STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide Version: 5 Release: 1 Benchmark Date: 23 Oct 2020:

Unsigned Category 1A mobile code must not be used in the application in accordance with DoD policy.

DISA Rule

SV-222618r508029_rule

Vulnerability Number

V-222618

Group Title

SRG-APP-000206

Rule Version

APSC-DV-002870

Severity

CAT II

CCI(s)

• CCI-001166 - The information system identifies organization-defined unacceptable mobile code.

Weight

10

Fix Recommendation

Configure the application so Category 1A mobile code is signed.

Check Contents

Review the application documentation and interview the application administrator to identify any mobile code that is provided by the application for client consumption.

If the application does not contain mobile code, or if the mobile code executes within the client browser, this is not applicable.

The URL of the application must be added to the Trusted Sites zone. This is accomplished via the Tools, Internet Options, and “Security” Tab.

Select the “Trusted Sites” zone.
Click the “sites” button.
Enter the URL into the text box below the “Add this site to this zone” message.
Click "Add”.
Click “OK”.

Note: This requires administrator privileges to add URL to sites on a STIG compliant workstation.

Next, test the application. This testing should include functional testing from all major components of the application.

If mobile code is in use, the browser will prompt to download the control. At the download prompt, the browser will indicate that code has been digitally signed.

If the code has not been signed or the application warns that a control cannot be invoked due to security settings, this is a finding.

Vulnerability Number

V-222618

Documentable

False

Rule Version

APSC-DV-002870

Severity Override Guidance

Review the application documentation and interview the application administrator to identify any mobile code that is provided by the application for client consumption.

If the application does not contain mobile code, or if the mobile code executes within the client browser, this is not applicable.

The URL of the application must be added to the Trusted Sites zone. This is accomplished via the Tools, Internet Options, and “Security” Tab.

Select the “Trusted Sites” zone.
Click the “sites” button.
Enter the URL into the text box below the “Add this site to this zone” message.
Click "Add”.
Click “OK”.

Note: This requires administrator privileges to add URL to sites on a STIG compliant workstation.

Next, test the application. This testing should include functional testing from all major components of the application.

If mobile code is in use, the browser will prompt to download the control. At the download prompt, the browser will indicate that code has been digitally signed.

If the code has not been signed or the application warns that a control cannot be invoked due to security settings, this is a finding.

Check Content Reference

M

Target Key

4093

Comments