STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide, Version 5, Release 1, Benchmark Date: 23 Oct 2020

An Application Configuration Guide must be created and included with the application.

DISA Rule

SV-222663r508029_rule

Vulnerability Number

V-222663

Group Title

SRG-APP-000516

Rule Version

APSC-DV-003285

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Create the application configuration guide in accordance with configuration examples provided in the vulnerability discussion and check.

Verify the application configuration guide is distributed along with the application.

Check Contents

Interview the application administrator. Request and review the Application Configuration Guide.

Verify that the configuration guide provides, at a minimum, configuration details for the following examples. The examples provided here are not intended to limit the configuration settings that are documented in the guide.

Configuration examples include but are not limited to:

- Encryption settings
- PKI certificate configuration settings
- Password settings
- Auditing configuration
- AD (Active Directory) configuration
- Backup and disaster recovery settings
- List of hosting enclaves and network connection requirements
- Deployment configuration settings
- Known security assumptions, implications, system-level protections, best practices, and required permissions

Review the Application Configuration Guide and determine if development systems are documented. If no development is being performed where the application is hosted, this part of the requirement is NA.

Development systems, build systems, and test systems must operate in a standardized environment.

Examples include but are not limited to:

- List of development systems, build systems, and test systems
- Versions of compilers used
- Build options used when creating applications and components
- Versions of COTS software used as part of the application
- Operating systems and versions
- For web applications, which browsers and which versions are supported

If there is no application configuration guide included with the application, this is a finding.

Documentable

False

Severity Override Guidance


Check Content Reference

M

Target Key

4093

Comments