The designer will ensure signed Category 1A and Category 2 mobile code signature is validated before executing.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-6161 | APP3710 | SV-6161r1_rule | DCMC-1 | Medium |
| Description |
|---|
| Untrusted mobile code may contain malware or malicious code and digital signatures provide a source of the content which is crucial to authentication and trust of the data. |
| STIG | Date |
|---|---|
| Application Security and Development Checklist | 2014-12-22 |
Details
| Check Text ( C-3039r1_chk ) |
|---|
| Ask the application representative and examine the documentation to determine if the application accepts file inputs via e-mail, ftp, file uploads or other automated mechanisms. If the application does not accept file uploads, this check is not applicable. If the application accepts inputs, investigate the process that is used to process the request. If the process could contain mobile code, a mechanism must exist to ensure that before mobile code is executed, its signature must be validated. The following examples are intended to show determination of the finding: Non-finding example: The application allows upload of data. The data file is parsed looking for specific pieces of information in an expected format. An application program in accordance with established business rules then processes the data. This situation would be not a finding. Finding example: The application allows upload of data. The data file is sent directly to an execution module for processing. This example could include a .doc file that is sent directly to MS Word for processing. Using this example, if there was a process in place to ensure that the document was digitally signed and validated to be a DoD approved PKI certificate before processing, this would be not a finding. |
| Fix Text (F-17121r1_fix) |
|---|
| Verify mobile code before executing. |