STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide Version: 5 Release: 1 Benchmark Date: 23 Oct 2020:

The application must not be vulnerable to race conditions.

DISA Rule

SV-222567r508029_rule

Vulnerability Number

V-222567

Group Title

SRG-APP-000516

Rule Version

APSC-DV-001995

Severity

CAT II

CCI(s)

CCI-000366 - The organization implements the security configuration settings.
CCI-003178 - The organization requires the developer of the information system, system component, or information system service to correct flaws identified during security testing/evaluation.

Weight

Fix Recommendation

Be aware of potential timing issues related to application programming calls when designing and building the application.

Validate that variable values do not change while a switch event is occurring.

Check Contents

Review the application documentation and architecture.

If the application is a COTS application and the vendor will not provide code review test results that demonstrate the application has been tested and is not susceptible to race conditions, the requirement is NA.

Interview the application admin and identify the most recent code testing and analysis that has been conducted.

Review the test results; verify configuration of analysis tools are set to check for the existence of race conditions.

If race conditions are identified in the test results, verify the latest test results are being used, if not, ensure remediation has been completed.

If the test results show race conditions exist and no remediation evidence is presented, or if test results are not available, this is a finding.

The application must not be vulnerable to race conditions.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments