SV-222648r508029_rule
V-222648
SRG-APP-000516
APSC-DV-003170
CAT II
10
Conduct and document code reviews on the application during development and identify and remediate all known and potential security vulnerabilities prior to releasing the application.
This requirement is meant to apply to developers or organizations that are doing the application development work and have the responsibility for maintaining the application source code. Otherwise, the requirement is not applicable.
Review the system documentation and ask the application representative to describe the code review process or provide documentation outlining the organization's code review process.
If code reviews are conducted with software tools, have the application representative provide the latest code review report for the application.
Ensure the code review looks for all known security flaws including but not limited to:
- format string exploits
- memory leaks
- buffer overflows
- race conditions
- SQL injection
- dead/unused/commented code
- input validation exploits
If the organization does not conduct code reviews on the application that attempt to identify all known and potential security issues, or if code review results are not available for review, this is a finding.
False
M
4093