The application server must prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate recognized and approved by the organization.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-204740 | SRG-APP-000131-AS-000002 | SV-204740r981678_rule | CCI-003992 | medium |
| Description | ||||
| Changes to any software components can have significant effects on the overall security of the application. Verifying software components have been digitally signed using a certificate recognized and approved by the organization ensures the software has not been tampered with and that it has been provided by a trusted vendor. Accordingly, patches, service packs, or application components must be signed with a certificate recognized and approved by the organization. Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The application should not have to verify the software again. This requirement does not mandate DOD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA. | ||||
| STIG | Date | |||
| Application Server Security Requirements Guide | 2025-02-11 | |||
Details
Check Text (C-204740r981678_chk)
Review system documentation to determine if the application server prevents the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate recognized and approved by the organization.
If the application server does not meet this requirement, this is a finding.
Fix Text (F-4860r981677_fix)
Configure the application server to prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate recognized and approved by the organization.