Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-16793 | APP3230 | SV-17793r1_rule | ECCR-1 ECCR-2 ECCR-3 | Medium |
Description |
---|
Sensitive and classified data in memory should be cleared or overwritten to protect data from the possibility of an attacker causing the application to crash and analyzing a memory dump of the application for sensitive information. |
STIG | Date |
---|---|
Application Security and Development Checklist | 2014-12-22 |
Check Text ( C-17781r1_chk ) |
---|
If the application does not contain sensitive or classified information this check is not applicable. If the application is a COTS/GOTS product or is composed of only COTS/GOTS products with no custom code, this check does not apply unless the application is being reviewed by or in conjunction with the COTS/GOTS vendor in which case this check is applicable. Ask the application representative to demonstrate how the application clears and releases memory blocks. Microsoft Visual C++ provides SecureZeroMemory that will not be optimized out of code for clearing sensitive and classified data. 1) If the application releases objects before clearing them, it is a finding. |
Fix Text (F-17011r1_fix) |
---|
Clear memory blocks used for storing sensitive and classified data, before release. |