Check: APSC-DV-003236
Application Security and Development STIG:
APSC-DV-003236
(in versions v6 r1 through v4 r2)
Title
The application development team must provide an application incident response plan. (Cat II impact)
Discussion
An application incident response process is managed by the development team and should include a method for individuals to submit potential security vulnerabilities to the development or maintenance team. The plan should dictate what is to be done with the reported vulnerabilities. Reported vulnerabilities must be tracked throughout the process to ensure they are triaged, corrected, and tested. The corresponding update is released to the user community and the user community is notified of the availability of the application update. Without an established application incident management plan and process, discovered issues and vulnerabilities will go unreported. Vulnerabilities will not be triaged and managed, and there may be delays in corrective actions. Information on how to submit bug and vulnerability reports must also be included in the application design document or configuration guide. This requirement is meant to be applied when reviewing an application with the development team.
Check Content
If the application is a COTS application and the development team is not accessible to interview this requirement is not applicable. Interview the application development team members. Request and review the application incident response plan. Ensure the plan includes an implemented process that: - Tracks reported vulnerabilities and bugs - Confirms reported vulnerabilities and bugs - Tracks remediation effort - Notifies application users of available updates that address the reported issues. If the application incident response plan does not exist and at a minimum does not implement the aforementioned processes, this is a finding.
Fix Text
The development team creates an application incident response plan documenting and establishing a process that at a minimum: - Tracks reported vulnerabilities and bugs - Confirms reported vulnerabilities and bugs - Tracks remediation effort - Notifies application users of available updates that address the reported issues.
Additional Identifiers
Rule ID: SV-222657r961863_rule
Vulnerability ID: V-222657
Group Title: SRG-APP-000516
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000366 |
Implement the security configuration settings. |
| CCI-003289 |
Require the developer of the system, system component, or system service to provide an incident response plan. |