Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-6168 | APP3300 | SV-6168r1_rule | IATS-1 IATS-2 | Medium |
Description |
---|
Applications not using PKI are at risk of containing many password vulnerabilities. PKI is the preferred method of authentication. |
STIG | Date |
---|---|
Application Security and Development Checklist | 2014-12-22 |
Check Text ( C-2944r1_chk ) |
---|
Ask the application SA or developer if the application enables clients to authenticate to the server or the application it is communicating with. The most common example of this type of authentication is a client validating a server's PKI certificate when initiating an SSL or IPsec connection. 1) If the SA or developer answers that this capability is not present, this is a finding. If the SA or developer states that the capability is present, validate this by logging on to each component that supports authentication of servers. For web applications, note cases in which the client browser issues a warning that the server's certificate is not valid. Reasons include: a trusted certificate authority did not issue the certificate; the certificate has expired; or the name on the certificate does not match the URL of the page being viewed. The client application should provide a function to allow or disallow the server access to the client application. The server must be set up with a certificate for identification. Determine if the application checks for server authentication before allowing the user to continue. The server's certificate should be checked by the user's web browser or client application. 2) If there is no server certificate or the client application does not validate the server certificate, it is a finding. |
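
The following Python is an added illustration, not part of the STIG text: it audits a client-side `ssl.SSLContext` against finding conditions 1) and 2) of the check above and maps OpenSSL's verification error codes onto the three warning reasons the check lists (untrusted issuer, expiry, name mismatch). The function names are mine; the numeric codes are OpenSSL's x509_vfy.h constants.

```python
"""Audit a client TLS setup against APP3300's two finding conditions (added example)."""
import socket
import ssl

# OpenSSL verification codes (x509_vfy.h) behind the three warnings the check lists.
REASONS = {
    10: "certificate has expired",
    18: "self-signed certificate: not issued by a trusted CA",
    19: "self-signed certificate in chain: not issued by a trusted CA",
    20: "issuer not in local trust store: not issued by a trusted CA",
    27: "certificate untrusted",
    62: "certificate name does not match the requested hostname/URL",
}

def describe_verify_failure(verify_code: int) -> str:
    """Map ssl.SSLCertVerificationError.verify_code onto the STIG's reason list."""
    return REASONS.get(verify_code, f"other verification failure (code {verify_code})")

def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the APP3300 finding conditions a client-side SSLContext triggers."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        # Server is never authenticated: the "capability is not present" case.
        findings.append("1) server certificate is never validated (verify_mode=CERT_NONE)")
    if not ctx.check_hostname:
        # Chain may be trusted, but the name/URL mismatch warning is suppressed.
        findings.append("2) certificate name is not checked against the hostname")
    return findings

def weak_context() -> ssl.SSLContext:
    """The pattern this finding flags: a client that accepts any server certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def compliant_context() -> ssl.SSLContext:
    """Trusted-CA chain, expiry and hostname checks are all enforced by the library."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    return ctx

def probe_server(host: str, ctx: ssl.SSLContext, port: int = 443) -> tuple:
    """Handshake with a live server; report the STIG reason if validation fails."""
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return ("validated", None)
    except ssl.SSLCertVerificationError as exc:
        return ("rejected", describe_verify_failure(exc.verify_code))
```

`probe_server` needs network access and is the only function that does; `audit_context` can be run against the contexts an application actually builds to evidence condition 2) without a live handshake.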
Fix Text (F-17019r1_fix) |
---|
Enable the application to use PKI for authentication. |