STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide, Version 5, Release 1, Benchmark Date: 23 Oct 2020

Application files must be cryptographically hashed prior to deploying to DoD operational networks.

DISA Rule

SV-222645r561278_rule

Vulnerability Number

V-222645

Group Title

SRG-APP-000516

Rule Version

APSC-DV-003140

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Developers/release managers create cryptographic hash values of application files and/or application packages prior to transitioning the application from test to a production environment. They protect the cryptographic hash information so it cannot be altered and make a read-only copy of it available to Application Admins so they can validate application packages and files after downloading them.

Application Admins validate cryptographic hashes prior to deploying the application to production.

Check Contents

Ask the application representative to demonstrate their cryptographic hash validation process or to provide process documentation. The validation process will vary with the operating system used, as there are numerous utilities available that display a file's cryptographic hash for validation purposes.

Linux operating systems include the "sha256sum" utility. On Linux systems the sha256sum command syntax is: sha256sum [OPTION]... [FILE]...

Recent Windows PowerShell versions include the "Get-FileHash" PowerShell cmdlet. The default algorithm used is SHA256.

Syntax is:
Get-FileHash
[-Path] <String[]>
[-Algorithm <String>]
[<CommonParameters>]

A validation process involves obtaining the application file's cryptographic hash value from the program's author or another authoritative source, such as the application's website. A utility like "sha256sum" is then run with the downloaded application file name as its argument. The output is the file's hash value. The two hash values are compared; if they match, the file's integrity is confirmed.
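The validation step described above, as an added example that is not part of the STIG text: a POSIX shell function that recomputes a file's SHA-256 with sha256sum and compares it, case-insensitively, with the value obtained from the authoritative source, plus a check of a published sha256sum-format hash list (the read-only copy the fix recommendation calls for). The file names and hash values in the demonstration are constructed; sha256sum from GNU or busybox coreutils is assumed.

```shell
#!/bin/sh
# Added example: validate downloaded application files against published SHA-256 values.
# Assumes sha256sum (GNU/busybox coreutils). File names and hashes below are constructed.

# verify_sha256 FILE EXPECTED_HEX -> 0 if the recomputed hash matches, 1 on mismatch, 2 on bad input
verify_sha256() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # normalise case before comparing
  [ -f "$file" ] || { echo "ERROR: no such file: $file" >&2; return 2; }
  case "$expected" in
    *[!0-9a-f]*|'') echo "ERROR: expected value is not hex: $2" >&2; return 2 ;;
  esac
  [ "${#expected}" -eq 64 ] || { echo "ERROR: expected value is not a SHA-256 (64 hex chars)" >&2; return 2; }
  actual=$(sha256sum "$file" | cut -d' ' -f1)
  if [ "$actual" = "$expected" ]; then
    echo "OK    $file"
    return 0
  fi
  echo "FAIL  $file" >&2
  echo "      expected: $expected" >&2
  echo "      actual:   $actual" >&2
  return 1
}

# verify_manifest DIR MANIFEST_NAME -> checks every entry of a sha256sum-format list
# ("<hex>  <relative path>") stored in DIR against the files in DIR; non-zero on any mismatch.
verify_manifest() {
  dir=$1
  manifest=$2
  [ -f "$dir/$manifest" ] || { echo "ERROR: no such manifest: $dir/$manifest" >&2; return 2; }
  ( cd "$dir" && sha256sum -c "$manifest" )
}

# Demonstration with a constructed package: the content "hello\n" has a well-known SHA-256.
demo() {
  tmp=$(mktemp -d)
  printf 'hello\n' > "$tmp/app-1.0.tar"
  good=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
  verify_sha256 "$tmp/app-1.0.tar" "$good"           # OK
  printf 'x' >> "$tmp/app-1.0.tar"                   # simulate a download modified in transit
  verify_sha256 "$tmp/app-1.0.tar" "$good" || true   # FAIL, with both values printed
  rm -rf "$tmp"
}

demo
```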

If the application being reviewed is a COTS product and the vendor used a SHA1 or MD5 algorithm to generate a hash value, this is not a finding.

If the application being reviewed is a COTS product and the vendor did not provide a hash value for validating the package, this is not a finding.

If the integrity of the application files/code is not validated prior to deployment to DoD operational networks, this is a finding.

Vulnerability Number

V-222645

Documentable

False

Rule Version

APSC-DV-003140

Severity Override Guidance

Ask the application representative to demonstrate their cryptographic hash validation process or to provide process documentation. The validation process will vary with the operating system used, as there are numerous utilities available that display a file's cryptographic hash for validation purposes.

Linux operating systems include the "sha256sum" utility. On Linux systems the sha256sum command syntax is: sha256sum [OPTION]... [FILE]...

Recent Windows PowerShell versions include the "Get-FileHash" PowerShell cmdlet. The default algorithm used is SHA256.

Syntax is:
Get-FileHash
[-Path] <String[]>
[-Algorithm <String>]
[<CommonParameters>]

A validation process involves obtaining the application file's cryptographic hash value from the program's author or another authoritative source, such as the application's website. A utility like "sha256sum" is then run with the downloaded application file name as its argument. The output is the file's hash value. The two hash values are compared; if they match, the file's integrity is confirmed.

If the application being reviewed is a COTS product and the vendor used a SHA1 or MD5 algorithm to generate a hash value, this is not a finding.

If the application being reviewed is a COTS product and the vendor did not provide a hash value for validating the package, this is not a finding.

If the integrity of the application files/code is not validated prior to deployment to DoD operational networks, this is a finding.

Check Content Reference

M

Target Key

4093

Comments