DATASHEET
DISA STIG Rule Enforcement
Application Security and Development Security Technical Implementation Guide
MAC-III Sensitive Version 5
https://www.stigviewer.com/stig/application_security_and_development/
ENFORCEMENT FOR KW 2023.4
Total | C/C++ | C# | Java | ||
|---|---|---|---|---|---|
a | Total Number of Rules | 286 | 286 | 286 | 286 |
b | Total Number of ‘Not Statically Enforceable’ Rules (Assisted/Unassisted) | 8 | 8 | 8 | 8 |
c | Total Number of Enforceable Rules (a-b) | 278 | 278 | 278 | 278 |
d | Total Number of Enforced Rules | 51 | 36 | 22 | 46 |
e | Total Number of Unenforced Rules | 227 | 242 | 256 | 232 |
f | Enforce Rules Percentage (d/c) | 18% | 13% | 8% | 17% |
g | Unenforced Rules Percentage (e/c) | 82% | 87% | 92% | 83% |
Total | C/C++ | C# | Java | ||
|---|---|---|---|---|---|
Severity High — Overview | |||||
a | Total Number of Rules | 31 | 31 | 31 | 31 |
b | Total Number of ‘Not Statically Enforceable’ Rules (Assisted/Unassisted) | 8 | 8 | 8 | 8 |
c | Total Number of Enforceable Rules (a-b) | 23 | 23 | 23 | 23 |
d | Total Number of Enforced Rules | 21 | 15 | 7 | 21 |
e | Total Number of Unenforced Rules | 2 | 8 | 16 | 2 |
f | Enforce Rules Percentage (d/c) | 91% | 65% | 30% | 91% |
g | Unenforced Rules Percentage (e/c) | 9% | 35% | 70% | 9% |
Finding ID | Version ID | Title | C/C++ | C# | Java |
|---|---|---|---|---|---|
Severity High | |||||
V-222399 | APSC-DV-000190 | Messages protected with WS_Security must use time stamps with creation and expiration times. | NSE | NSE | NSE |
V-222400 | APSC-DV-000200 | Validity periods must be verified on all application messages using WS-Security or SAML assertions. | NSE | NSE | NSE |
V-222403 | APSC-DV-000230 | The application must use the NotOnOrAfter condition when using the SubjectConfirmation element in a SAML assertion. | NSE | NSE | NSE |
V-222404 | APSC-DV-000240 | The application must use both the NotBefore and NotOnOrAfter elements or OneTimeUse element when using the Conditions element in a SAML assertion. | NSE | NSE | NSE |
V-222425 | APSC-DV-000460 | The application must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. | Yes | No | Yes |
V-222430 | APSC-DV-000510 | The application must execute without excessive account permissions. | Yes | No | Yes |
V-222432 | APSC-DV-000530 | The application must enforce the limit of three consecutive invalid logon attempts by a user during a 15 minute time period. | No | No | No |
V-222522 | APSC-DV-001540 | The application must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). | No | No | Yes |
V-222536 | APSC-DV-001680 | The application must enforce a minimum 15-character password length. | No | No | Yes |
V-222542 | APSC-DV-001740 | The application must only store cryptographic representations of passwords. | Yes | Yes | Yes |
V-222543 | APSC-DV-001750 | The application must transmit only cryptographically-protected passwords. | Yes | Yes | Yes |
V-222550 | APSC-DV-001810 | The application, when utilizing PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | No | No | Yes |
V-222551 | APSC-DV-001820 | The application, when using PKI-based authentication, must enforce authorized access to the corresponding private key. | No | No | Yes |
V-222554 | APSC-DV-001850 | The application must not display passwords/PINs as clear text. | No | No | Yes |
V-222577 | APSC-DV-002230 | The application must not expose session IDs. | Yes | No | Yes |
V-222578 | APSC-DV-002240 | The application must destroy the session ID value and/or cookie on logoff or browser close. | Yes | No | Yes |
V-222585 | APSC-DV-002310 | The application must fail to a secure state if system initialization fails, shutdown fails, or aborts fail. | No | No | Yes |
V-222596 | APSC-DV-002500 | The application must protect the confidentiality and integrity of transmitted information. | Yes | No | Yes |
V-222601 | APSC-DV-002485 | The application must not store sensitive information in hidden fields. | No | No | No |
V-222602 | APSC-DV-002490 | The application must protect from Cross-Site Scripting (XSS) vulnerabilities. | Yes | Yes | Yes |
V-222604 | APSC-DV-002510 | The application must protect from command injection. | Yes | Yes | Yes |
V-222607 | APSC-DV-002540 | The application must not be vulnerable to SQL Injection. | Yes | Yes | Yes |
V-222608 | APSC-DV-002490 | The application must not be vulnerable to XML-oriented attacks. | Yes | No | Yes |
V-222609 | APSC-DV-002560 | The application must not be subject to input handling vulnerabilities. | Yes | Yes | Yes |
V-222612 | APSC-DV-002590 | The application must not be vulnerable to overflow attacks. | Yes | Yes | Yes |
V-222620 | APSC-DV-002890 | Application web servers must be on a separate network segment from the application and database servers if it is a tiered application operating in the DoD DMZ. | NSE | NSE | NSE |
V-222642 | APSC-DV-003110 | The application must not contain embedded authentication data. | Yes | No | Yes |
V-222643 | APSC-DV-003120 | The application must have the capability to mark sensitive/classified output when required. | NSE | NSE | NSE |
V-222658 | APSC-DV-003240 | All products must be supported by the vendor or the development team. | NSE | NSE | NSE |
V-222659 | APSC-DV-003250 | The application must be decommissioned when maintenance or support is no longer available. | NSE | NSE | NSE |
V-222662 | APSC-DV-003280 | Default passwords must be changed. | Yes | No | Yes |
Total | C/C++ | C# | Java | ||
|---|---|---|---|---|---|
Severity Medium — Overview | |||||
a | Total Number of Rules | 233 | 233 | 233 | 233 |
b | Total Number of ‘Not Statically Enforceable’ Rules (Assisted/Unassisted) | 0 | 0 | 0 | 0 |
c | Total Number of Enforceable Rules (a-b) | 233 | 233 | 233 | 233 |
d | Total Number of Enforced Rules | 29 | 21 | 15 | 24 |
e | Total Number of Unenforced Rules | 204 | 212 | 218 | 209 |
f | Enforce Rules Percentage (d/c) | 12% | 9% | 7% | 10% |
g | Unenforced Rules Percentage (e/c) | 88% | 91% | 93% | 90% |
Finding ID | Version ID | Title | C/C++ | C# | Java |
|---|---|---|---|---|---|
Severity Medium | |||||
V-222388 | APSC-DV-000060 | The application must clear temporary storage and cookies when the session is terminated. | No | No | Yes |
V-222396 | APSC-DV-000160 | The application must implement DoD-approved encryption to protect the confidentiality of remote access sessions. | Yes | Yes | Yes |
V-222397 | APSC-DV-000170 | The application must implement cryptographic mechanisms to protect the integrity of remote access sessions. | Yes | Yes | Yes |
V-222427 | APSC-DV-000480 | The application must enforce approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies. | No | No | Yes |
V-222444 | APSC-DV-000650 | The application must not write sensitive data into the application logs. | No | No | Yes |
V-222501 | APSC-DV-001290 | The application must protect audit information from unauthorized modification. | No | No | Yes |
V-222511 | APSC-DV-001410 | The application must enforce access restrictions associated with changes to application configuration. | Yes | No | No |
V-222515 | APSC-DV-001460 | An application vulnerability assessment must be conducted. | No | No | Yes |
V-222555 | APSC-DV-001860 | The application must use mechanisms meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. | Yes | Yes | Yes |
V-222566 | APSC-DV-001980 | The application must terminate all sessions and network connections when non-local maintenance is completed. | Yes | Yes | No |
V-222567 | APSC-DV-001995 | The application must not be vulnerable to race conditions. | Yes | No | Yes |
V-222568 | APSC-DV-002000 | The application must terminate all network connections associated with a communications session at the end of the session. | Yes | Yes | Yes |
V-254803 | APSC-DV-002010 | The application must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | Yes | Yes | Yes |
V-222571 | APSC-DV-002030 | The application must utilize FIPS-validated cryptographic modules when generating cryptographic hashes. | Yes | Yes | Yes |
V-222572 | APSC-DV-002040 | The application must utilize FIPS-validated cryptographic modules when protecting unclassified information that requires cryptographic protection. | Yes | Yes | Yes |
V-222583 | APSC-DV-002290 | The application must use the Federal Information Processing Standard (FIPS) 140-2-validated cryptographic modules and random number generator if the application implements encryption, key exchange, digital signature, and hash functionality. | Yes | Yes | Yes |
V-222589 | APSC-DV-002350 | The application must use appropriate cryptography in order to protect stored DoD information when required by the information owner or DoD policy. | Yes | Yes | Yes |
V-222590 | APSC-DV-002360 | The application must isolate security functions from non-security functions. | No | No | Yes |
V-222592 | APSC-DV-002380 | Applications must prevent unauthorized and unintended information transfer via shared system resources. | Yes | No | No |
V-222594 | APSC-DV-002400 | The application must restrict the ability to launch Denial of Service (DoS) attacks against itself or other information systems. | Yes | Yes | Yes |
V-222600 | APSC-DV-002480 | The application must not disclose unnecessary information to users. | No | No | Yes |
V-222603 | APSC-DV-002500 | The application must protect from Cross-Site Request Forgery (CSRF) vulnerabilities. | No | Yes | Yes |
V-222605 | APSC-DV-002520 | The application must protect from canonical representation vulnerabilities. | Yes | No | No |
V-222606 | APSC-DV-002530 | The application must validate all input. | Yes | Yes | Yes |
V-222625 | APSC-DV-002950 | Execution flow diagrams and design documents must be created to show how deadlock and recursion issues in web services are being mitigated. | Yes | Yes | Yes |
V-222641 | APSC-DV-003100 | The application must use encryption to implement key exchange and authenticate endpoints prior to establishing a communication channel for key exchange. | Yes | Yes | Yes |
V-222648 | APSC-DV-003170 | An application code review must be performed on the application. | Yes | No | No |
V-222656 | APSC-DV-003235 | The application must not be subject to error handling vulnerabilities. | Yes | No | Yes |
V-222667 | APSC-DV-003320 | Protections against DoS attacks must be implemented. | Yes | No | Yes |
Total | C/C++ | C# | Java | ||
|---|---|---|---|---|---|
Severity Low — Overview | |||||
a | Total Number of Rules | 22 | 22 | 22 | 22 |
b | Total Number of ‘Not Statically Enforceable’ Rules (Assisted/Unassisted) | 0 | 0 | 0 | 0 |
c | Total Number of Enforceable Rules (a-b) | 22 | 22 | 22 | 22 |
d | Total Number of Enforced Rules | 1 | 0 | 0 | 1 |
e | Total Number of Unenforced Rules | 21 | 22 | 22 | 21 |
f | Enforce Rules Percentage (d/c) | 5% | 0% | 0% | 5% |
g | Unenforced Rules Percentage (e/c) | 95% | 100% | 100% | 95% |
Finding ID | Version ID | Title | C/C++ | C# | Java |
|---|---|---|---|---|---|
Severity Low | |||||
V-222653 | APSC-DV-003215 | The application development team must follow a set of coding standards. | No | No | Yes |