STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide, Version 5, Release 1, Benchmark Date: 23 Oct 2020

The application development team must provide an application incident response plan.

DISA Rule

SV-222657r561287_rule

Vulnerability Number

V-222657

Group Title

SRG-APP-000516

Rule Version

APSC-DV-003236

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

The development team creates an application incident response plan documenting and establishing a process that at a minimum:

- Tracks reported vulnerabilities and bugs
- Confirms reported vulnerabilities and bugs
- Tracks remediation effort
- Notifies application users of available updates that address the reported issues.

Check Contents

If the application is a COTS application and the development team is not accessible to interview, this requirement is not applicable.

Interview the application development team members. Request and review the application incident response plan.

Ensure the plan includes an implemented process that:

- Tracks reported vulnerabilities and bugs
- Confirms reported vulnerabilities and bugs
- Tracks remediation effort
- Notifies application users of available updates that address the reported issues.

If the application incident response plan does not exist, or does not at a minimum implement the aforementioned processes, this is a finding.

Vulnerability Number

V-222657

Documentable

False

Rule Version

APSC-DV-003236

Severity Override Guidance

Same as Check Contents above.

Check Content Reference

M

Target Key

4093

Comments