UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The designer will ensure when using WS-Security, messages use timestamps with creation and expiration times.


Overview

Finding ID Version Rule ID IA Controls Severity
V-19702 APP3870 SV-55089r1_rule ECTM-2 IAIA-2 High
Description
The lack of timestamps could lead to the eventual replay of the message, leaving the application susceptible to replay events which may result in an immediate loss of confidentiality. Any vulnerability associated with a DoD Information system or system enclave, the exploitation of which, by a risk factor, will directly and immediately result in loss of Confidentiality, Availability or Integrity of the system associated data.
STIG Date
Application Security and Development Checklist 2014-12-22

Details

Check Text ( C-24099r1_chk )
Examine the contents of a SOAP message using WS Security, all messages should contain timestamps, sequence numbers, and expiration.

1) If messages using WS Security do not contain timestamps, sequence numbers, and an expiration, it is a finding.
Fix Text (F-23058r1_fix)
Design application using WS-Security messages to use timestamps with creation and expiration times.