STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide Version: 5 Release: 1 Benchmark Date: 23 Oct 2020: STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide Version: 5 Release: 1 Benchmark Date: 23 Oct 2020:SV-222645r561278_rule
V-222645
SRG-APP-000516
APSC-DV-003140
CAT II
10
Developers/release managers create cryptographic hash values of application files and/or application packages prior to transitioning the application from test to a production environment. They protect cryptographic hash information so it cannot be altered and make a read copy of the hash information available to application Admins so they can validate application packages and files after they download the files.
Application Admins validate cryptographic hashes prior to deploying the application to production.
Ask the application representative to demonstrate their cryptographic hash validation process or provide process documentation. The validation process will vary based upon the operating system used as there are numerous clients available that will display a file's cryptographic hash for validation purposes.
Linux operating systems include the "sha256sum" utility. For Linux systems using sha256sum command syntax is: sha256sum [OPTION]... [FILE]...
Recent Windows PowerShell versions include the "get-filehash" PowerShell cmdlet. The default algorithm value used is SHA256.
Syntax is:
Get-FileHash
[-Path] <String[]>
[-Algorithm <String>]
[<CommonParameters>]
A validation process involves obtaining the application files’ cryptographic hash value from the programs author or other authoritative source such as the application's website. A utility like the "sha256sum" utility is then run using the downloaded application file name as the argument. The output is the files' hash value. The two hash values are compared and if they match, then file integrity is ensured.
If the application being reviewed is a COTS product and the vendor used a SHA1 or MD5 algorithm to generate a hash value, this is not a finding.
If the application being reviewed is a COTS product and the vendor did not provide a hash value for validating the package, this is not a finding.
If the integrity of the application files/code is not validated prior to deployment to DoD operational networks, this is a finding.
V-222645
False
APSC-DV-003140
Ask the application representative to demonstrate their cryptographic hash validation process or provide process documentation. The validation process will vary based upon the operating system used as there are numerous clients available that will display a file's cryptographic hash for validation purposes.
Linux operating systems include the "sha256sum" utility. For Linux systems using sha256sum command syntax is: sha256sum [OPTION]... [FILE]...
Recent Windows PowerShell versions include the "get-filehash" PowerShell cmdlet. The default algorithm value used is SHA256.
Syntax is:
Get-FileHash
[-Path] <String[]>
[-Algorithm <String>]
[<CommonParameters>]
A validation process involves obtaining the application files’ cryptographic hash value from the programs author or other authoritative source such as the application's website. A utility like the "sha256sum" utility is then run using the downloaded application file name as the argument. The output is the files' hash value. The two hash values are compared and if they match, then file integrity is ensured.
If the application being reviewed is a COTS product and the vendor used a SHA1 or MD5 algorithm to generate a hash value, this is not a finding.
If the application being reviewed is a COTS product and the vendor did not provide a hash value for validating the package, this is not a finding.
If the integrity of the application files/code is not validated prior to deployment to DoD operational networks, this is a finding.
M
4093