UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The designer will ensure signed Category 1A and Category 2 mobile code signature is validated before executing.


Overview

Finding ID Version Rule ID IA Controls Severity
V-6161 APP3710 SV-6161r1_rule DCMC-1 Medium
Description
Untrusted mobile code may contain malware or malicious code and digital signatures provide a source of the content which is crucial to authentication and trust of the data.
STIG Date
Application Security and Development Checklist 2014-12-22

Details

Check Text ( C-3039r1_chk )
Ask the application representative and examine the documentation to determine if the application accepts file inputs via e-mail, ftp, file uploads or other automated mechanisms.

If the application does not accept file uploads, this check is not applicable.

If the application accepts inputs, investigate the process that is used to process the request. If the process could contain mobile code, a mechanism must exist to ensure that before mobile code is executed, its signature must be validated.

The following examples are intended to show determination of the finding:

Non-finding example: The application allows upload of data. The data file is parsed looking for specific pieces of information in an expected format. An application program in accordance with established business rules then processes the data. This situation would be not a finding.

Finding example: The application allows upload of data. The data file is sent directly to an execution module for processing. This example could include a .doc file that is sent directly to MS Word for processing. Using this example, if there was a process in place to ensure that the document was digitally signed and validated to be a DoD approved PKI certificate before processing, this would be not a finding.
Fix Text (F-17121r1_fix)
Verify mobile code before executing.