
The designer will ensure when using WS-Security, messages use timestamps with creation and expiration times.


Overview

Finding ID: V-19702
Version: APP3870
Rule ID: SV-55089r1_rule
IA Controls: ECTM-2, IAIA-2
Severity: High
Description
The lack of timestamps could lead to the eventual replay of the message, leaving the application susceptible to replay events which may result in an immediate loss of confidentiality. Any vulnerability associated with a DoD Information system or system enclave, the exploitation of which, by a risk factor, will directly and immediately result in loss of Confidentiality, Availability or Integrity of the system associated data.
STIG Date
Application Security and Development Checklist 2014-12-22

Details

Check Text (C-24099r1_chk)
Examine the contents of a SOAP message that uses WS-Security. All messages should contain timestamps, sequence numbers, and an expiration.

1) If messages using WS-Security do not contain timestamps, sequence numbers, and an expiration, it is a finding.
Fix Text (F-23058r1_fix)
Design the application so that WS-Security messages use timestamps with creation and expiration times.
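
One way to automate the timestamp part of this check on a captured SOAP message, shown as an added example that is not part of the STIG text. The function names, the `MAX_SKEW` and `MAX_LIFETIME` limits, and the sample envelope are assumptions made for illustration; the sequence-number part of the check is not covered.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
MAX_SKEW = timedelta(minutes=5)       # assumed clock-skew allowance
MAX_LIFETIME = timedelta(minutes=10)  # assumed longest acceptable validity window
# Constructed sample envelope for illustration (not taken from the STIG)
SAMPLE = f"""<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
<s:Header><wsse:Security><wsu:Timestamp>
<wsu:Created>2014-12-22T10:00:00Z</wsu:Created><wsu:Expires>2014-12-22T10:05:00Z</wsu:Expires>
</wsu:Timestamp></wsse:Security></s:Header><s:Body/></s:Envelope>"""

def _parse_utc(text):
    # Accept xsd:dateTime with "Z" or an offset; reject zone-less values as ambiguous
    ts = datetime.fromisoformat(text.strip().replace("Z", "+00:00"))
    if ts.tzinfo is None:
        raise ValueError("timestamp has no timezone")
    return ts.astimezone(timezone.utc)

def check_timestamp(soap_xml, now=None):
    """Return a list of findings; an empty list means the timestamp passes."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(soap_xml)  # for untrusted input use a hardened parser (e.g. defusedxml)
    stamps = root.findall(f".//{{{WSSE}}}Security/{{{WSU}}}Timestamp")
    if len(stamps) != 1:
        return [f"expected exactly one wsu:Timestamp in wsse:Security, found {len(stamps)}"]
    findings, values = [], {}
    for name in ("Created", "Expires"):
        el = stamps[0].find(f"{{{WSU}}}{name}")
        if el is None or not (el.text or "").strip():
            findings.append(f"wsu:{name} is missing")
            continue
        try:
            values[name] = _parse_utc(el.text)
        except ValueError:
            findings.append(f"wsu:{name} is not a valid UTC dateTime")
    if len(values) < 2:
        return findings
    created, expires = values["Created"], values["Expires"]
    if expires <= created:
        findings.append("Expires is not after Created")
    if expires - created > MAX_LIFETIME:
        findings.append("validity window exceeds MAX_LIFETIME")
    if created > now + MAX_SKEW:
        findings.append("Created is in the future")
    if expires < now - MAX_SKEW:
        findings.append("message has expired")
    return findings
```

A passing result only has value against replay when the `wsu:Timestamp` element is covered by the message signature, which this example does not verify.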