Check: APSC-DV-003200
Application Security and Development STIG: APSC-DV-003200 (in versions v5 r3 through v4 r2)
Title
The changes to the application must be assessed for IA and accreditation impact prior to implementation. (Cat II impact)
Discussion
When changes are made to an application, either in the code or in the configuration of underlying components such as the OS or the web or application server, there is the potential for security vulnerabilities to be opened up on the system. IA assessment of proposed changes is necessary to verify security integrity is maintained within the application.
Check Content
Interview the application and system administrators and determine if changes to the application are assessed for IA impact prior to implementation. Review the CCB process documentation to ensure potential changes to the application are evaluated to determine impact. An informal group may be tasked with impact assessment of upcoming version changes. If IA impact analysis is not performed, this is a finding.
Fix Text
Review IA impact to the system prior to implementing changes.
Additional Identifiers
Rule ID: SV-222651r879887_rule
Vulnerability ID: V-222651
Group Title: SRG-APP-000516
CCIs
Number | Definition |
---|---|
CCI-000366 | The organization implements the security configuration settings. |
CCI-003173 | The organization requires the developer of the information system, system component, or information system service to perform unit, integration, system, and/or regression testing/evaluation at an organization-defined depth and coverage. |