STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide, Version 5, Release 1, Benchmark Date: 23 Oct 2020

Threat models must be documented and reviewed for each application release and updated as required by design and functionality changes or when new threats are discovered.

DISA Rule

SV-222655r508029_rule

Vulnerability Number

V-222655

Group Title

SRG-APP-000516

Rule Version

APSC-DV-003230

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Establish and maintain threat models, and review them for each application release and whenever new threats are discovered. Identify potential mitigations for the identified threats. Verify that mitigations are implemented for threats according to their risk analysis.

Check Contents

This requirement is meant to apply to developers or organizations that are doing application development work.

If the organization operating the application is not doing the development or is not managing the development of the application, the requirement is not applicable.

Review the threat model document and verify that the following sections are present:

- Identified threats
- Potential vulnerabilities
- Countermeasures taken
- Potential mitigations
- Mitigations selected based on risk analysis

Review the identified threats, vulnerabilities, and countermeasures.
Countermeasures could include implementing application firewalls or IDS/IPS and configuring certain IDS filters.

Review the application documentation.
Verify that the architecture and components of the application match the components in the threat model document.
Verify that identified threats and vulnerabilities are addressed or mitigated, and that the ISSO and ISSM have reviewed and approved the document.

If the described threat model documentation does not exist, this is a finding.
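The reviewer steps above translate naturally into an automated lint when the threat model is kept as structured data alongside the code. The following is an added example, not part of the STIG, of STIGQter, or of any DISA tooling: it checks a constructed threat model for the five required sections, confirms that every component in the documented architecture appears in the model (and vice versa), confirms that every identified threat has either a countermeasure taken or a mitigation selected with a risk-analysis rationale, and confirms that ISSO and ISSM approval is recorded for the release under review. The section and field names (identified_threats, threat_id, risk_rationale, approvals, and so on) are an assumed convention chosen for this example; the STIG prescribes the sections, not a file format.

```python
# Added example: lint for a threat model kept as structured data. The key
# names below are an assumed convention, not a format prescribed by the STIG.

# Sections the check content requires (assumed dictionary keys).
REQUIRED_SECTIONS = (
    "identified_threats",
    "potential_vulnerabilities",
    "countermeasures_taken",
    "potential_mitigations",
    "selected_mitigations",
)
REQUIRED_APPROVERS = ("ISSO", "ISSM")


def check_threat_model(model, architecture_components, release):
    """Return a list of finding strings; an empty list means every check passed."""
    findings = []

    # 1. Required sections exist; stop here if not, later checks need them.
    for section in REQUIRED_SECTIONS:
        if section not in model:
            findings.append(f"missing section: {section}")
    if findings:
        return findings

    # 2. The model was reviewed for the release being assessed.
    reviewed = model.get("reviewed_for_release")
    if reviewed != release:
        findings.append(f"model reviewed for {reviewed!r}, release under review is {release!r}")

    # 3. Components named in the model match the documented architecture.
    modelled = {c for t in model["identified_threats"] for c in t["components"]}
    inventory = set(architecture_components)
    for c in sorted(inventory - modelled):
        findings.append(f"architecture component not covered by any threat: {c}")
    for c in sorted(modelled - inventory):
        findings.append(f"threat references component absent from architecture: {c}")

    # 4. Every threat is addressed: a countermeasure already taken, or a
    #    mitigation selected for it with a rationale grounded in risk analysis.
    taken = {cm["threat_id"] for cm in model["countermeasures_taken"]}
    proposed = {m["id"]: m for m in model["potential_mitigations"]}
    selected = {}
    for s in model["selected_mitigations"]:
        if s["mitigation_id"] not in proposed:
            findings.append(f"selected mitigation {s['mitigation_id']} not in potential mitigations")
            continue
        selected.setdefault(proposed[s["mitigation_id"]]["threat_id"], []).append(s)
    for threat in model["identified_threats"]:
        tid = threat["id"]
        if tid in taken:
            continue
        if tid not in selected:
            findings.append(f"threat {tid} ({threat['risk']} risk) has no countermeasure or selected mitigation")
            continue
        for s in selected[tid]:
            if not s.get("risk_rationale"):
                findings.append(f"mitigation {s['mitigation_id']} for {tid} selected without risk rationale")

    # 5. Listed vulnerabilities trace back to an identified threat.
    threat_ids = {t["id"] for t in model["identified_threats"]}
    for v in model["potential_vulnerabilities"]:
        if v["threat_id"] not in threat_ids:
            findings.append(f"vulnerability {v['id']} refers to unknown threat {v['threat_id']}")

    # 6. ISSO and ISSM review is recorded.
    approvers = {a["role"] for a in model.get("approvals", [])}
    for role in REQUIRED_APPROVERS:
        if role not in approvers:
            findings.append(f"no recorded approval by {role}")
    return findings


def sample_model():
    """Constructed threat model for a small web application (illustrative data only)."""
    return {
        "reviewed_for_release": "2.4.0",
        "identified_threats": [
            {"id": "T1", "title": "SQL injection via search", "components": ["web-tier", "db"], "risk": "high"},
            {"id": "T2", "title": "Credential stuffing on login", "components": ["web-tier", "idp"], "risk": "moderate"},
        ],
        "potential_vulnerabilities": [
            {"id": "V1", "threat_id": "T1", "description": "string-built query in search handler"},
            {"id": "V2", "threat_id": "T2", "description": "no lockout or rate limit on /login"},
        ],
        "countermeasures_taken": [
            {"threat_id": "T1", "description": "parameterised queries; WAF rule set for SQLi"},
        ],
        "potential_mitigations": [
            {"id": "M1", "threat_id": "T2", "description": "rate limit per account and source"},
            {"id": "M2", "threat_id": "T2", "description": "mandatory MFA"},
        ],
        "selected_mitigations": [
            {"mitigation_id": "M2", "risk_rationale": "moderate likelihood, high impact; MFA removes the attack class"},
        ],
        "approvals": [{"role": "ISSO", "date": "2020-11-02"}, {"role": "ISSM", "date": "2020-11-04"}],
    }


ARCHITECTURE = ["web-tier", "db", "idp"]  # constructed component inventory

if __name__ == "__main__":
    for line in check_threat_model(sample_model(), ARCHITECTURE, "2.4.0") or ["no findings"]:
        print(line)
```

Run against the constructed model the lint reports no findings; drop a component from the architecture inventory, remove the selected mitigation for T2, or assess a newer release than the one the model was reviewed for, and each produces the corresponding finding. Any non-empty result is exactly the condition the check content calls a finding.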

Documentable

False

Check Content Reference

M

Target Key

4093

Comments