STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide Version: 5 Release: 1 Benchmark Date: 23 Oct 2020:

The application must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

DISA Rule

SV-222425r508029_rule

Vulnerability Number

V-222425

Group Title

SRG-APP-000033

Rule Version

APSC-DV-000460

Severity

CAT I

CCI(s)

• CCI-000213 - The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

Weight

10

Fix Recommendation

Design or configure the application to enforce access to application resources.

Check Contents

Review the application documentation and interview the application administrator.

Review application data protection requirements.

Identify application resources that require protection and authentication over and above the authentication required to access the application itself.

This can be access to a URL, a folder, a file, a process or a database record that should only be available to certain individuals.

Identify the access control methods utilized by the application in order to control access to the resource.

Examples include Role-Based Access Control policies (RBAC).

Using RBAC as an example, utilize a test account placed into a test role.

Set a protection control on a resource and explicitly deny access to the role assigned to the test user account.

Try to access an application resource that is not configured to allow access. Access should be denied.

If the enforcement of configured access restrictions is not performed, this is a finding.

Vulnerability Number

V-222425

Documentable

False

Rule Version

APSC-DV-000460

Severity Override Guidance

Review the application documentation and interview the application administrator.

Review application data protection requirements.

Identify application resources that require protection and authentication over and above the authentication required to access the application itself.

This can be access to a URL, a folder, a file, a process or a database record that should only be available to certain individuals.

Identify the access control methods utilized by the application in order to control access to the resource.

Examples include Role-Based Access Control policies (RBAC).

Using RBAC as an example, utilize a test account placed into a test role.

Set a protection control on a resource and explicitly deny access to the role assigned to the test user account.

Try to access an application resource that is not configured to allow access. Access should be denied.

If the enforcement of configured access restrictions is not performed, this is a finding.

Check Content Reference

M

Target Key

4093

Comments