STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide, Version 5, Release 1, Benchmark Date: 23 Oct 2020

The application must validate all input.

DISA Rule

SV-222606r508029_rule

Vulnerability Number

V-222606

Group Title

SRG-APP-000251

Rule Version

APSC-DV-002530

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Design and configure the application to validate input prior to executing commands.
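As an added illustration of this fix (not part of the STIG text, and not DISA's or STIGQter's code), the following Python shows the pattern the recommendation calls for: every externally supplied value is checked against an allowlist before it is placed into a command, and the command is executed as an argument vector rather than through a shell. The hostname pattern, the count range (1 to 10) and the `ping -c` invocation are assumptions chosen for the example.

```python
import re
import subprocess
from typing import List

# Allowlist for an RFC 1123-style hostname: dot-separated labels of letters,
# digits and hyphens, no label starting or ending with a hyphen, at most 253
# characters in total. Rejecting a leading hyphen also blocks values such as
# "-x" that a command would otherwise parse as an option (argument injection).
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


class InputValidationError(ValueError):
    """Raised when a supplied value fails allowlist validation."""


def validate_hostname(value: str) -> str:
    """Return the value unchanged if it is an allowed hostname, else raise."""
    if not isinstance(value, str) or not _HOSTNAME_RE.match(value):
        raise InputValidationError(f"invalid hostname: {value!r}")
    return value


def validate_count(value: str, lo: int = 1, hi: int = 10) -> int:
    """Accept only a short decimal string inside the range [lo, hi]."""
    if not isinstance(value, str) or not re.fullmatch(r"[0-9]{1,2}", value):
        raise InputValidationError(f"count must be 1-2 digits: {value!r}")
    count = int(value)
    if not lo <= count <= hi:
        raise InputValidationError(f"count {count} outside {lo}..{hi}")
    return count


def is_valid_hostname(value: str) -> bool:
    """Boolean wrapper, convenient for tests and pre-checks."""
    try:
        validate_hostname(value)
        return True
    except InputValidationError:
        return False


def is_valid_count(value: str) -> bool:
    """Boolean wrapper around validate_count."""
    try:
        validate_count(value)
        return True
    except InputValidationError:
        return False


def build_ping_argv(host: str, count: str) -> List[str]:
    """Build the command as an argument vector; validation happens first.

    Because the command is a list and is never handed to a shell, characters
    such as ';', '|' or '$(' in the input cannot change the command even if
    validation were later relaxed. The allowlist rejects them anyway.
    """
    return ["ping", "-c", str(validate_count(count)), validate_hostname(host)]


def run_ping(host: str, count: str) -> subprocess.CompletedProcess:
    """Execute the validated command with shell=False (the default)."""
    argv = build_ping_argv(host, count)
    return subprocess.run(argv, capture_output=True, text=True, timeout=30)


if __name__ == "__main__":
    # Constructed sample inputs: one acceptable, the others rejected up front.
    for candidate in ["example.com", "host; id", "$(whoami)", "-x"]:
        print(f"{candidate!r:>14} -> {'accepted' if is_valid_hostname(candidate) else 'rejected'}")
```

The two checks worth carrying into real code are the order (validate, then build the argument vector, then execute) and the use of a positive allowlist rather than a blocklist of "dangerous" characters; a scanner configured for input validation and fuzzing, as the check content requires, should find no path that reaches `subprocess.run` with unvalidated data.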

Check Contents

Review the application documentation, the code review reports and the vulnerability assessment scan results from automated vulnerability assessment tools.

Verify scan configuration settings include input validation and fuzzing tests.

Test data entry fields on all pages/screens of the application.

The procedures for testing input depend on the architecture of the application.

A reference on input validation testing is included at the OWASP website. The site includes testing procedures for input validation that affect many different technologies.

Identify the relevant testing procedures based upon the application architecture and components being tested.

https://www.owasp.org/index.php/Testing_for_Input_Validation

If test results include input validation errors, or if no test results exist, this is a finding.

Documentable

False

Severity Override Guidance

See Check Contents.

Check Content Reference

M

Target Key

4093

Comments