Check: SRG-APP-000074-MAPP-00020
Mobile Application SRG:
SRG-APP-000074-MAPP-00020
(in version v1 r1)
Title
The mobile application must not execute unsigned DoD Mobile Code Policy Category 1A or 2 mobile code. (Cat I impact)
Discussion
Use of untrusted Level 1 and 2 mobile code technologies can introduce security vulnerabilities and malicious code into the client system. Unsigned code is potentially dangerous to use, since there is no verification that the code has been tested and is free of defects that would cause security issues. Also, being untested, the code could contain malware. Category 1A mobile code largely involves mobile code that runs on Microsoft Windows. While this code primarily concerns traditional PC and laptop computers, it may also function on versions of Microsoft Windows for mobile devices, either today or in subsequent releases. It is also possible for applications written for other mobile operating systems (MOS) to incorporate the capability to interpret Category 1A mobile code. This control gives the user greater assurance against running code that is prohibited because it is untrusted and untested.
Check Content
Perform a review of the application documentation to assess whether the application design prevents the application from executing unsigned Category 1A mobile code. If the documentation review is inconclusive, conduct a dynamic program analysis of all major components of the application to assess whether:
- mobile code is in use and the mobile application prompts to download the code;
- at the download prompt, the application indicates that the code has been digitally signed.
If the code has not been signed, or the application warns that the code cannot be invoked due to security settings, this is a finding. If the code has not been signed with a DoD-approved PKI certificate, this is a finding. Definitions for mobile code categories can be found at http://iase.disa.mil/mcp/index.html
Fix Text
Modify the code so that the application does not execute unsigned DoD Mobile Code Policy Category 1A or 2 mobile code.
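One way to implement the decision the check content describes at the download prompt, as an added example and not code from the SRG or from DoD: the application treats downloaded mobile code as a bundle of payload, signature and signer certificate, and executes it only when a signature is present, the signer chains to a root the application trusts, and the signature verifies over the payload. The approved root, a rogue root and the two signers are constructed inside the program and stand in for a DoD-approved PKI root and its issued certificates; Ed25519 signatures, the `SignedCode` type and the `GateMobileCode`, `Sign` and `Demo` functions are this example's own choices, not an API the SRG prescribes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SignedCode is what the application sees at the download prompt; Sig and SignerDER are empty for unsigned code.
type SignedCode struct {
	Code      []byte // the mobile code payload
	Sig       []byte // Ed25519 signature over Code
	SignerDER []byte // signer's X.509 certificate, DER-encoded
}
var ErrUnsigned = errors.New("mobile code is unsigned: refusing to execute")
var ErrUntrusted = errors.New("signer does not chain to an approved root: refusing to execute")
var ErrBadSig = errors.New("signature does not match the code: refusing to execute")

// GateMobileCode allows execution only if the code is signed, the signer chains to an approved root with the code-signing EKU, and the signature verifies over the payload.
func GateMobileCode(sc SignedCode, approved *x509.CertPool) error {
	if len(sc.Sig) == 0 || len(sc.SignerDER) == 0 {
		return ErrUnsigned
	}
	signer, err := x509.ParseCertificate(sc.SignerDER)
	if err != nil {
		return fmt.Errorf("%w: %v", ErrUntrusted, err)
	}
	opts := x509.VerifyOptions{Roots: approved, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := signer.Verify(opts); err != nil {
		return fmt.Errorf("%w: %v", ErrUntrusted, err)
	}
	if err := signer.CheckSignature(x509.PureEd25519, sc.Code, sc.Sig); err != nil {
		return fmt.Errorf("%w: %v", ErrBadSig, err)
	}
	return nil
}

// template builds a minimal certificate: a root when ca is true, otherwise a code-signing leaf.
func template(name string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	}
	return t
}

// mustCert issues tmpl under parent (self-signed when parent is nil) with a fresh Ed25519 key. Test fixture only: its roots stand in for a DoD-approved PKI root.
func mustCert(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// Sign produces the bundle a code publisher would ship.
func Sign(code, signerDER []byte, key ed25519.PrivateKey) SignedCode {
	return SignedCode{Code: code, Sig: ed25519.Sign(key, code), SignerDER: signerDER}
}
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// Demo runs the gate over the four cases a dynamic analysis of the download prompt should exercise.
func Demo() map[string]error {
	root, rootKey := mustCert(template("approved-root (constructed)", 1, true), nil, nil)
	signer, signerKey := mustCert(template("code-signer", 2, false), root, rootKey)
	rogue, rogueKey := mustCert(template("rogue-root (constructed)", 3, true), nil, nil)
	rogueSigner, rogueSignerKey := mustCert(template("rogue-signer", 4, false), rogue, rogueKey)
	approved := x509.NewCertPool() // the only root the application trusts
	approved.AddCert(root)
	code := []byte("print('constructed sample mobile code')")
	good := Sign(code, signer.Raw, signerKey)
	tampered := good // valid signature, but the payload changed after signing
	tampered.Code = append(append([]byte{}, code...), "; extra()"...)
	return map[string]error{
		"signed_by_approved": GateMobileCode(good, approved),
		"unsigned":           GateMobileCode(SignedCode{Code: code}, approved),
		"signed_by_rogue":    GateMobileCode(Sign(code, rogueSigner.Raw, rogueSignerKey), approved),
		"tampered":           GateMobileCode(tampered, approved),
	}
}
func main() { fmt.Println(Demo()) }
```

Run with `go run`; `Demo` returns the verdict for each scenario, and only the bundle signed under the approved root comes back with a nil error. Unsigned code is rejected before the certificate is even parsed, the rogue-root case corresponds to the "not signed with a DoD-approved PKI certificate" finding, and the tampered case shows why the signature has to be checked over the exact bytes that will be executed rather than over a download manifest.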
Additional Identifiers
Rule ID: SV-46549r1_rule
Vulnerability ID: V-35262
Group Title:
Expert Comments
CCIs
Number | Definition
---|---
CCI-001687 | The organization ensures the use of mobile code to be deployed in information systems meets organization-defined mobile code requirements.
Controls
Number | Title
---|---
SC-18 (2) | Acquisition / Development / Use