Check: APSC-DV-002995
Application Security and Development STIG:
APSC-DV-002995
(in versions v5 r3 through v4 r2)
Title
The Configuration Management (CM) repository must be properly patched and STIG compliant. (Cat II impact)
Discussion
A Configuration Management (CM) repository is used to manage application code versions and to securely store application code. Failure to properly apply security patches and secure the software Configuration Management system could affect the confidentiality and integrity of the application source-code. Compromise of the Configuration Management system could lead to unauthorized changes to applications including the addition of malware, root kits, back doors, logic bombs or other malicious functions into valid application code. This requirement is intended to be applied to application developers or organizations responsible for code management or who have and operate an application CM repository.
Check Content
Review the application system documentation and interview the application administrator. Identify if the STIG is being applied to application developers or organizations responsible for code management or who have and operate an application CM repository. If this is not the case, the requirement is not applicable. Review CM patch management processes and procedures. Have the system and CM admins demonstrate their patch management processes and verify the system has the latest security patches applied. Review the ATO documentation and verify the system that operates the CM repository software has had all relevant STIGs applied. If CM repository is not at the latest security patch level and is not operating on a STIG compliant system, this is a finding.
Fix Text
Patch the CM system when new security patches are made available and apply the relevant STIGs.
Additional Identifiers
Rule ID: SV-222630r879887_rule
Vulnerability ID: V-222630
Group Title: SRG-APP-000516
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
CCI-001795 |
The organization implements a configuration management plan for the information system that establishes a process for managing the configuration of the configuration items. |