Check: APSC-DV-003310
Application Security and Development STIG:
APSC-DV-003310
(in versions v5 r3 through v4 r2)
Title
Production database exports must have database administration credentials and sensitive data removed before releasing the export. (Cat II impact)
Discussion
Production database exports are often used to populate development databases. Test and development environments do not typically have the same rigid security protections that production environments do. When production data is used in test and development, the production database exports will need to be scrubbed to prevent information like passwords and other sensitive data from becoming available to development and test staff that may not have a need to know. Sensitive data should not be included in database exports because of classification, privacy, and other types of data protection requirement issues. Not all application developers have need-to-know sensitive information such as HIPAA data, Privacy Act Data, production admin passwords or classified data.
Check Content
Review the application documentation and identify the existence of databases within the application architecture. Ask the application admin to identify when data exports from this database are imported to test or development databases. If no data is exported to test or development databases, this check is not applicable. If there are such data exports, ask if the production database includes sensitive data identified by the data owner as sensitive such as passwords, financial, personnel, personal, HIPAA, Privacy Act, or classified data is included. If any database exports include sensitive data and that data is not sanitized or removed prior to or immediately after import to the development database, this is a finding.
Fix Text
Remove sensitive data from production database exports.
Additional Identifiers
Rule ID: SV-222666r879887_rule
Vulnerability ID: V-222666
Group Title: SRG-APP-000516
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
CCI-002478 |
The organization removes organization-defined information at rest from online storage. |