The CA API Gateway must generate error messages that provide the information necessary for corrective actions without revealing information that could be exploited by adversaries.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-71387 | CAGW-GW-000490 | SV-86011r1_rule | Medium |
| Description |
|---|
| Providing too much information in error messages risks compromising the data and security of the application and system. Organizations must carefully consider the structure/content of error messages. The required information within error messages will vary based on the protocol and error condition. Information that could be exploited by adversaries includes, for example, ICMP messages that reveal the use of firewalls or access-control lists. The CA API Gateway must include within the Registered Services Policies customized error responses revealing only the necessary information as required by the organization. |
| STIG | Date |
|---|---|
| CA API Gateway ALG Security Technical Implementation Guide | 2017-04-07 |
Details
| Check Text ( C-71787r1_chk ) |
|---|
| Open the CA API Gateway - Policy Manager and double-click all Registered Services that require a customized error response, revealing only the necessary information about an error. Verify the "Customize Error Response" Assertion is included in the policy and placed in accordance with organizational requirements. If it is not, this is a finding. |
| Fix Text (F-77705r1_fix) |
|---|
| Open the CA API Gateway - Policy Manager and double-click each of the Registered Services that require a customized error response and did not include a "Customize Error Response" Assertion. Add the "Customize Error Response" Assertion to the policy, placing and configuring it in accordance with organizational requirements. |