
The designer will ensure sensitive data held in memory is cryptographically protected when not in use, if required by the information owner, and classified data held in memory is always cryptographically protected when not in use.


Overview

Finding ID: V-16792
Version: APP3220
Rule ID: SV-17792r1_rule
IA Controls: ECCR-1, ECCR-2, ECCR-3
Severity: Medium
Description
Sensitive or classified data in memory must be encrypted so that an attacker who causes an application crash and then analyzes the resulting memory dump cannot recover sensitive or classified information from it.
STIG: Application Security and Development Checklist
Date: 2014-12-22

Details

Check Text ( C-17780r1_chk )
If the application does not contain sensitive or classified information this check does not apply.

If the application is a COTS/GOTS product, or is composed only of COTS/GOTS products with no custom code, this check does not apply unless the application is being reviewed by or in conjunction with the COTS/GOTS vendor, in which case this check is applicable.

Ask the application representative to review global variables for the application. If the global variables contain sensitive information, ask the application representative if they are required to be encrypted by the data owner. If the data is required to be encrypted by the data owner, ask the application representative to demonstrate they are encrypted.

Note: The .NET Framework 2.0 and higher provides a SecureString class which keeps a string value encrypted in memory while it is held.

1) If sensitive or classified information is required to be encrypted by the data owner and global variables containing sensitive information are not encrypted, it is a finding.
Fix Text (F-17010r1_fix)
Encrypt sensitive and classified data in memory when not in use.
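As an added illustration of the Fix Text and the SecureString note above (example code written for this page, not part of the STIG), the following C# program holds a secret in a SecureString instead of a plain global string and decrypts it only for the moment it is actually used. It assumes the secret is typed at the console, since the page gives no value, and that the consumer of the plaintext is a hypothetical caller of UseSecret.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;

static class SecretHolder
{
    // Plain global string (the pattern the check flags): it sits unencrypted
    // in the managed heap until collected and is readable in a crash dump.
    // static string ApiKey = "...";

    // Encrypted while held; nothing on this page gives a value, so the
    // characters are read from the console at startup (constructed input).
    static readonly SecureString ApiKey = new SecureString();

    static void Main()
    {
        // Append one char at a time so the plaintext never exists as an
        // immutable managed string that the GC may leave lying around.
        ConsoleKeyInfo key;
        while ((key = Console.ReadKey(true)).Key != ConsoleKey.Enter)
            ApiKey.AppendChar(key.KeyChar);
        ApiKey.MakeReadOnly(); // later AppendChar/Clear calls throw

        int length = UseSecret(ApiKey);
        Console.WriteLine("secret length: " + length);
        ApiKey.Dispose(); // zeroes and frees the encrypted buffer
    }

    // Decrypts the secret only for the duration of this call and wipes every
    // plaintext copy before returning; returns only the length to the caller.
    static int UseSecret(SecureString secret)
    {
        IntPtr unmanaged = IntPtr.Zero;
        char[] plain = new char[secret.Length];
        try
        {
            unmanaged = Marshal.SecureStringToGlobalAllocUnicode(secret);
            Marshal.Copy(unmanaged, plain, 0, plain.Length);
            // ... hand 'plain' to the hypothetical consumer (e.g. a key-derivation API) ...
            return plain.Length;
        }
        finally
        {
            Array.Clear(plain, 0, plain.Length); // managed copy
            if (unmanaged != IntPtr.Zero)        // unmanaged copy: zero, then free
                Marshal.ZeroFreeGlobalAllocUnicode(unmanaged);
        }
    }
}
```

SecureString encrypts its buffer with DPAPI on Windows only; on other platforms .NET keeps the contents unencrypted, so this pattern satisfies the check only on Windows.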