Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-6142 | APP3240 | SV-6142r1_rule | ECRC-1 | Medium |
Description |
---|
DoD data may be compromised if applications do not protect residual data in objects when they are allocated to an unused state. Access authorizations to data should be revoked prior to initial assignment, allocation or reallocation to an unused state because subsequent use of the object could allow access to the residual data. |
STIG | Date |
---|---|
Application Security and Development Checklist | 2014-12-22 |
Check Text (C-2956r1_chk) |
---|
Ask the application representative for the design document. Review the design document to ensure the application handles objects so that no residual data exists when reusing objects. No information, including encrypted representations of information, produced by prior actions is available to any subsequent use of the object. There should be no residual data from the former object. Verify in the design document that objects which are reused within the application do not contain any residual information. 1) If the design document does not exist or does not address object reuse, it is a finding. |
Fix Text (F-17013r1_fix) |
---|
Revoke access authorizations to data prior to initial assignment, allocation, or reallocation to an unused state. |