A process must exist to ensure changes to a production web server’s software or a production web server’s configurable settings are tested and documented before being implemented.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-23842	WEBPL138	SV-28788r1_rule	ECSD-1 ECSD-2	Medium

Description
This requirement only addresses the physical web server software (e.g., IIS, Apache, etc.) and web server software configuration changes. It is not related to web site application code, web content, or changes to the OS that are governed by other vulnerabilities or STIGs. A significant threat to the production web server comes from the implementation of untested changes, which may risk compromising existing security controls with regard to availability, integrity, and confidentiality. The requirement for formal testing should be driven by the completion of a risk and security impact assessment. Although all changes should be tested, a DoD component may determine that formal testing may not be necessary, based on the recommendation of the assessment. However, in those cases where an assessment clearly indicates risk, a formal testing process should exist. This process should be followed and documented.

Description

This requirement only addresses the physical web server software (e.g., IIS, Apache, etc.) and web server software configuration changes. It is not related to web site application code, web content, or changes to the OS that are governed by other vulnerabilities or STIGs. A significant threat to the production web server comes from the implementation of untested changes, which may risk compromising existing security controls with regard to availability, integrity, and confidentiality. The requirement for formal testing should be driven by the completion of a risk and security impact assessment. Although all changes should be tested, a DoD component may determine that formal testing may not be necessary, based on the recommendation of the assessment. However, in those cases where an assessment clearly indicates risk, a formal testing process should exist. This process should be followed and documented.

STIG	Date
Web Policy STIG	2011-10-03

Details

Check Text ( C-29326r1_chk )
When the web server software is going to be changed, updated, or patched, or when the web server software configurable settings are going to be changed, a process must exist to document, test, and receive approval for the change prior to its implementation on the production web server. This check focuses on the review, testing, documentation, and approval aspects of the change management process. Ask the SA, or a member of the Change Control Board (CCB), to show proof that a documented Change Management (CM) process exists to test changes to a production web server, prior to implementation. Key requirements of the process should include the following: 1. A documented security impact assessment. 2. The names of those individuals who completed the security impact assessment. 3. A plan developed to test the change. 4. The names of those individuals who tested the change. These individuals should not be the same individuals who designed the test plan. 5. An indication of what was being tested. 6. A description of how the test was performed. 7. A summation of the testing results. 8. An indication of testing success or failure. 9. An indication of any residual IA concerns. 10. The names of the approving authority that reviewed and accepted the testing results, including their commentary and/or their concerns. The provided proofs of the CM process should include the CM policy and those documents required by the policy. The policy should substantially address the elements listed above. If proof that the CM process does not substantially include the elements listed above, particularly with regard to testing, this is a finding.

Check Text ( C-29326r1_chk )

When the web server software is going to be changed, updated, or patched, or when the web server software configurable settings are going to be changed, a process must exist to document, test, and receive approval for the change prior to its implementation on the production web server.

This check focuses on the review, testing, documentation, and approval aspects of the change management process.

Ask the SA, or a member of the Change Control Board (CCB), to show proof that a documented Change Management (CM) process exists to test changes to a production web server, prior to implementation.

Key requirements of the process should include the following:
1. A documented security impact assessment.
2. The names of those individuals who completed the security impact assessment.
3. A plan developed to test the change.
4. The names of those individuals who tested the change. These individuals should not be the same individuals who designed the test plan.
5. An indication of what was being tested.
6. A description of how the test was performed.
7. A summation of the testing results.
8. An indication of testing success or failure.
9. An indication of any residual IA concerns.
10. The names of the approving authority that reviewed and accepted the testing results, including their commentary and/or their concerns.

The provided proofs of the CM process should include the CM policy and those documents required by the policy. The policy should substantially address the elements listed above.

If proof that the CM process does not substantially include the elements listed above, particularly with regard to testing, this is a finding.

Fix Text (F-26358r1_fix)
Include testing documentation in the CM process.