STIGQter STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide Version: 4 Release: 9 Benchmark Date: 25 Jan 2019: An application code review must be performed on the application.

DISA Rule

SV-84997r1_rule

Vulnerability Number

V-70375

Group Title

ASDV-PL-003170

Rule Version

APSC-DV-003170

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Conduct and document code reviews on the application during development and identify and remediate all known and potential security vulnerabilities prior to releasing the application.

Check Contents

This requirement is meant to apply to developers or organizations that are doing the application development work and have the responsibility for maintaining the application source code. Otherwise, the requirement is not applicable.

Review the system documentation and ask the application representative to describe the code review process or provide documentation outlining the organizations code review process.

If code reviews are conducted with software tools, have the application representative provide the latest code review report for the application.

Ensure the code review looks for all known security flaws including but not limited to:

- format string exploits
- memory leaks
- buffer overflows
- race conditions
- sql injection
- dead/unused/commented code
- input validation exploits

If the organization does not conduct code reviews on the application that attempt to identify all known and potential security issues, or if code review results are not available for review, this is a finding.

Vulnerability Number

V-70375

Documentable

False

Rule Version

APSC-DV-003170

Severity Override Guidance

This requirement is meant to apply to developers or organizations that are doing the application development work and have the responsibility for maintaining the application source code. Otherwise, the requirement is not applicable.

Review the system documentation and ask the application representative to describe the code review process or provide documentation outlining the organizations code review process.

If code reviews are conducted with software tools, have the application representative provide the latest code review report for the application.

Ensure the code review looks for all known security flaws including but not limited to:

- format string exploits
- memory leaks
- buffer overflows
- race conditions
- sql injection
- dead/unused/commented code
- input validation exploits

If the organization does not conduct code reviews on the application that attempt to identify all known and potential security issues, or if code review results are not available for review, this is a finding.

Check Content Reference

M

Target Key

3009

Comments