The application server must verify digital signatures on software components and applications in process.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-35127	SRG-APP-000007-AS-000004	SV-46414r1_rule		Medium

Description
If the application does not maintain the data security attributes while it processes the data, there is a risk of data compromise. Encryption is utilized to assist in the maintenance of data security attributes. Encryption is also resource intensive and sometimes only a particular sub-component of a web services message or application may require encryption. The AS must be capable of verifying the digital signatures attached to any and all parts of messages and applications.

Description

If the application does not maintain the data security attributes while it processes the data, there is a risk of data compromise. Encryption is utilized to assist in the maintenance of data security attributes. Encryption is also resource intensive and sometimes only a particular sub-component of a web services message or application may require encryption. The AS must be capable of verifying the digital signatures attached to any and all parts of messages and applications.

STIG	Date
Application Server Security Requirements Guide	2013-01-08

Details

Check Text ( C-43515r1_chk )
Review system documentation to determine if the AS verifies the digital signatures attached to messages when those messages are processed. If these verifications are not performed, this is a finding.

Fix Text (F-39679r2_fix)
Configure the AS to verify digital signatures attached to messages and applications.