Change on a production web site is controlled.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-23839	WEBPL133	SV-28775r1_rule	DCPR-1	Medium

Description
One of the greatest potential threats to a production web server comes from the allowance of inappropriately controlled software change. All change and modification to production web sites must be controlled with respect to organizational policy or to a specific and approved local policy. The preferred mechanism to introduce approved new programs and CGI should be through an automated, auditable, and access controlled interface. This interface should have the ability to maintain software versions that will allow a rapid reversion to a known working copy of the software in the event of a problem. Both direct and un-auditable changes should be disallowed on production web sites. Exceptions to change management policy must be documented and approved by the IAO or higher authority.

Description

One of the greatest potential threats to a production web server comes from the allowance of inappropriately controlled software change. All change and modification to production web sites must be controlled with respect to organizational policy or to a specific and approved local policy. The preferred mechanism to introduce approved new programs and CGI should be through an automated, auditable, and access controlled interface. This interface should have the ability to maintain software versions that will allow a rapid reversion to a known working copy of the software in the event of a problem. Both direct and un-auditable changes should be disallowed on production web sites. Exceptions to change management policy must be documented and approved by the IAO or higher authority.

STIG	Date
Web Policy STIG	2011-10-03

Details

Check Text ( C-29222r1_chk )
The intent of this control is to manage software changes for web sites on a production web server and to have in place mechanisms that prevent unauthorized and uncontrolled implementation of application code and scripts. This control does not address change management from the perspective of code changes and reviews that take place by a development team at the development level. Only code and scripts that physically reside or will reside on the production web server are affected by this check. After a development team has gone through a change management process for application code, and approved code changes to a production application or script, what change management process is in place to actually deliver that code and implement it on a production web server? A process will exist to manage change from the point where code has been approved and is awaiting implementation to the point where it is actually implemented on the production web server. A fully automated change management solution that places approved code in an access controlled interim location, scans it for viruses, date and time stamps records of receipt, and maintains a record of an authorized ID or service that initiated the change is preferable and would meet the requirements of this check. A manual or semi-automated process incorporating the majority of the following elements would also meet the intent of this check. Such processes are as follows: 1. The code is placed in an interim location and scanned for viruses. 2. An audit entry, manual or automated, exists to date and time stamp the receipt of the code changes. This entry will also include the authorized ID, web service or program or individual, associated with the change process. 3. Access control mechanisms are placed on the interim location so that only authorized personnel, programs, or services may access or write to or read from that location. 4. The delivery of the code to the interim location is through a secured channel. 5. The delivery of the code from the interim location to the production web server is through a secure channel. 6. Direct implementation of code on the production web server by developers or code authors is prohibited. Only SAs, web administrators, or authorized and secured services or programs may implement the code on the production web server. If change management to the production web server is governed by an MOU or an SLA, the majority of the elements listed above must still be addressed within those documents. Assurances will be provided by the application owners to the hosting administration. These assurances will be made available to an authorized reviewer. If a majority of the elements listed above are not a part of the change management process, this is a finding. NOTE: The future direction of this requirement is to require that all elements must be satisfied and not just a majority.

Check Text ( C-29222r1_chk )

The intent of this control is to manage software changes for web sites on a production web server and to have in place mechanisms that prevent unauthorized and uncontrolled implementation of application code and scripts. This control does not address change management from the perspective of code changes and reviews that take place by a development team at the development level. Only code and scripts that physically reside or will reside on the production web server are affected by this check.

After a development team has gone through a change management process for application code, and approved code changes to a production application or script, what change management process is in place to actually deliver that code and implement it on a production web server?

A process will exist to manage change from the point where code has been approved and is awaiting implementation to the point where it is actually implemented on the production web server.

A fully automated change management solution that places approved code in an access controlled interim location, scans it for viruses, date and time stamps records of receipt, and maintains a record of an authorized ID or service that initiated the change is preferable and would meet the requirements of this check.

A manual or semi-automated process incorporating the majority of the following elements would also meet the intent of this check. Such processes are as follows:

1. The code is placed in an interim location and scanned for viruses.
2. An audit entry, manual or automated, exists to date and time stamp the receipt of the code changes. This entry will also include the authorized ID, web service or program or individual, associated with the change process.
3. Access control mechanisms are placed on the interim location so that only authorized personnel, programs, or services may access or write to or read from that location.
4. The delivery of the code to the interim location is through a secured channel.
5. The delivery of the code from the interim location to the production web server is through a secure channel.
6. Direct implementation of code on the production web server by developers or code authors is prohibited. Only SAs, web administrators, or authorized and secured services or programs may implement the code on the production web server.

If change management to the production web server is governed by an MOU or an SLA, the majority of the elements listed above must still be addressed within those documents. Assurances will be provided by the application owners to the hosting administration. These assurances will be made available to an authorized reviewer.

If a majority of the elements listed above are not a part of the change management process, this is a finding.

NOTE: The future direction of this requirement is to require that all elements must be satisfied and not just a majority.

Fix Text (F-26243r1_fix)
Ensure that a process is in place to control change on a production web site.