
The designer will ensure validity periods are verified on all messages using WS-Security or SAML assertions.


Overview

Finding ID: V-19703
Version: APP3880
Rule ID: SV-21844r1_rule
IA Controls: IAIA-2
Severity: High
Description
When using WS-Security in SOAP messages, the application should check the validity of the timestamps, including their creation and expiration times. Unvalidated timestamps may lead to a replay event and provide immediate unauthorized access to the application. Unauthorized access results in an immediate loss of confidentiality. A high-severity finding is any vulnerability associated with a DoD information system or system enclave, the exploitation of which will directly and immediately result in loss of confidentiality, availability, or integrity of the system or its associated data.
STIG: Application Security and Development Checklist
Date: 2014-12-22

Details

Check Text (C-24100r1_chk)
Ask the application representative for the design document. Review the design document for web services. Review the design document and verify validity periods are checked on all messages using WS-Security or SAML assertions.

1) If the design document does not exist, or does not indicate validity periods are checked on messages using WS-Security or SAML assertions, it is a finding.
Fix Text (F-23059r1_fix)
Design the application so that validity periods are verified on all WS-Security token profiles and SAML assertions.
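The check described above, as an added example that is not part of the STIG: a receiver-side validator that rejects a SOAP message unless every wsu:Timestamp (Created/Expires) and every SAML 2.0 Conditions element (NotBefore/NotOnOrAfter) it carries is currently valid. The 60-second clock skew allowance, the 5-minute maximum window and the sample message are assumptions chosen for illustration.

```python
import datetime as dt
import xml.etree.ElementTree as ET

# Clark-notation namespaces for the WS-Security utility schema and SAML 2.0 assertions.
WSU = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}"
SAML2 = "{urn:oasis:names:tc:SAML:2.0:assertion}"

def _parse_utc(value):
    """Parse an xsd:dateTime; only UTC values with a trailing 'Z' are accepted."""
    if not value.endswith("Z"):
        raise ValueError("timestamp must be UTC with trailing Z: %r" % value)
    return dt.datetime.fromisoformat(value[:-1]).replace(tzinfo=dt.timezone.utc)

def check_validity_periods(xml_text, now=None, skew=dt.timedelta(seconds=60),
                           max_lifetime=dt.timedelta(minutes=5)):
    """Return (ok, reason). ok only if the message carries at least one wsu:Timestamp or
    saml2:Conditions and every one is valid at 'now'. skew/max_lifetime are assumed policy values."""
    now = now or dt.datetime.now(dt.timezone.utc)
    root = ET.fromstring(xml_text)
    windows = []  # (label, not_before or None, not_on_or_after)
    for ts in root.iter(WSU + "Timestamp"):
        created, expires = ts.find(WSU + "Created"), ts.find(WSU + "Expires")
        if created is None or expires is None:
            return False, "wsu:Timestamp lacks Created or Expires"
        windows.append(("wsu:Timestamp", _parse_utc(created.text), _parse_utc(expires.text)))
    for cond in root.iter(SAML2 + "Conditions"):
        noa = cond.get("NotOnOrAfter")
        if noa is None:
            return False, "saml2:Conditions lacks NotOnOrAfter"
        nb = cond.get("NotBefore")  # optional in SAML; absence means no lower bound
        windows.append(("saml2:Conditions", _parse_utc(nb) if nb else None, _parse_utc(noa)))
    if not windows:
        return False, "no wsu:Timestamp or saml2:Conditions present"
    for label, start, end in windows:
        if start is not None and (end <= start or end - start > max_lifetime):
            return False, "%s: window is empty or longer than policy allows" % label
        if start is not None and now + skew < start:
            return False, "%s: not yet valid" % label
        if now - skew >= end:  # NotOnOrAfter/Expires are exclusive upper bounds
            return False, "%s: expired (replay risk)" % label
    return True, "all validity periods satisfied"

# Constructed sample message (not from the STIG): one Timestamp and one SAML assertion.
SAMPLE = (
    '<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><s:Header>'
    '<wsu:Timestamp><wsu:Created>2024-03-01T12:00:00Z</wsu:Created><wsu:Expires>2024-03-01T12:05:00Z</wsu:Expires></wsu:Timestamp>'
    '<saml2:Assertion><saml2:Conditions NotBefore="2024-03-01T11:59:00Z" NotOnOrAfter="2024-03-01T12:04:00Z"/></saml2:Assertion>'
    '</s:Header><s:Body/></s:Envelope>')
```

Note that the SAML window here expires a minute before the WS-Security timestamp, so a message presented at 12:04:30 with no skew allowance is refused on the assertion even though the SOAP timestamp is still good; both periods must be checked independently.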