Check: APSC-DV-003236
Application Security and Development STIG:
APSC-DV-003236
(in versions v5 r3 through v5 r2)
Title
The application development team must provide an application incident response plan. (Cat II impact)
Discussion
An application incident response process is managed by the development team and should include a method for individuals to submit potential security vulnerabilities to the development or maintenance team. The plan should dictate what is to be done with the reported vulnerabilities. Reported vulnerabilities must be tracked throughout the process to ensure they are triaged, corrected, and tested. The corresponding update is released to the user community and the user community is notified of the availability of the application update. Without an established application incident management plan and process, discovered issues and vulnerabilities will go unreported. Vulnerabilities will not be triaged and managed, and there may be delays in corrective actions. Information on how to submit bug and vulnerability reports must also be included in the application design document or configuration guide. This requirement is meant to be applied when reviewing an application with the development team.
Check Content
If the application is a COTS application and the development team is not accessible to interview, this requirement is not applicable.

Interview the application development team members. Request and review the application incident response plan. Ensure the plan includes an implemented process that:

- Tracks reported vulnerabilities and bugs
- Confirms reported vulnerabilities and bugs
- Tracks remediation effort
- Notifies application users of available updates that address the reported issues

If the application incident response plan does not exist, or at a minimum does not implement the aforementioned processes, this is a finding.
Fix Text
The development team creates an application incident response plan documenting and establishing a process that at a minimum:

- Tracks reported vulnerabilities and bugs
- Confirms reported vulnerabilities and bugs
- Tracks remediation effort
- Notifies application users of available updates that address the reported issues
Additional Identifiers
Rule ID: SV-222657r879887_rule
Vulnerability ID: V-222657
Group Title: SRG-APP-000516
CCIs
| Number | Definition |
|---|---|
| CCI-003289 | The organization requires the developer of the information system, system component, or information system service to provide an incident response plan. |
Controls
| Number | Title |
|---|---|
| SA-15 (10) | Incident Response Plan |