Check: APSC-DV-003250
Application Security and Development STIG: APSC-DV-003250 (in versions v5 r3 through v4 r2)
Title
The application must be decommissioned when maintenance or support is no longer available. (Cat I impact)
Discussion
Unsupported software products should not be used because fixes to newly identified bugs will not be implemented by the vendor or development team. The lack of security updates can result in potential vulnerabilities. When maintenance updates and patches are no longer available, the application is no longer considered supported, and should be decommissioned.
Check Content
Interview the application representative and determine if all the application components are under maintenance contract. The entire application may be covered by a single maintenance agreement. The application should be decommissioned if maintenance or security support is no longer being provided by the vendor or by the development staff of a custom-developed application. If the application or any of the application components are not being maintained, this is a finding.
Fix Text
Ensure there is maintenance for the application.
Additional Identifiers
Rule ID: SV-222659r879887_rule
Vulnerability ID: V-222659
Group Title: SRG-APP-000516
CCIs
Number | Definition |
---|---|
CCI-000366 | The organization implements the security configuration settings. |
CCI-003376 | The organization replaces information system components when support for the components is no longer available from the developer, vendor, or manufacturer. |