The designer will ensure uncategorized or emerging mobile code is not used in applications.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-6162	APP3730	SV-6162r1_rule	DCMC-1	Medium

Description
Mobile code does not require any traditional software acceptance testing or security validation. Mobile code needs to follow sound policy to maintain a reasonable level of trust. Mobile code that does not fall into existing policy cannot be trusted.

STIG	Date
Application Security and Development Checklist	2014-12-22

Details

Check Text ( C-3040r1_chk )
Ask the application representative for design documentation and examine the documentation to determine if additional mobile code types are being used that have not been defined in the mobile code policy. By definition, mobile code is software obtained from remote systems outside the enclave boundary, transferred across a network, and then downloaded and executed on a local system without explicit installation or execution by the recipient. In order to determine if an emerging technology is covered by the current policy, excerpts of the DoD Mobile Code Policy dated 23 October 2006, and policy memorandum are included so the reviewer knows what types of technologies are included, which he or she must know to determine what is outside the scope of the policy. The memorandum containing the Mobile Code Technologies Risk Category List is available here: https://powhatan.iiie.disa.mil/mcp/mobile-code-memo-2011Mar14.pdf Items covered by the policy include: • ActiveX • Windows Scripting Host when used as mobile code • Unix Shell Scripts when used as mobile code • DOS batch scripts when used as mobile code • Java applets and other Java mobile code • Visual Basic for Applications (VBA) • LotusScript • PerfectScript • Postscript • JavaScript (including Jscript and ECMAScript variants) • VBScript • Portable Document Format (PDF) • Shockwave/Flash • Rich Internet Applications Currently the following are not designated as mobile code by the policy: • XML • SMIL • QuickTime • VRML (exclusive of any associated Java applets or JavaScript scripts) The following are outside the scope of the DoD Mobile Code Policy: • Scripts and applets embedded in or linked to web pages and executed in the context of the web server. Examples of this are Java servlets, Java Server pages, CGI, Active Server Pages, CFML, PHP, SSI, server-side JavaScript, server-side LotusScript. • Local programs and command scripts • Distributed object-oriented programming systems (e.g., CORBA, DCOM). • Software patches, updates, including self-extracting updates - software updates that must be invoked explicitly by the user are outside the mobile code policy. Examples of technologies in this area include: Netscape SmartUpdate, Microsoft Windows Update, Netscape web browser plug-ins and Linux. If other types of mobile code technologies are present that are not covered by the policy, a written waiver must be granted by the CIO (allowing use of emerging mobile code technology). Also uncategorized mobile code must be submitted for approval. 1) If the application representative is unable to present the written waiver granted by the CIO, it is finding. 2) If the application representative provides acceptable written waiver granted by the CIO, it is not a finding.

Check Text ( C-3040r1_chk )

Ask the application representative for design documentation and examine the documentation to determine if additional mobile code types are being used that have not been defined in the mobile code policy.

By definition, mobile code is software obtained from remote systems outside the enclave boundary, transferred across a network, and then downloaded and executed on a local system without explicit installation or execution by the recipient.

In order to determine if an emerging technology is covered by the current policy, excerpts of the DoD Mobile Code Policy dated 23 October 2006, and policy memorandum are included so the reviewer knows what types of technologies are included, which he or she must know to determine what is outside the scope of the policy.

The memorandum containing the Mobile Code Technologies Risk Category List is available here:

https://powhatan.iiie.disa.mil/mcp/mobile-code-memo-2011Mar14.pdf

Items covered by the policy include:

• ActiveX
• Windows Scripting Host when used as mobile code
• Unix Shell Scripts when used as mobile code
• DOS batch scripts when used as mobile code
• Java applets and other Java mobile code
• Visual Basic for Applications (VBA)
• LotusScript
• PerfectScript
• Postscript
• JavaScript (including Jscript and ECMAScript variants)
• VBScript
• Portable Document Format (PDF)
• Shockwave/Flash
• Rich Internet Applications

Currently the following are not designated as mobile code by the policy:

• XML
• SMIL
• QuickTime
• VRML (exclusive of any associated Java applets or JavaScript scripts)

The following are outside the scope of the DoD Mobile Code Policy:

• Scripts and applets embedded in or linked to web pages and executed in the context of the web server. Examples of this are Java servlets, Java Server pages, CGI, Active Server Pages, CFML, PHP, SSI, server-side JavaScript, server-side LotusScript.
• Local programs and command scripts
• Distributed object-oriented programming systems (e.g., CORBA, DCOM).
• Software patches, updates, including self-extracting updates - software updates that must be invoked explicitly by the user are outside the mobile code policy. Examples of technologies in this area include: Netscape SmartUpdate, Microsoft Windows Update, Netscape web browser plug-ins and Linux.

If other types of mobile code technologies are present that are not covered by the policy, a written waiver must be granted by the CIO (allowing use of emerging mobile code technology). Also uncategorized mobile code must be submitted for approval.

1) If the application representative is unable to present the written waiver granted by the CIO, it is finding.

2) If the application representative provides acceptable written waiver granted by the CIO, it is not a finding.

Fix Text (F-4470r1_fix)
Remove uncategorized mobile code.