STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide Version: 5 Release: 1 Benchmark Date: 23 Oct 2020:

The application password must not be changeable by users other than the administrator or the user with which the password is associated.

DISA Rule

SV-222548r561251_rule

Vulnerability Number

V-222548

Group Title

SRG-APP-000516

Rule Version

APSC-DV-001795

Severity

CAT II

CCI(s)

• CCI-000184 - The organization manages information system authenticators by requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators.
• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Use a CAC to authenticate users instead of using passwords. If application users are prohibited or prevented from obtaining a CAC due to DoD policy requirements and passwords are the only viable option, design the application to utilize a secure password change or password reset process.

Utilize out of band (OOB) communication techniques to communicate password change requests to users.

Ensure verification processes exist that allow users to validate the change request prior to implementing the password change.

Ensure users are only allowed to change their own passwords.

Check Contents

Review the application documentation and interview application administrator.

Determine if the application utilizes passwords. If the application does not utilize passwords, the requirement is NA.

Identify the processes, commands or web pages the application uses to allow application users to change their own passwords. This includes but is not limited to password resets.

If the application does not allow users to change or reset their passwords, the requirement is NA.

Obtain two application test accounts, referred to here as User A and User B. Access the application as User A. Utilize the application password reset or change processes and determine if User A is allowed to specify or otherwise force a password change for User B.

If User A is allowed to change or force a reset of User B's password, this is a finding.

Vulnerability Number

V-222548

Documentable

False

Rule Version

APSC-DV-001795

Severity Override Guidance

Review the application documentation and interview application administrator.

Determine if the application utilizes passwords. If the application does not utilize passwords, the requirement is NA.

Identify the processes, commands or web pages the application uses to allow application users to change their own passwords. This includes but is not limited to password resets.

If the application does not allow users to change or reset their passwords, the requirement is NA.

Obtain two application test accounts, referred to here as User A and User B. Access the application as User A. Utilize the application password reset or change processes and determine if User A is allowed to specify or otherwise force a password change for User B.

If User A is allowed to change or force a reset of User B's password, this is a finding.

Check Content Reference

M

Target Key

4093

Comments