The designer will ensure unsigned Category 1A mobile code is not used in the application in accordance with DoD policy.


Overview

Finding ID: V-6159
Version: APP3700
Rule ID: SV-6159r1_rule
IA Controls: DCMC-1
Severity: Medium

Description
Use of untrusted Level 1 and 2 mobile code technologies can introduce security vulnerabilities and malicious code into the client system.

STIG: Application Security and Development Checklist
Date: 2014-12-22

Details

Check Text ( C-3037r1_chk )
The designer will ensure Category 1A mobile code used in an application is signed with a DoD-approved code-signing certificate.

The designer will ensure signed Category 1A mobile code used in an application is obtained from a trusted source and is designated as trusted.

The designer will ensure Category 1X mobile code is not used in applications.

The designer will ensure signed Category 2 mobile code used in an application is signed with a DoD-approved code signing certificate.

The designer will ensure Category 2 mobile code not executing in a constrained execution environment is obtained from a trusted source over an assured channel using at least one of the following measures:

Interview the application representative and examine the application documentation to determine if Category 1A or 2 mobile code is used.

The URL of the application must be added to the Trusted Sites zone. In the browser, open Tools, then Internet Options, then the Security tab. Select the Trusted Sites zone. Click the Sites button. Enter the URL into the text box below the "Add this site to this zone" message. Click Add. Click OK.

Note: Adding a URL to the Trusted Sites zone requires administrator privileges on a STIG-compliant workstation.

Next, test the application. This testing should include functional testing of all major components of the application. If mobile code is in use, the browser will prompt to download the control. At the download prompt, the browser will indicate that the code has been digitally signed.

1) If the code has not been signed or the application warns that a control cannot be invoked due to security settings, it is a finding.

2) If the code has not been signed with a DoD-approved PKI certificate, it is a finding.

Fix Text (F-17119r1_fix)
Sign Category 1 or Category 2 mobile code.
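
The two finding conditions in the check text can also be evaluated from a script once the control files are on disk. The following PowerShell is an added example, not part of the STIG: the function name Test-MobileCodeSignature, the file-extension list and the folder argument are assumptions, and the approved-root thumbprint is a placeholder to be filled from the approved DoD PKI roots.

```powershell
# Added example: evaluate the check's two finding conditions for files on disk.
param(
    [Parameter(Mandatory)] [string] $Path,                 # folder holding the controls under review (assumption)
    [string[]] $Extensions = @('.ocx', '.dll', '.exe'),    # assumed file types; adjust to the application
    [string[]] $ApprovedRootThumbprints = @('<APPROVED-DOD-ROOT-THUMBPRINT>')  # placeholder, not a real value
)

function Test-MobileCodeSignature {
    param([string] $File, [string[]] $ApprovedRoots)

    $sig = Get-AuthenticodeSignature -LiteralPath $File
    $row = [ordered]@{ File = $File; Status = $sig.Status; Signer = $null; Root = $null; Finding = 'None' }

    # Condition 1: unsigned, tampered (HashMismatch) or otherwise not valid.
    if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) {
        $row.Finding = '1: code is not signed or the signature is not valid'
        return [pscustomobject] $row
    }
    $row.Signer = $sig.SignerCertificate.Subject

    # Condition 2: walk the signer's chain and compare its root to the approved list.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # keeps the check usable offline
    [void] $chain.Build($sig.SignerCertificate)
    if ($chain.ChainElements.Count -eq 0) {
        $row.Finding = '2: no certificate chain could be built'
        return [pscustomobject] $row
    }
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $row.Root = $root.Subject
    if ($ApprovedRoots -notcontains $root.Thumbprint) {
        $row.Finding = '2: signer does not chain to an approved PKI root'
    }
    [pscustomobject] $row
}

# Report every candidate file, findings first.
Get-ChildItem -Path $Path -Recurse -File |
    Where-Object { $Extensions -contains $_.Extension } |
    ForEach-Object { Test-MobileCodeSignature -File $_.FullName -ApprovedRoots $ApprovedRootThumbprints } |
    Sort-Object Finding -Descending |
    Format-Table File, Status, Root, Finding -AutoSize
```

A file reported with Finding "None" has a valid Authenticode signature whose chain ends at one of the supplied roots; it does not replace the interview and functional test described in the check text.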