SV-222624r508029_rule
V-222624
SRG-APP-000516
APSC-DV-002930
CAT II
10
Perform active vulnerability and fuzz testing of the application.
Verify the vulnerability scanning tool is configured to test all application components and functionality.
Address discovered vulnerabilities.
Ask the application representative to provide the vulnerability test procedures and the vulnerability test results.
Ask the application representative to provide the settings (scan profile, targets, enabled test categories) that were used to conduct the vulnerability testing.
Verify the automated vulnerability scanning tool was configured to test the components of the application architecture as completely as possible. For example, if the application includes a web server, web server tests must be enabled.
Informational and non-critical results in the vulnerability scan report do not by themselves constitute a finding.
If previously identified vulnerabilities have subsequently been resolved, this is not a finding.
If the application test procedures and test results do not include active vulnerability and fuzz testing, this is a finding.
If the vulnerability scan results include unresolved critical vulnerabilities, this is a finding.
If the vulnerability scanning tests are not relevant to the architecture of the application (for example, a scan profile that omits web server tests for an application that includes a web server), this is a finding.
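The check above applied to a vulnerability test record, as an added example that is not part of the STIG text. The record structure (components, enabled scanner test categories, kinds of testing performed, results), the component-to-test-category mapping and the two sample records are constructed assumptions; the function encodes the finding rules listed in the check and returns every reason a record fails.

```python
"""Apply the APSC-DV-002930 check rules to a vulnerability test record.

Added example, not part of the STIG text. The data model and the sample
records below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Hypothetical mapping of architecture components to the scanner test
# categories that must be enabled for the scan to be relevant to that
# component. The STIG names only the web server case explicitly; the other
# entries are assumptions for the example.
REQUIRED_TESTS = {
    "web_server": {"web_server"},
    "web_application": {"web_application"},
    "database": {"database"},
}


@dataclass
class Finding:
    severity: str          # "critical", "high", "medium", "low", "informational"
    title: str
    resolved: bool = False


@dataclass
class TestRecord:
    components: set        # architecture components of the application
    enabled_tests: set     # test categories the scanner was configured with
    procedures: set        # kinds of testing in the test procedures/results
    findings: list = field(default_factory=list)


def evaluate(record: TestRecord) -> list:
    """Return the reasons this record is a finding (empty list = not a finding)."""
    reasons = []

    # Test procedures and results must include both active vulnerability
    # testing and fuzz testing.
    missing = {"active_vulnerability", "fuzz"} - record.procedures
    if missing:
        reasons.append("test procedures/results lack: " + ", ".join(sorted(missing)))

    # The scanner configuration must be relevant to every architecture component.
    for component in sorted(record.components):
        needed = REQUIRED_TESTS.get(component, set())
        if not needed <= record.enabled_tests:
            reasons.append(f"scan not configured for component '{component}'")

    # Unresolved critical results are a finding; resolved criticals and
    # informational/non-critical results are not.
    unresolved_critical = [f.title for f in record.findings
                           if f.severity == "critical" and not f.resolved]
    if unresolved_critical:
        reasons.append("unresolved critical vulnerabilities: "
                       + ", ".join(unresolved_critical))

    return reasons


def sample_compliant() -> TestRecord:
    """Constructed record: full coverage, one resolved critical, low/info results."""
    return TestRecord(
        components={"web_server", "web_application"},
        enabled_tests={"web_server", "web_application", "database"},
        procedures={"active_vulnerability", "fuzz"},
        findings=[
            Finding("critical", "Remote code execution in upload handler", resolved=True),
            Finding("low", "Missing Strict-Transport-Security header"),
            Finding("informational", "Server version banner exposed"),
        ],
    )


def sample_noncompliant() -> TestRecord:
    """Constructed record: no fuzz testing, web server untested, open critical."""
    return TestRecord(
        components={"web_server", "web_application"},
        enabled_tests={"web_application"},
        procedures={"active_vulnerability"},
        findings=[Finding("critical", "SQL injection in login form")],
    )


if __name__ == "__main__":
    for name, record in (("compliant", sample_compliant()),
                         ("noncompliant", sample_noncompliant())):
        reasons = evaluate(record)
        print(name, "->", "not a finding" if not reasons else "FINDING")
        for reason in reasons:
            print("   ", reason)
```

The function reports every failing rule rather than stopping at the first, which matches how an assessor records the check: each reason maps to one sentence of the check text and can be cited in the finding details.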
V-222624
False
APSC-DV-002930
M
4093