Check: SRG-APP-000203-MAPP-00045
Mobile Application SRG: SRG-APP-000203-MAPP-00045 (in version v1 r1)
Title
The mobile application must associate security attributes with information exchanged between information systems. (Cat II impact)
Discussion
When data is exchanged between information systems, security attributes must be associated with this data. Security attributes are an abstraction representing the basic properties or characteristics of an entity with respect to safeguarding information, typically associated with internal data structures (e.g., records, buffers, files) within the information system, and used to enable the implementation of access control and flow control policies; reflect special dissemination, handling, or distribution instructions; or support other aspects of the information security policy. Applying this control assures security attributes may be explicitly or implicitly associated with the information contained within the information system to support correct handling of the data according to its classification.
Check Content
Perform a static program analysis of the application software to assess if security attributes are associated with data in transit. If the static analysis is not possible or inconclusive, perform a dynamic analysis to assess if the remote end receives security attributes. If the static analysis reveals that supporting code is not present, or if the dynamic analysis reveals security attributes are not received, this is a finding.
Fix Text
Modify code to associate security attributes with information exchanged between systems.
Additional Identifiers
Rule ID: SV-46817r1_rule
Vulnerability ID: V-35530
Group Title:
CCIs
Number | Definition |
---|---|
CCI-001157 | Associate organization-defined security attributes with information exchanged between systems. |
Controls
Number | Title |
---|---|
SC-16 | Transmission of Security Attributes |