Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-35368 | SRG-APP-000204-AS-000144 | SV-46655r1_rule | | Medium |
Description |
---|
Application servers provide a capability to exchange data between multiple web service hops. In application server terms, this is referred to as message layer security. While transport layer security ensures data security between two points, message layer security is built into the message itself and provides security across multiple hops. When data is exchanged between information systems, the integrity of that data needs to be validated. Application servers must be able to validate the integrity of data messages. This is accomplished through cryptographic means such as cryptographic signatures and data signing. |
STIG | Date |
---|---|
Application Server Security Requirements Guide | 2013-01-08 |
Check Text (C-43730r1_chk) |
---|
Review the application server (AS) documentation to validate that the AS is capable of cryptographically signing the messages it exchanges with other AS systems. If the AS is not configured to meet this requirement, this is a finding. |
Fix Text (F-39912r1_fix) |
---|
Configure the AS to cryptographically sign messages when specified by application design or policy. |