STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide Version: 5 Release: 1 Benchmark Date: 23 Oct 2020:

At least one tester must be designated to test for security flaws in addition to functional testing.

DISA Rule

SV-222646r508029_rule

Vulnerability Number

V-222646

Group Title

SRG-APP-000516

Rule Version

APSC-DV-003150

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.
• CCI-003182 - The organization requires the developer of the information system, system component, or information system service to perform testing/evaluation of the as-built system, component, or service subsequent to threat and vulnerability analysis.

Weight

10

Fix Recommendation

Designate personnel to conduct security testing on the applications.

Check Contents

Review the organization chart and interview the admin staff.

Identify personnel designated as application security testers.

If the organization operating the application is not doing development work, this requirement is not applicable.

If the organization has not designated personnel to conduct security testing, this is a finding.

Vulnerability Number

V-222646

Documentable

False

Rule Version

APSC-DV-003150

Severity Override Guidance

Review the organization chart and interview the admin staff.

Identify personnel designated as application security testers.

If the organization operating the application is not doing development work, this requirement is not applicable.

If the organization has not designated personnel to conduct security testing, this is a finding.

Check Content Reference

M

Target Key

4093

Comments