Check: APSC-DV-003160
Application Security and Development STIG: APSC-DV-003160 (in versions v5 r3 through v4 r2)
Title
Test procedures must be created and at least annually executed to ensure system initialization, shutdown, and aborts are configured to verify the system remains in a secure state. (Cat III impact)
Discussion
Secure state assurance cannot be accomplished without testing the system state at least annually to ensure the system remains in a secure state upon initialization, shutdown, and aborts.
Check Content
Review the process documentation and interview the admin staff. Identify whether testing procedures exist and whether they include annual testing to ensure the application remains in a secure state on initialization, shutdown, and aborts. Checks should include, at a minimum, attempts to access the application and the application configuration settings without credentials or with improper credentials, both locally and remotely. The date of the most recent test should be recorded. If annual testing procedures do not exist, or if administrators are unable to provide testing dates that indicate the tests were conducted within the last year, this is a finding.
Fix Text
Create test procedures to test the security state of the application and exercise test procedures annually.
Additional Identifiers
Rule ID: SV-222647r879887_rule
Vulnerability ID: V-222647
Group Title: SRG-APP-000516
CCIs
Number | Definition
---|---
CCI-000366 | The organization implements the security configuration settings.
CCI-003182 | The organization requires the developer of the information system, system component, or information system service to perform testing/evaluation of the as-built system, component, or service subsequent to threat and vulnerability analysis.