
The designer will ensure validity periods are verified on all messages using WS-Security or SAML assertions.


Overview

Finding ID: V-19703
Version: APP3880
Rule ID: SV-21844r1_rule
IA Controls: IAIA-2
Severity: High
Description
When using WS-Security in SOAP messages, the application must check the validity of the timestamps, i.e. both the creation and the expiration times. Unvalidated timestamps may allow a replay event and provide immediate unauthorized access to the application; unauthorized access results in an immediate loss of confidentiality. This is rated High: any vulnerability associated with a DoD information system or system enclave whose exploitation will directly and immediately result in loss of confidentiality, availability, or integrity of the system or its associated data.
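The check the description calls for, written out as an added example (not part of the STIG or of any DoD tool): it parses the wsu:Timestamp in the wsse:Security header and the Conditions element of any SAML 2.0 assertion, and rejects the message when the validity window is missing, has not started, has ended, or is longer than a policy maximum. The envelope, the instants, the 30-second clock skew and the 5-minute maximum lifetime are constructed values; the function names are this example's own. It assumes the XML signature over the Timestamp and the Assertion has already been verified, since an unsigned validity period can simply be rewritten by the replayer.

```python
"""Validity-period checks for WS-Security Timestamps and SAML Conditions.

Added example; not taken from the STIG. Assumes the envelope was parsed safely
(e.g. via defusedxml) and that the signature covering the Timestamp and the
Assertion has already been verified before these checks run.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone, timedelta

# Real namespace URIs for SOAP 1.1, WS-Security 1.0 and SAML 2.0.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample envelope (hypothetical values): a Timestamp valid for five
# minutes plus a SAML assertion whose Conditions span 11:59 to 12:10 UTC.
SAMPLE_ENVELOPE = """<soap:Envelope xmlns:soap="{soap}" xmlns:wsse="{wsse}"
    xmlns:wsu="{wsu}" xmlns:saml="{saml}">
  <soap:Header>
    <wsse:Security>
      <wsu:Timestamp wsu:Id="TS-1">
        <wsu:Created>2024-06-01T12:00:00Z</wsu:Created>
        <wsu:Expires>2024-06-01T12:05:00Z</wsu:Expires>
      </wsu:Timestamp>
      <saml:Assertion ID="A-1" IssueInstant="2024-06-01T12:00:00Z" Version="2.0">
        <saml:Issuer>https://idp.example.test</saml:Issuer>
        <saml:Conditions NotBefore="2024-06-01T11:59:00Z" NotOnOrAfter="2024-06-01T12:10:00Z"/>
      </saml:Assertion>
    </wsse:Security>
  </soap:Header>
  <soap:Body><GetBalance xmlns="urn:example:bank"/></soap:Body>
</soap:Envelope>""".format(**NS)

# Constructed reference instants: a fresh request, and a replay half an hour later.
FRESH_NOW = datetime(2024, 6, 1, 12, 1, tzinfo=timezone.utc)
REPLAY_NOW = datetime(2024, 6, 1, 12, 30, tzinfo=timezone.utc)


def parse_utc(value):
    """Parse an xsd:dateTime expressed in UTC ('Z' suffix); anything else is rejected."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value.strip(), fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"unsupported dateTime: {value!r}")


def check_timestamp(root, now, skew, max_lifetime):
    """Findings for the wsu:Timestamp in the wsse:Security header (empty list = OK)."""
    ts = root.find("soap:Header/wsse:Security/wsu:Timestamp", NS)
    if ts is None:
        return ["no wsu:Timestamp in Security header"]
    created_el, expires_el = ts.find("wsu:Created", NS), ts.find("wsu:Expires", NS)
    if created_el is None or expires_el is None:
        return ["Timestamp must carry both Created and Expires"]
    created, expires = parse_utc(created_el.text), parse_utc(expires_el.text)
    findings = []
    if created > now + skew:                  # sender's clock is ahead, or a forged time
        findings.append("Timestamp Created is in the future")
    if expires <= now - skew:                 # the replay case from the description
        findings.append("Timestamp has expired")
    if expires <= created:
        findings.append("Timestamp Expires is not after Created")
    elif expires - created > max_lifetime:    # bound the window a captured message stays usable
        findings.append("Timestamp lifetime exceeds policy maximum")
    return findings


def check_saml_conditions(root, now, skew):
    """Findings for every saml:Assertion's Conditions (NotBefore inclusive, NotOnOrAfter exclusive)."""
    findings = []
    for a in root.findall(".//saml:Assertion", NS):
        aid = a.get("ID", "?")
        cond = a.find("saml:Conditions", NS)
        if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
            findings.append(f"assertion {aid}: Conditions NotBefore/NotOnOrAfter required")
            continue
        nb, noa = parse_utc(cond.get("NotBefore")), parse_utc(cond.get("NotOnOrAfter"))
        if now < nb - skew:
            findings.append(f"assertion {aid}: not yet valid")
        if now >= noa + skew:
            findings.append(f"assertion {aid}: expired")
    return findings


def validate_message(xml_text, now, skew=timedelta(seconds=30), max_lifetime=timedelta(minutes=5)):
    """Return (accepted, findings). Both checks run so the log shows every defect."""
    root = ET.fromstring(xml_text)
    findings = check_timestamp(root, now, skew, max_lifetime) + check_saml_conditions(root, now, skew)
    return (not findings, findings)


if __name__ == "__main__":
    print(validate_message(SAMPLE_ENVELOPE, FRESH_NOW))    # (True, [])
    print(validate_message(SAMPLE_ENVELOPE, REPLAY_NOW))   # (False, [... expired ...])
```

The skew tolerance exists because the sender's and receiver's clocks are never perfectly aligned, but it widens the replay window by the same amount, so keep it small and treat the maximum lifetime as a separate policy knob; a message that fails any check should be rejected before the body is dispatched, and the finding strings are what you would log for detection.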
STIG: Application Security and Development Checklist
Date: 2014-12-22

Details

Check Text ( C-24100r1_chk )
Ask the application representative for the design document. Review the design document for web services. Review the design document and verify validity periods are checked on all messages using WS-Security or SAML assertions.

1) If the design document does not exist, or does not indicate validity periods are checked on messages using WS-Security or SAML assertions, it is a finding.
Fix Text (F-23059r1_fix)
Design the application so that validity periods are verified on all WS-Security token profiles and SAML assertions.