The Designer will ensure the application does not store configuration and control files in the same directory as user data.


Overview

Finding ID: V-6150
Version: APP3060
Rule ID: SV-6150r1_rule
IA Controls: DCPA-1
Severity: Medium
Description
Application code and data have two very different sets of security requirements for authentication and authorization, especially for file access. Without proper authentication and authorization, existing code can potentially be changed. These changes in code can lead to a Denial of Service (DoS) attack or allow malicious code to be placed within the application. In addition, collocating application data and code complicates many issues such as backup, recovery, directory access privileges, and upgrades.
STIG Date
Application Security and Development Checklist 2014-12-22

Details

Check Text (C-3055r1_chk)
Ask the application representative or examine the application documentation to determine the location of the application code and data. Examine the directory where the application code is located.

1) If the application data is located in the same directory as the code, this is a finding.
Fix Text (F-16988r1_fix)
Separate the application data into a different directory than the application code.
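
One way to automate the directory comparison in the check text once the code and data locations are known (an added example, not part of the STIG). The function name `check_app3060` and the directory layout are assumptions, and the `nested` result goes beyond the check text, which only names the same-directory case.

```python
import os
import tempfile


def check_app3060(code_dir, data_dir):
    """Classify the relationship between the code and data directories.

    'finding'  - both paths resolve to the same directory (the APP3060 finding)
    'nested'   - one directory lies inside the other; not a finding under the
                 check text, reported here only for reviewer attention
    'separate' - distinct, non-nested directories
    """
    # Resolve symlinks and '..' so aliases of one directory compare equal.
    code = os.path.realpath(code_dir)
    data = os.path.realpath(data_dir)
    for path in (code, data):
        if not os.path.isdir(path):
            raise NotADirectoryError(path)
    # samefile compares device and inode numbers rather than path strings.
    if os.path.samefile(code, data):
        return "finding"
    if os.path.commonpath([code, data]) in (code, data):
        return "nested"
    return "separate"


def demo():
    """Run the check against a constructed directory tree."""
    with tempfile.TemporaryDirectory() as root:
        code = os.path.join(root, "app", "bin")        # constructed layout
        inside = os.path.join(code, "userdata")
        apart = os.path.join(root, "srv", "appdata")
        for d in (code, inside, apart):
            os.makedirs(d)
        alias = os.path.join(root, "srv", "store")
        os.symlink(code, alias)                        # alias of the code directory
        return {
            "same path": check_app3060(code, code),
            "symlink alias": check_app3060(code, alias),
            "nested": check_app3060(code, inside),
            "separate": check_app3060(code, apart),
        }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

A plain string comparison of the two configured paths would report the symlink case as separate, which is why both paths are resolved before comparing.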