r1_fix)
Provide a distribution mechanism for obtaining updates to the application.