The designer will ensure the application does not rely solely on a resource name to control access to a resource.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-16804 | APP3460 | SV-17804r1_rule | DCSQ-1 | High |
| Description |
|---|
| Application access control decisions should be based on authentication of users. Resource names alone can be spoofed allowing access control mechanisms to be bypassed giving immediate access to the application. |
| STIG | Date |
|---|---|
| Application Security and Development Checklist | 2014-12-22 |
Details
| Check Text ( C-17802r1_chk ) |
|---|
| Verify the application does not grant access solely based on a resource name (e.g., username, IP address, machine name). Also, verify a username with a blank password does not grant access to the application. 1) If authentication is granted based on a resource name only, it is a finding. |
| Fix Text (F-17087r1_fix) |
|---|
| Implement authentication on systems requiring access control. |