Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
SRG-APP-000516-MAPP-000040 | SRG-APP-000516-MAPP-000040 | SRG-APP-000516-MAPP-000040_rule | | Medium |
Description |
---|
Class 3 certificates are issued to individuals, organizations, servers, devices, and administrators for CAs and root authorities (RAs). Class 3 certificates undergo independent verification and checking of identity and authority, which is performed by the issuing CA. Networks and applications not using Class 3 certificates are vulnerable to a multitude of malicious attacks that would essentially allow unauthorized access to, and intrusion into, a network. Similarly, using approved PKI Class 3 certificates ensures malicious intruders do not take advantage of any network resource exposure that may occur as a result of non-standard practices and tools being applied. In applying this control, the use of approved PKI Class 3 certificates will assure authentication; message, data, and content integrity; and confidentiality through encryption. |
STIG | Date |
---|---|
Mobile Application Security Requirements Guide | 2014-07-22 |
Check Text ( C-SRG-APP-000516-MAPP-000040_chk ) |
---|
For mobile apps that are involved in the production, control, and distribution of asymmetric cryptographic keys, perform a documentation review to assess whether approved Class 3 certificates or prepositioned keying material are used by the app. The documentation review will also include assessing whether there is a JITC certification of the key management technology present in the app. If the documentation review is inconclusive, perform a dynamic program analysis to assess whether approved Class 3 certificates or prepositioned keying material are used by the app. If the dynamic program analysis could not be performed or the results were inconclusive, carry out a static program analysis to assess whether the app contains functional code able to execute the routines and functions that enable the app's use of approved Class 3 certificates or prepositioned keying material. If the documentation review, dynamic program analysis, and/or static program analysis reveal that the app is unable to use or does not use approved PKI Class 3 certificates or prepositioned keying material, this is a finding. |
Fix Text (F-SRG-APP-000516-MAPP-000040_fix) |
---|
Modify the mobile app code to ensure it uses approved Class 3 certificates or prepositioned keying material. |