SV-222594r561257_rule
V-222594
SRG-APP-000246
APSC-DV-002400
CAT II
10
Design and deploy the application to utilize controls that will prevent the application from being affected by DoS attacks or being used to attack other systems. This includes but is not limited to utilizing throttling techniques for application traffic such as QoS or implementing logic controls within the application code itself that prevent application use that results in network or system capabilities being exceeded.
Review the application documentation and interview the application administrator.
Ask the application administrator if any anti-DoS technology or anti-DoS emergency response services are deployed to protect the application.
Check for code review, penetration or vulnerability test results that attempt to DoS the application or use the application as a DoS tool.
Examine test results and testing configuration to ensure that the application was tested and the application was not reported as being susceptible to DoS attacks either from external sources or from the application itself. Also verify the testing results show that the application cannot be weaponized to attack other systems.
If the test results indicate the application is susceptible to DoS attacks or can be weaponized to attack other applications or systems, this is a finding.
False
M
4093