
The application server must validate the integrity of security attributes exchanged between systems.


Overview

Finding ID: V-35368
Version: SRG-APP-000204-AS-000144
Rule ID: SV-46655r1_rule
IA Controls:
Severity: Medium
Description
Application servers provide a capability to exchange data between multiple web service hops. In application server terms, this is referred to as message layer security. While transport layer security ensures data security between two points, message layer security is built into the message itself and provides security across multiple hops. When data is exchanged between information systems, the integrity of that data needs to be validated. Application servers must be able to validate the integrity of data messages. This is accomplished by cryptographic means such as cryptographic signatures and data signing.
STIG Date
Application Server Security Requirements Guide 2013-01-08

Details

Check Text (C-43730r1_chk)
Review AS documentation to validate the AS is capable of cryptographically signing the messages that are exchanged between other AS systems. If the AS is not configured to meet this requirement, this is a finding.
Fix Text (F-39912r1_fix)
Configure the AS to cryptographically sign messages when specified by application design or policy.
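
Illustration of the message-layer integrity the Description refers to (an added example, not part of the STIG or of any application server product): the originator binds the security attributes to the message body with one integrity tag, and the final receiver verifies it after intermediate hops. HMAC-SHA256 with a pre-shared key stands in for a digital signature so the code runs with the Python standard library only; the key, attribute names and hop functions are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption); a real deployment would use a managed
# key or an asymmetric signing key, never a literal in source.
DEMO_KEY = b"constructed-demo-key-not-for-production"

def _canonical(attributes: dict, body: str) -> bytes:
    """Serialize attributes and body deterministically so both ends tag the same bytes."""
    return json.dumps({"attributes": attributes, "body": body},
                      sort_keys=True, separators=(",", ":")).encode("utf-8")

def sign_message(attributes: dict, body: str, key: bytes) -> dict:
    """Originator: bind the security attributes to the body with one integrity tag."""
    tag = hmac.new(key, _canonical(attributes, body), hashlib.sha256).hexdigest()
    return {"attributes": attributes, "body": body, "tag": tag}

def verify_message(envelope: dict, key: bytes) -> bool:
    """Final receiver: recompute the tag; reject missing fields or any mismatch."""
    try:
        expected = hmac.new(key, _canonical(envelope["attributes"], envelope["body"]),
                            hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, str(envelope["tag"]))
    except (KeyError, TypeError):
        return False

def honest_hop(envelope: dict) -> dict:
    """Intermediate service that re-serializes and forwards the message unchanged."""
    return json.loads(json.dumps(envelope))

def altering_hop(envelope: dict) -> dict:
    """Intermediate service that changes a security attribute in transit."""
    changed = json.loads(json.dumps(envelope))
    changed["attributes"]["classification"] = "public"
    return changed

def demo() -> dict:
    sent = sign_message({"classification": "restricted", "originator": "as-1"},
                        "transfer record 42", DEMO_KEY)
    return {
        "two_honest_hops": verify_message(honest_hop(honest_hop(sent)), DEMO_KEY),
        "attribute_altered": verify_message(honest_hop(altering_hop(sent)), DEMO_KEY),
        "tag_stripped": verify_message({k: v for k, v in sent.items() if k != "tag"}, DEMO_KEY),
    }

if __name__ == "__main__":
    print(demo())
```

Transport layer security on each hop would not catch the altered attribute, because the intermediate service is itself an endpoint of both connections; only the tag carried inside the message does.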