Check: APSC-DV-003170
Application Security and Development STIG: APSC-DV-003170
(in versions v5 r3 through v4 r2)
Title
An application code review must be performed on the application. (Cat II impact)
Discussion
A code review is a systematic evaluation of computer source code conducted for the purpose of identifying and remediating security flaws in the software. This requirement is meant to apply to developers or organizations that are doing application development work and have the responsibility for maintaining the application source code.

Examples of security flaws include but are not limited to:
- format string exploits
- memory leaks
- buffer overflows
- race conditions
- SQL injection
- dead/unused/commented code
- input validation exploits

The code review is conducted during the application development phase; this allows discovered security issues to be corrected prior to release. Code reviews performed after the development phase must eventually go back to development for correction, so conducting the code review during development is the logical and preferred action.

Automated code review tools are to be used whenever reviewing application source code. These tools are often incorporated into Integrated Development Environments (IDEs) so code reviews can be conducted during all stages of the development life cycle. Periodically reviewing code during the development phase makes the transition to a production environment easier, as flaws are continually identified and addressed during development rather than en masse at the end of the development effort.

Code review processes and the tools used to conduct the code review analysis will vary depending upon the application architecture and the development languages used. In addition to automated testing, manual code reviews may also be used to validate or augment automated code review results. Larger projects will have a large code base and will require the use of automated code review tools in order to achieve complete code review coverage.
A manual code review may consist of a peer review wherein other programmers on the team manually examine source code and automated code review results for known flaws that introduce security bugs into the application. As with any testing, there is no single best approach and the tests must be tailored to the application architecture. Use of automated tools along with manual review of code and testing results is considered a best practice when conducting code reviews. This method is the most likely way to ensure the maximum number of errors are caught and addressed prior to implementing the application in a production environment.
Check Content
This requirement is meant to apply to developers or organizations that are doing the application development work and have the responsibility for maintaining the application source code. Otherwise, the requirement is not applicable.

Review the system documentation and ask the application representative to describe the code review process or to provide documentation outlining the organization's code review process. If code reviews are conducted with software tools, have the application representative provide the latest code review report for the application.

Ensure the code review looks for all known security flaws, including but not limited to:
- format string exploits
- memory leaks
- buffer overflows
- race conditions
- SQL injection
- dead/unused/commented code
- input validation exploits

If the organization does not conduct code reviews on the application that attempt to identify all known and potential security issues, or if code review results are not available for review, this is a finding.
Fix Text
Conduct and document code reviews on the application during development and identify and remediate all known and potential security vulnerabilities prior to releasing the application.
Additional Identifiers
Rule ID: SV-222648r879887_rule
Vulnerability ID: V-222648
Group Title: SRG-APP-000516
CCIs
Number | Definition
---|---
CCI-000366 | The organization implements the security configuration settings.
CCI-003187 | The organization requires the developer of the information system, system component, or information system service to perform a manual code review of organization-defined specific code using organization-defined processes, procedures, and/or techniques.