STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide Version: 5 Release: 1 Benchmark Date: 23 Oct 2020:

Messages protected with WS_Security must use time stamps with creation and expiration times.

DISA Rule

SV-222399r508029_rule

Vulnerability Number

V-222399

Group Title

SRG-APP-000014

Rule Version

APSC-DV-000190

Severity

CAT I

CCI(s)

• CCI-000068 - The information system implements cryptographic mechanisms to protect the confidentiality of remote access sessions.

Weight

10

Fix Recommendation

Design and configure applications using WS-Security messages to use time stamps with creation and expiration times and sequence numbers.

Check Contents

Ask the application representative for the design document. Review the design document for web services using WS-Security tokens.

If the application does not utilize WS-Security tokens, this check is not applicable.

Examine the contents of a SOAP message using WS Security; all messages should contain time stamps, sequence numbers, and expiration.

If messages using WS Security do not contain time stamps, sequence numbers, and expiration, this is a finding.

Vulnerability Number

V-222399

Documentable

False

Rule Version

APSC-DV-000190

Severity Override Guidance

Ask the application representative for the design document. Review the design document for web services using WS-Security tokens.

If the application does not utilize WS-Security tokens, this check is not applicable.

Examine the contents of a SOAP message using WS Security; all messages should contain time stamps, sequence numbers, and expiration.

If messages using WS Security do not contain time stamps, sequence numbers, and expiration, this is a finding.

Check Content Reference

M

Target Key

4093

Comments