DATASHEET

DISA STIG Rule Enforcement

Application Security and Development Security Technical Implementation Guide

MAC-III Sensitive Version 5          
https://www.stigviewer.com/stig/application_security_and_development/

ENFORCEMENT FOR KW 2024.2

  

Total

C/C++

C#

Java

a

Total Number of Rules

286

286

286

286

b

Total Number of ‘Not Statically Enforceable’ Rules (Assisted/Unassisted)

8

8

8

8

c

Total Number of Enforceable Rules (a-b)

278

278

278

278

d

Total Number of Enforced Rules

51

36

22

46

e

Total Number of Unenforced Rules

227

242

256

232

f

Enforce Rules Percentage (d/c)

18%

13%

8%

17%

g

Unenforced Rules Percentage (e/c)

82%

87%

92%

83%

  

Total

C/C++

C#

Java

Severity High — Overview

     

a

Total Number of Rules

31

31

31

31

b

Total Number of ‘Not Statically Enforceable’ Rules (Assisted/Unassisted)

8

8

8

8

c

Total Number of Enforceable Rules (a-b)

23

23

23

23

d

Total Number of Enforced Rules

21

15

7

21

e

Total Number of Unenforced Rules

2

8

16

2

f

Enforce Rules Percentage (d/c)

91%

65%

30%

91%

g

Unenforced Rules Percentage (e/c)

9%

35%

70%

9%

Finding ID

Version ID

Title

C/C++

C#

Java

Severity High

     

V-222399

APSC-DV-000190

Messages protected with WS_Security must use time stamps with creation and expiration times.

NSE

NSE

NSE

V-222400

APSC-DV-000200

Validity periods must be verified on all application messages using WS-Security or SAML assertions.

NSE

NSE

NSE

V-222403

APSC-DV-000230

The application must use the NotOnOrAfter condition when using the SubjectConfirmation element in a SAML assertion.

NSE

NSE

NSE

V-222404

APSC-DV-000240

The application must use both the NotBefore and NotOnOrAfter elements or OneTimeUse element when using the Conditions element in a SAML assertion.

NSE

NSE

NSE

V-222425

APSC-DV-000460

The application must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

Yes

No

Yes

V-222430

APSC-DV-000510

The application must execute without excessive account permissions.

Yes

No

Yes

V-222432

APSC-DV-000530

The application must enforce the limit of three consecutive invalid logon attempts by a user during a 15 minute time period.

No

No

No

V-222522

APSC-DV-001540

The application must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).

No

No

Yes

V-222536

APSC-DV-001680

The application must enforce a minimum 15-character password length.

No

No

Yes

V-222542

APSC-DV-001740

The application must only store cryptographic representations of passwords.

Yes

Yes

Yes

V-222543

APSC-DV-001750

The application must transmit only cryptographically-protected passwords.

Yes

Yes

Yes

V-222550

APSC-DV-001810

The application, when utilizing PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.

No

No

Yes

V-222551

APSC-DV-001820

The application, when using PKI-based authentication, must enforce authorized access to the corresponding private key.

No

No

Yes

V-222554

APSC-DV-001850

The application must not display passwords/PINs as clear text.

No

No

Yes

V-222577

APSC-DV-002230

The application must not expose session IDs.

Yes

No

Yes

V-222578

APSC-DV-002240

The application must destroy the session ID value and/or cookie on logoff or browser close.

Yes

No

Yes

V-222585

APSC-DV-002310

The application must fail to a secure state if system initialization fails, shutdown fails, or aborts fail.

No

No

Yes

V-222596

APSC-DV-002500

The application must protect the confidentiality and integrity of transmitted information.

Yes

No

Yes

V-222601

APSC-DV-002485

The application must not store sensitive information in hidden fields.

No

No

No

V-222602

APSC-DV-002490

The application must protect from Cross-Site Scripting (XSS) vulnerabilities.

Yes

Yes

Yes

V-222604

APSC-DV-002510

The application must protect from command injection.

Yes

Yes

Yes

V-222607

APSC-DV-002540

The application must not be vulnerable to SQL Injection.

Yes

Yes

Yes

V-222608

APSC-DV-002490

The application must not be vulnerable to XML-oriented attacks.

Yes

No

Yes

V-222609

APSC-DV-002560

The application must not be subject to input handling vulnerabilities.

Yes

Yes

Yes

V-222612

APSC-DV-002590

The application must not be vulnerable to overflow attacks.

Yes

Yes

Yes

V-222620

APSC-DV-002890

Application web servers must be on a separate network segment from the application and database servers if it is a tiered application operating in the DoD DMZ.

NSE

NSE

NSE

V-222642

APSC-DV-003110

The application must not contain embedded authentication data.

Yes

No

Yes

V-222643

APSC-DV-003120

The application must have the capability to mark sensitive/classified output when required.

NSE

NSE

NSE

V-222658

APSC-DV-003240

All products must be supported by the vendor or the development team.

NSE

NSE

NSE

V-222659

APSC-DV-003250

The application must be decommissioned when maintenance or support is no longer available.

NSE

NSE

NSE

V-222662

APSC-DV-003280

Default passwords must be changed.

Yes

No

Yes

  

Total

C/C++

C#

Java

Severity Medium — Overview

     

a

Total Number of Rules

233

233

233

233

b

Total Number of ‘Not Statically Enforceable’ Rules (Assisted/Unassisted)

0

0

0

0

c

Total Number of Enforceable Rules (a-b)

233

233

233

233

d

Total Number of Enforced Rules

29

21

15

24

e

Total Number of Unenforced Rules

204

212

218

209

f

Enforce Rules Percentage (d/c)

12%

9%

7%

10%

g

Unenforced Rules Percentage (e/c)

88%

91%

93%

90%

Finding ID

Version ID

Title

C/C++

C#

Java

Severity Medium

     

V-222388

APSC-DV-000060

The application must clear temporary storage and cookies when the session is terminated.

No

No

Yes

V-222396

APSC-DV-000160

The application must implement DoD-approved encryption to protect the confidentiality of remote access sessions.

Yes

Yes

Yes

V-222397

APSC-DV-000170

The application must implement cryptographic mechanisms to protect the integrity of remote access sessions.

Yes

Yes

Yes

V-222427

APSC-DV-000480

The application must enforce approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies.

No

No

Yes

V-222444

APSC-DV-000650

The application must not write sensitive data into the application logs.

No

No

Yes

V-222501

APSC-DV-001290

The application must protect audit information from unauthorized modification.

No

No

Yes

V-222511

APSC-DV-001410

The application must enforce access restrictions associated with changes to application configuration.

Yes

No

No

V-222515

APSC-DV-001460

An application vulnerability assessment must be conducted.

No

No

Yes

V-222555

APSC-DV-001860

The application must use mechanisms meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.

Yes

Yes

Yes

V-222566

APSC-DV-001980

The application must terminate all sessions and network connections when non-local maintenance is completed.

Yes

Yes

No

V-222567

APSC-DV-001995

The application must not be vulnerable to race conditions.

Yes

No

Yes

V-222568

APSC-DV-002000

The application must terminate all network connections associated with a communications session at the end of the session.

Yes

Yes

Yes

V-254803

APSC-DV-002010

The application must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

Yes

Yes

Yes

V-222571

APSC-DV-002030

The application must utilize FIPS-validated cryptographic modules when generating cryptographic hashes.

Yes

Yes

Yes

V-222572

APSC-DV-002040

The application must utilize FIPS-validated cryptographic modules when protecting unclassified information that requires cryptographic protection.

Yes

Yes

Yes

V-222583

APSC-DV-002290

The application must use the Federal Information Processing Standard (FIPS) 140-2-validated cryptographic modules and random number generator if the application implements encryption, key exchange, digital signature, and hash functionality.

Yes

Yes

Yes

V-222589

APSC-DV-002350

The application must use appropriate cryptography in order to protect stored DoD information when required by the information owner or DoD policy.

Yes

Yes

Yes

V-222590

APSC-DV-002360

The application must isolate security functions from non-security functions.

No

No

Yes

V-222592

APSC-DV-002380

Applications must prevent unauthorized and unintended information transfer via shared system resources.

Yes

No

No

V-222594

APSC-DV-002400

The application must restrict the ability to launch Denial of Service (DoS) attacks against itself or other information systems.

Yes

Yes

Yes

V-222600

APSC-DV-002480

The application must not disclose unnecessary information to users.

No

No

Yes

V-222603

APSC-DV-002500

The application must protect from Cross-Site Request Forgery (CSRF) vulnerabilities.

No

Yes

Yes

V-222605

APSC-DV-002520

The application must protect from canonical representation vulnerabilities.

Yes

No

No

V-222606

APSC-DV-002530

The application must validate all input.

Yes

Yes

Yes

V-222625

APSC-DV-002950

Execution flow diagrams and design documents must be created to show how deadlock and recursion issues in web services are being mitigated.

Yes

Yes

Yes

V-222641

APSC-DV-003100

The application must use encryption to implement key exchange and authenticate endpoints prior to establishing a communication channel for key exchange.

Yes

Yes

Yes

V-222648

APSC-DV-003170

An application code review must be performed on the application.

Yes

No

No

V-222656

APSC-DV-003235

The application must not be subject to error handling vulnerabilities.

Yes

No

Yes

V-222667

APSC-DV-003320

Protections against DoS attacks must be implemented.

Yes

No

Yes

  

Total

C/C++

C#

Java

Severity Low — Overview

     

a

Total Number of Rules

22

22

22

22

b

Total Number of ‘Not Statically Enforceable’ Rules (Assisted/Unassisted)

0

0

0

0

c

Total Number of Enforceable Rules (a-b)

22

22

22

22

d

Total Number of Enforced Rules

1

0

0

1

e

Total Number of Unenforced Rules

21

22

22

21

f

Enforce Rules Percentage (d/c)

5%

0%

0%

5%

g

Unenforced Rules Percentage (e/c)

95%

100%

100%

95%

Finding ID

Version ID

Title

C/C++

C#

Java

Severity Low

     

V-222653

APSC-DV-003215

The application development team must follow a set of coding standards.

No

No

Yes