Check: SRG-APP-000074-MAPP-00022
Mobile Application SRG:
SRG-APP-000074-MAPP-00022
(in version v1 r1)
Title
The mobile application must not permit DoD Mobile Code Policy Category 2 mobile code to access any resource not dedicated to the mobile application. (Cat I impact)
Discussion
Mobile code cannot conform to traditional installation and configuration safeguards. Its use of local operating system resources and its spawning of network connections introduce harmful and uncertain effects. Applying this control gives the user greater security and defense against malicious users who would otherwise gain access to the application and device through escalated privileges resulting from a weak security posture.
Check Content
If the application does not download or interpret mobile code, this requirement is not applicable. Perform a static analysis of the code to assess whether code is present that forces the application to access system resources external to the application. If the code review reveals the application executes mobile code that attempts to access local operating system resources or establish network connections to servers other than the application server, this is a finding.
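The check above amounts to a source review of the downloaded mobile code for two things: network connections to hosts other than the dedicated application server, and use of local operating system resources. The following script is an added illustration of that review step, not part of the SRG or any DoD tooling; the sample mobile code, the hostnames (`app.example.test`, `telemetry.example.test`), the file path, and the list of local-resource API names are all constructed for the example, and the set of dedicated hosts is assumed to be supplied by the reviewer from the application's design documentation.

```python
import re

# Constructed sample of Category 2 mobile code (JavaScript) as an application
# might download it. Hostnames and the file path are made up for illustration.
SAMPLE_MOBILE_CODE = """
fetch("https://app.example.test/api/sync");             // dedicated application server
var x = new XMLHttpRequest();
x.open("GET", "https://telemetry.example.test/beacon");  // host not dedicated to the app
var fs = require("fs");
fs.readFileSync("/data/data/com.other.app/shared_prefs/creds.xml");
"""

# Assumption: the reviewer knows which server(s) are dedicated to the application.
DEDICATED_HOSTS = {"app.example.test"}

# Hostname portion of any http(s) URL literal in the code.
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")

# Constructed list of API names that indicate local OS resource access
# (file system, process spawning). Extend for the runtime under review.
LOCAL_RESOURCE_APIS = ('require("fs")', "readFileSync", "child_process", "exec(")


def find_findings(code, dedicated_hosts):
    """Return one finding string per line that reaches a non-dedicated host
    or touches a local OS resource; an empty list means no finding."""
    findings = []
    for lineno, line in enumerate(code.splitlines(), 1):
        for host in URL_RE.findall(line):
            if host not in dedicated_hosts:
                findings.append(f"line {lineno}: network connection to non-dedicated host {host}")
        for api in LOCAL_RESOURCE_APIS:
            if api in line:
                findings.append(f"line {lineno}: local OS resource access via {api}")
    return findings


if __name__ == "__main__":
    for finding in find_findings(SAMPLE_MOBILE_CODE, DEDICATED_HOSTS):
        print("FINDING:", finding)
```

A pattern match like this only surfaces candidates for the reviewer; obfuscated or dynamically built URLs and indirect API calls will not be caught, so it narrows the manual review rather than replacing it.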
Fix Text
Modify code so that DoD Mobile Code Policy Category 2 mobile code is unable to access resources not dedicated to the mobile application.
Additional Identifiers
Rule ID: SV-46551r1_rule
Vulnerability ID: V-35264
Group Title:
Expert Comments
CCIs
Number | Definition
---|---
CCI-001687 | Verify that the use of mobile code deployed in system meets organization-defined mobile code requirements.
Controls
Number | Title
---|---
SC-18(2) | Acquisition / Development / Use