STIGQter STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide Version: 4 Release: 9 Benchmark Date: 25 Jan 2019: Service-Oriented Applications handling non-releasable data must authenticate endpoint devices via mutual SSL/TLS.

DISA Rule

SV-84173r1_rule

Vulnerability Number

V-69551

Group Title

SRG-APP-000395

Rule Version

APSC-DV-001660

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the application to utilize mutual authentication when the application is processing non-releasable data.

Check Contents

Review application documentation and interview application administrator.

Identify application data elements and determine if the application is handling/processing non-releasable data.

Review the application architecture and design documents.

Identify endpoint devices that interact with the application. These can be SOA gateways, VOIP phones, or other devices that are used to connect to and exchange data with the application.

If the design documentation specifies it, this could also include remote client workstations. However, this requirement is usually reserved for system-oriented endpoints rather than client workstations.

In order for two way SSL/TLS mutual authentication to work properly, the server must be configured to request client certificates.

Access the applications management console and navigate to the SSL/TLS management utility or web page that is used to configure two-way mutual authentication.

Verify endpoints are configured for client authentication (mutual authentication).

Some application architectures configure their settings in text/xml formatted files; in that case, have the application administrator identify the configuration files used by the application (e.g., web.xml stored in WEB-INF/ sub directory of the application root folder).

Open the web.xml file using a text editor and verify the application deployment descriptor for the application and the resource requiring protection under the "login-config" element is set to CLIENT-CERT.

If SSL/TLS mutual authentication is required due to the application processing non-releasable data and SSL/TLS mutual authentication not being utilized, this is a finding.

Vulnerability Number

V-69551

Documentable

False

Rule Version

APSC-DV-001660

Severity Override Guidance

Review application documentation and interview application administrator.

Identify application data elements and determine if the application is handling/processing non-releasable data.

Review the application architecture and design documents.

Identify endpoint devices that interact with the application. These can be SOA gateways, VOIP phones, or other devices that are used to connect to and exchange data with the application.

If the design documentation specifies it, this could also include remote client workstations. However, this requirement is usually reserved for system-oriented endpoints rather than client workstations.

In order for two way SSL/TLS mutual authentication to work properly, the server must be configured to request client certificates.

Access the applications management console and navigate to the SSL/TLS management utility or web page that is used to configure two-way mutual authentication.

Verify endpoints are configured for client authentication (mutual authentication).

Some application architectures configure their settings in text/xml formatted files; in that case, have the application administrator identify the configuration files used by the application (e.g., web.xml stored in WEB-INF/ sub directory of the application root folder).

Open the web.xml file using a text editor and verify the application deployment descriptor for the application and the resource requiring protection under the "login-config" element is set to CLIENT-CERT.

If SSL/TLS mutual authentication is required due to the application processing non-releasable data and SSL/TLS mutual authentication not being utilized, this is a finding.

Check Content Reference

M

Target Key

3009

Comments