Check: APSC-DV-003210
Application Security and Development STIG: APSC-DV-003210 (in versions v5 r3 through v4 r2)
Title
Security flaws must be fixed or addressed in the project plan. (Cat II impact)
Discussion
This requirement is meant to apply to developers or organizations that are doing application development work. Application development efforts include the creation of a project plan to track and organize the development work. If security flaws are not tracked within the project plan, it is possible the flaws will be overlooked and included in a release. Tracking flaws in the project plan will help identify code elements to be changed as well as the requested change.
Check Content
This requirement is meant to apply to developers or organizations that are doing application development work. If the organization managing the application is not performing or managing the development of the application, the requirement is not applicable. Ask the application representative to demonstrate how security flaws are integrated into the project plan. If security flaws are not addressed in the project plan, or there is no process for entering security flaws into the project plan, this is a finding.
Fix Text
Address security flaws within a project plan to ensure they are tracked and addressed by management.
Additional Identifiers
Rule ID: SV-222652r879887_rule
Vulnerability ID: V-222652
Group Title: SRG-APP-000516
Expert Comments
CCIs
Number | Definition
---|---
CCI-000366 | The organization implements the security configuration settings.
CCI-003178 | The organization requires the developer of the information system, system component, or information system service to correct flaws identified during security testing/evaluation.