Title

Only fully reviewed and tested web sites must exist on a production web server. (Cat II impact)

Discussion

In the case of a production web server, areas for content development and testing will not exist, as this type of content is only permissible on a development web site. The process of developing on a functional production web site entails a degree of trial and error and repeated testing. This process is often accomplished in an environment where debugging, sequencing, and formatting of content are the main goals. The opportunity for a malicious user to obtain files revealing business logic and login schemes is high in this situation. The existence of such immature content on a web server represents a significant security, which is totally avoidable.

Check Content

The reviewer should query the ISSO, SA, and Web Manager to find out if development web sites are being housed on production web servers. Definition: A production web server is any web server connected to a production network, regardless of its role. Proposed Questions: Do you have development sites on your production web server? What is your process to get development web sites / content posted to the production server? Do you use under construction notices on production web pages? A manual cehck can be completed by navigating to the web site via a browser and confirm the information provided by the web staff. If development web content is discovered on the production web server, this is a finding.

Fix Text

Ensure any pages in development are not installed on a production web server.

Additional Identifiers

Rule ID: SV-38069r2_rule

Vulnerability ID: V-2254

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.