STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide Version: 5 Release: 1 Benchmark Date: 23 Oct 2020:

The web service design must include redundancy mechanisms when used with high-availability systems.

DISA Rule

SV-222595r508029_rule

Vulnerability Number

V-222595

Group Title

SRG-APP-000247

Rule Version

APSC-DV-002410

Severity

CAT II

CCI(s)

• CCI-001095 - The information system manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks.

Weight

10

Fix Recommendation

Build the application to address issues that are found in a redundant environment and utilize redundancy mechanisms to provide high availability.

Check Contents

Interview the application administrator and review the system documentation to determine if the application has been designated as a high availability system and if the application is designed to operate in a high availability environment.

If the application has not been designated as a high availability system, this requirement is not applicable.

Review the application architecture documentation and identify solutions that provide application DoS protections.

Verify the application has been built to work in a clustered or otherwise high availability environment in accordance with documented availability requirements.

This includes:

- load balancers
- redundant systems such as multiple web, application servers or DB servers
- high bandwidth or redundant data circuits
- multiple data centers (geographic dispersal)
- server clusters

If the application has been designated as high availability but the architecture is not built to high availability standards, this is a finding.

Vulnerability Number

V-222595

Documentable

False

Rule Version

APSC-DV-002410

Severity Override Guidance

Interview the application administrator and review the system documentation to determine if the application has been designated as a high availability system and if the application is designed to operate in a high availability environment.

If the application has not been designated as a high availability system, this requirement is not applicable.

Review the application architecture documentation and identify solutions that provide application DoS protections.

Verify the application has been built to work in a clustered or otherwise high availability environment in accordance with documented availability requirements.

This includes:

- load balancers
- redundant systems such as multiple web, application servers or DB servers
- high bandwidth or redundant data circuits
- multiple data centers (geographic dispersal)
- server clusters

If the application has been designated as high availability but the architecture is not built to high availability standards, this is a finding.

Check Content Reference

M

Target Key

4093

Comments