0% found this document useful (0 votes)

286 views

JMS Github 1

The document is a scan report for the JMS Github 1 project. It scanned 4635 lines of code in 57 files. A total of 180 vulnerabilities were found, with the top vulnerabilities being injection issues, broken access control, and security misconfiguration. The most vulnerable files were Customer.java, Billing.java, Vendor.java, Inventory.java, and JobCard.java.

Uploaded by

BB Singh

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

286 views

JMS Github 1

Uploaded by

BB Singh

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 258

JMS Github 1 Scan Report

Project Name JMS Github 1

Scan Start Tuesday, August 22, 2023 7:28:48 AM
Preset Checkmarx Default
Scan Time 00h:01m:23s
Lines Of Code Scanned 4635
Files Scanned 57
Report Creation Time Tuesday, August 22, 2023 8:01:13 AM
https://cxapactrial.checkmarx.net/CxWebClient/ViewerMain.aspx?scanid=1011394
Online Results
&projectid=4260
Team ME
Checkmarx Version 9.5.5.1004 HF11
Scan Type Full
Source Origin GIT
Scanned Branch /refs/heads/master
Density 6/100 (Vulnerabilities/LOC)
Visibility Public

Filter Settings
Severity
Included: High, Medium, Low, Information
Excluded: None
Result State
Included: To Verify, Not Exploitable, Confirmed, Urgent, Proposed Not Exploitable
Excluded: None
Assigned to
Included: All
Categories
Included:
Uncategorized All
Custom All
PCI DSS v3.2.1 All
OWASP Top 10 2013 All
FISMA 2014 All
NIST SP 800-53 All
OWASP Top 10 2017 All
OWASP Mobile Top 10 All
2016
ASD STIG 4.10 All
OWASP Top 10 API All
OWASP Top 10 2010 All
OWASP Top 10 2021 All
MOIS(KISA) Secure All

PAGE 1 OF 258
Coding 2021
SANS top 25 All
CWE top 25 All
OWASP ASVS All
ASA Mobile Premium All
ASA Premium All
Top Tier All
ASD STIG 5.2 All
Excluded:
Uncategorized None
Custom None
PCI DSS v3.2.1 None
OWASP Top 10 2013 None
FISMA 2014 None
NIST SP 800-53 None
OWASP Top 10 2017 None
OWASP Mobile Top 10 None
2016
ASD STIG 4.10 None
OWASP Top 10 API None
OWASP Top 10 2010 None
OWASP Top 10 2021 None
MOIS(KISA) Secure None
Coding 2021
SANS top 25 None
CWE top 25 None
OWASP ASVS None
ASA Mobile Premium None
ASA Premium None
Top Tier None
ASD STIG 5.2 None
Results Limit
A limit was not defined
Selected Queries
Selected queries are listed in Result Summary

PAGE 2 OF 258
Result Summary Most Vulnerable Files

Customer.java

Billing.java
High
Medium Vendor.java
Low
Inventory.java

JobCard.java

Top 5 Vulnerabilities

PAGE 3 OF 258
Scan Summary - OWASP Top 10 2017
Further details and elaboration about vulnerabilities and risks can be found at: OWASP Top 10 2017

Threat Weakness Weakness Technical Business Issues Best Fix

Category Exploitability
Agent Prevalence Detectability Impact Impact Found Locations
App. App.
A1-Injection* EASY COMMON EASY SEVERE 121 32
Specific Specific

A2-Broken App. App.

EASY COMMON AVERAGE SEVERE 4 1
Authentication* Specific Specific

A3-Sensitive App. App.

AVERAGE WIDESPREAD AVERAGE SEVERE 0 0
Data Exposure* Specific Specific

A4-XML External App. App.

AVERAGE COMMON EASY SEVERE 0 0
Entities (XXE) Specific Specific

A5-Broken App. App.

AVERAGE COMMON AVERAGE SEVERE 20 8
Access Control* Specific Specific

A6-Security
App. App.
Misconfiguration EASY WIDESPREAD EASY MODERATE 34 34
Specific Specific
*

A7-Cross-Site App. App.

EASY WIDESPREAD EASY MODERATE 0 0
Scripting (XSS) Specific Specific

A8-Insecure App. App.

DIFFICULT COMMON AVERAGE SEVERE 0 0
Deserialization Specific Specific

A9-Using
Components App. App.
AVERAGE WIDESPREAD AVERAGE MODERATE 1 1
with Known Specific Specific
Vulnerabilities*

A10-Insufficient
App. App.
Logging & AVERAGE WIDESPREAD DIFFICULT MODERATE 0 0
Specific Specific
Monitoring

* Project scan results do not include all relevant queries. Presets and\or Filters should be changed to include all relevant standard queries.

PAGE 4 OF 258
Scan Summary - OWASP Top 10 2021

Issues Best Fix

Category
Found Locations
A1-Broken Access Control* 71 34

A2-Cryptographic Failures 8 8

A3-Injection* 118 30

A4-Insecure Design* 45 42

A5-Security Misconfiguration* 0 0

A6-Vulnerable and Outdated Components* 0 0

A7-Identification and Authentication Failures* 2 2

A8-Software and Data Integrity Failures* 1 1

A9-Security Logging and Monitoring Failures 16 15

A10-Server-Side Request Forgery 0 0

* Project scan results do not include all relevant queries. Presets and\or Filters should be changed to include all relevant standard queries.

PAGE 5 OF 258
Scan Summary - OWASP Top 10 2013
Further details and elaboration about vulnerabilities and risks can be found at: OWASP Top 10 2013

Threat Attack Weakness Weakness Technical Business Issues Best Fix

Category
Agent Vectors Prevalence Detectability Impact Impact Found Locations
EXTERNAL,
A1-Injection* INTERNAL, EASY COMMON AVERAGE SEVERE ALL DATA 118 30
ADMIN USERS

A2-Broken
EXTERNAL, AFFECTED
Authentication
INTERNAL AVERAGE WIDESPREAD AVERAGE SEVERE DATA AND 4 1
and Session
USERS FUNCTIONS
Management*

EXTERNAL, AFFECTED
A3-Cross-Site VERY
INTERNAL, AVERAGE EASY MODERATE DATA AND 0 0
Scripting (XSS) WIDESPREAD
ADMIN USERS SYSTEM

A4-Insecure
SYSTEM EXPOSED
Direct Object EASY COMMON EASY MODERATE 20 8
USERS DATA
References*

A5-Security EXTERNAL,
ALL DATA
Misconfiguration INTERNAL, EASY COMMON EASY MODERATE 33 33
AND SYSTEM
* ADMIN USERS

EXTERNAL,
INTERNAL,
A6-Sensitive EXPOSED
ADMIN DIFFICULT UNCOMMON AVERAGE SEVERE 7 7
Data Exposure* DATA
USERS, USERS
BROWSERS

A7-Missing EXTERNAL, EXPOSED

Function Level INTERNAL EASY COMMON AVERAGE MODERATE DATA AND 0 0
Access Control* USERS FUNCTIONS

A8-Cross-Site AFFECTED
USERS
Request Forgery AVERAGE COMMON EASY MODERATE DATA AND 35 10
BROWSERS
(CSRF) FUNCTIONS

A9-Using EXTERNAL
AFFECTED
Components USERS,
AVERAGE WIDESPREAD DIFFICULT MODERATE DATA AND 1 1
with Known AUTOMATED
FUNCTIONS
Vulnerabilities* TOOLS

A10-Unvalidated AFFECTED
USERS
Redirects and AVERAGE WIDESPREAD DIFFICULT MODERATE DATA AND 0 0
BROWSERS
Forwards FUNCTIONS

* Project scan results do not include all relevant queries. Presets and\or Filters should be changed to include all relevant standard queries.

PAGE 6 OF 258
Scan Summary - PCI DSS v3.2.1

Issues Best Fix

Category
Found Locations
PCI DSS (3.2.1) - 6.5.1 - Injection flaws - particularly SQL injection 138 38

PCI DSS (3.2.1) - 6.5.2 - Buffer overflows 0 0

PCI DSS (3.2.1) - 6.5.3 - Insecure cryptographic storage* 0 0

PCI DSS (3.2.1) - 6.5.4 - Insecure communications* 0 0

PCI DSS (3.2.1) - 6.5.5 - Improper error handling* 33 33

PCI DSS (3.2.1) - 6.5.7 - Cross-site scripting (XSS) 0 0

PCI DSS (3.2.1) - 6.5.8 - Improper access control* 0 0

PCI DSS (3.2.1) - 6.5.9 - Cross-site request forgery 35 10

PCI DSS (3.2.1) - 6.5.10 - Broken authentication and session management* 4 1

* Project scan results do not include all relevant queries. Presets and\or Filters should be changed to include all relevant standard queries.

PAGE 7 OF 258
Scan Summary - FISMA 2014

Issues Best Fix

Category Description
Found Locations
Organizations must limit information system access
to authorized users, processes acting on behalf of
authorized users, or devices (including other
Access Control* 14 2
information systems) and to the types of
transactions and functions that authorized users are
permitted to exercise.

Organizations must: (i) create, protect, and retain

information system audit records to the extent
needed to enable the monitoring, analysis,
investigation, and reporting of unlawful,
Audit And Accountability* unauthorized, or inappropriate information system 0 0
activity; and (ii) ensure that the actions of individual
information system users can be uniquely traced to
those users so they can be held accountable for
their actions.

Organizations must: (i) establish and maintain

baseline configurations and inventories of
organizational information systems (including
hardware, software, firmware, and documentation)
Configuration Management* throughout the respective system development life 33 33
cycles; and (ii) establish and enforce security
configuration settings for information technology
products employed in organizational information
systems.

Organizations must identify information system

users, processes acting on behalf of users, or
devices and authenticate (or verify) the identities of
Identification And Authentication* 20 20
those users, processes, or devices, as a prerequisite
to allowing access to organizational information
systems.

Organizations must: (i) protect information system

media, both paper and digital; (ii) limit access to
information on information system media to
Media Protection 4 1
authorized users; and (iii) sanitize or destroy
information system media before disposal or release
for reuse.

Organizations must: (i) monitor, control, and protect

organizational communications (i.e., information
transmitted or received by organizational
information systems) at the external boundaries and
System And Communications Protection key internal boundaries of the information systems; 1 1
and (ii) employ architectural designs, software
development techniques, and systems engineering
principles that promote effective information
security within organizational information systems.

Organizations must: (i) identify, report, and correct

information and information system flaws in a
timely manner; (ii) provide protection from
System And Information Integrity* malicious code at appropriate locations within 121 32
organizational information systems; and (iii) monitor
information system security alerts and advisories
and take appropriate actions in response.

* Project scan results do not include all relevant queries. Presets and\or Filters should be changed to include all relevant standard queries.

PAGE 8 OF 258
Scan Summary - NIST SP 800-53

Issues Best Fix

Category
Found Locations
AC-12 Session Termination (P2) 0 0

AC-3 Access Enforcement (P1)* 34 22

AC-4 Information Flow Enforcement (P1) 0 0

AC-6 Least Privilege (P1) 0 0

AU-9 Protection of Audit Information (P1) 3 2

CM-6 Configuration Settings (P2) 0 0

IA-5 Authenticator Management (P1) 0 0

IA-6 Authenticator Feedback (P2) 0 0

IA-8 Identification and Authentication (Non-Organizational Users) (P1) 0 0

SC-12 Cryptographic Key Establishment and Management (P1) 0 0

SC-13 Cryptographic Protection (P1) 0 0

SC-17 Public Key Infrastructure Certificates (P1) 0 0

SC-18 Mobile Code (P2) 0 0

SC-23 Session Authenticity (P1)* 36 11

SC-28 Protection of Information at Rest (P1)* 0 0

SC-4 Information in Shared Resources (P1) 0 0

SC-5 Denial of Service Protection (P1)* 19 19

SC-8 Transmission Confidentiality and Integrity (P1) 5 2

SI-10 Information Input Validation (P1)* 118 30

SI-11 Error Handling (P2)* 33 33

SI-15 Information Output Filtering (P0) 0 0

SI-16 Memory Protection (P1)* 0 0

* Project scan results do not include all relevant queries. Presets and\or Filters should be changed to include all relevant standard queries.

PAGE 9 OF 258
Scan Summary - OWASP Mobile Top 10 2016

Issues Best Fix

Category Description
Found Locations
This category covers misuse of a platform feature or
failure to use platform security controls. It might
include Android intents, platform permissions,
M1-Improper Platform Usage* misuse of TouchID, the Keychain, or some other 0 0
security control that is part of the mobile operating
system. There are several ways that mobile apps can
experience this risk.

This category covers insecure data storage and

M2-Insecure Data Storage* 0 0
unintended data leakage.

This category covers poor handshaking, incorrect

M3-Insecure Communication* SSL versions, weak negotiation, cleartext 0 0
communication of sensitive assets, etc.

This category captures notions of authenticating the

end user or bad session management. This can
include:
-Failing to identify the user at all when that should
M4-Insecure Authentication* 0 0
be required
-Failure to maintain the user's identity when it is
required
-Weaknesses in session management

The code applies cryptography to a sensitive

information asset. However, the cryptography is
insufficient in some way. Note that anything and
everything related to TLS or SSL goes in M3. Also, if
M5-Insufficient Cryptography* 0 0
the app fails to use cryptography at all when it
should, that probably belongs in M2. This category
is for issues where cryptography was attempted, but
it wasnt done correctly.

This is a category to capture any failures in

authorization (e.g., authorization decisions in the
client side, forced browsing, etc.). It is distinct from
authentication issues (e.g., device enrolment, user
identification, etc.).
M6-Insecure Authorization* If the app does not authenticate users at all in a 0 0
situation where it should (e.g., granting anonymous
access to some resource or service when
authenticated and authorized access is required),
then that is an authentication failure not an
authorization failure.

This category is the catch-all for code-level

implementation problems in the mobile client.
That's distinct from server-side coding mistakes.
M7-Client Code Quality* This would capture things like buffer overflows, 59 15
format string vulnerabilities, and various other code-
level mistakes where the solution is to rewrite some
code that's running on the mobile device.

This category covers binary patching, local resource

modification, method hooking, method swizzling,
and dynamic memory modification. Once the
application is delivered to the mobile device, the
M8-Code Tampering* 0 0
code and data resources are resident there. An
attacker can either directly modify the code, change
the contents of memory dynamically, change or
replace the system APIs that the application uses, or

PAGE 10 OF 258
modify the application's data and resources. This
can provide the attacker a direct method of
subverting the intended use of the software for
personal or monetary gain.

This category includes analysis of the final core

binary to determine its source code, libraries,
algorithms, and other assets. Software such as IDA
Pro, Hopper, otool, and other binary inspection
tools give the attacker insight into the inner
M9-Reverse Engineering* 0 0
workings of the application. This may be used to
exploit other nascent vulnerabilities in the
application, as well as revealing information about
back end servers, cryptographic constants and
ciphers, and intellectual property.

Often, developers include hidden backdoor

functionality or other internal development security
controls that are not intended to be released into a
M10-Extraneous Functionality* production environment. For example, a developer 0 0
may accidentally include a password as a comment
in a hybrid app. Another example includes disabling
of 2-factor authentication during testing.

* Project scan results do not include all relevant queries. Presets and\or Filters should be changed to include all relevant standard queries.

PAGE 11 OF 258
Scan Summary - Custom

Issues Best Fix

Category
Found Locations
Must audit 0 0

Check 0 0

Optional 0 0

PAGE 12 OF 258
Scan Summary - ASD STIG 4.10

Issues Best Fix

Category
Found Locations
APSC-DV-000640 - CAT II The application must provide audit record generation capability for the renewal
0 0
of session IDs.

APSC-DV-000650 - CAT II The application must not write sensitive data into the application logs. 0 0

APSC-DV-000660 - CAT II The application must provide audit record generation capability for session
0 0
timeouts.

APSC-DV-000670 - CAT II The application must record a time stamp indicating when the event occurred. 0 0

APSC-DV-000680 - CAT II The application must provide audit record generation capability for HTTP
0 0
headers including User-Agent, Referer, GET, and POST.

APSC-DV-000690 - CAT II The application must provide audit record generation capability for connecting
0 0
system IP addresses.

APSC-DV-000700 - CAT II The application must record the username or user ID of the user associated with
0 0
the event.

APSC-DV-000710 - CAT II The application must generate audit records when successful/unsuccessful
0 0
attempts to grant privileges occur.

APSC-DV-000720 - CAT II The application must generate audit records when successful/unsuccessful
0 0
attempts to access security objects occur.

APSC-DV-000730 - CAT II The application must generate audit records when successful/unsuccessful
0 0
attempts to access security levels occur.

APSC-DV-000740 - CAT II The application must generate audit records when successful/unsuccessful
0 0
attempts to access categories of information (e.g., classification levels) occur.

APSC-DV-000750 - CAT II The application must generate audit records when successful/unsuccessful
0 0
attempts to modify privileges occur.

APSC-DV-000760 - CAT II The application must generate audit records when successful/unsuccessful
0 0
attempts to modify security objects occur.

APSC-DV-000770 - CAT II The application must generate audit records when successful/unsuccessful
0 0
attempts to modify security levels occur.

APSC-DV-000780 - CAT II The application must generate audit records when successful/unsuccessful
0 0
attempts to modify categories of information (e.g., classification levels) occur.

APSC-DV-000790 - CAT II The application must generate audit records when successful/unsuccessful
0 0
attempts to delete privileges occur.

APSC-DV-000800 - CAT II The application must generate audit records when successful/unsuccessful
0 0
attempts to delete security levels occur.

APSC-DV-000810 - CAT II The application must generate audit records when successful/unsuccessful
0 0
attempts to delete application database security objects occur.

APSC-DV-000820 - CAT II The application must generate audit records when successful/unsuccessful
0 0
attempts to delete categories of information (e.g., classification levels) occur.

APSC-DV-000830 - CAT II The application must generate audit records when successful/unsuccessful
0 0
logon attempts occur.

APSC-DV-000840 - CAT II The application must generate audit records for privileged activities or other
0 0
system-level access.

APSC-DV-000850 - CAT II The application must generate audit records showing starting and ending time
0 0
for user access to the system.

APSC-DV-000860 - CAT II The application must generate audit records when successful/unsuccessful
0 0
accesses to objects occur.

PAGE 13 OF 258
APSC-DV-000870 - CAT II The application must generate audit records for all direct access to the
0 0
information system.

APSC-DV-000880 - CAT II The application must generate audit records for all account creations,
0 0
modifications, disabling, and termination events.

APSC-DV-000910 - CAT II The application must initiate session auditing upon startup. 0 0

APSC-DV-000940 - CAT II The application must log application shutdown events. 0 0

APSC-DV-000950 - CAT II The application must log destination IP addresses. 0 0

APSC-DV-000960 - CAT II The application must log user actions involving access to data. 0 0

APSC-DV-000970 - CAT II The application must log user actions involving changes to data. 0 0

APSC-DV-000980 - CAT II The application must produce audit records containing information to establish
0 0
when (date and time) the events occurred.

APSC-DV-000990 - CAT II The application must produce audit records containing enough information to
0 0
establish which component, feature or function of the application triggered the audit event.

APSC-DV-001000 - CAT II When using centralized logging; the application must include a unique identifier
0 0
in order to distinguish itself from other application logs.

APSC-DV-001010 - CAT II The application must produce audit records that contain information to
0 0
establish the outcome of the events.

APSC-DV-001020 - CAT II The application must generate audit records containing information that
0 0
establishes the identity of any individual or process associated with the event.

APSC-DV-001030 - CAT II The application must generate audit records containing the full-text recording
0 0
of privileged commands or the individual identities of group account users.

APSC-DV-001040 - CAT II The application must implement transaction recovery logs when transaction
0 0
based.

APSC-DV-001050 - CAT II The application must provide centralized management and configuration of the
0 0
content to be captured in audit records generated by all application components.

APSC-DV-001070 - CAT II The application must off-load audit records onto a different system or media
0 0
than the system being audited.

APSC-DV-001080 - CAT II The application must be configured to write application logs to a centralized log
0 0
repository.

APSC-DV-001090 - CAT II The application must provide an immediate warning to the SA and ISSO (at a
minimum) when allocated audit record storage volume reaches 75% of repository maximum audit record 0 0
storage capacity.

APSC-DV-001100 - CAT II Applications categorized as having a moderate or high impact must provide an
0 0
immediate real-time alert to the SA and ISSO (at a minimum) for all audit failure events.

APSC-DV-001110 - CAT II The application must alert the ISSO and SA (at a minimum) in the event of an
0 0
audit processing failure.

APSC-DV-001120 - CAT II The application must shut down by default upon audit failure (unless availability
0 0
is an overriding concern).

APSC-DV-001130 - CAT II The application must provide the capability to centrally review and analyze audit
0 0
records from multiple components within the system.

APSC-DV-001140 - CAT II The application must provide the capability to filter audit records for events of
0 0
interest based upon organization-defined criteria.

APSC-DV-001150 - CAT II The application must provide an audit reduction capability that supports on-
0 0
demand reporting requirements.

APSC-DV-001160 - CAT II The application must provide an audit reduction capability that supports on-
0 0
demand audit review and analysis.

APSC-DV-001170 - CAT II The application must provide an audit reduction capability that supports after-
0 0
the-fact investigations of security incidents.

APSC-DV-001180 - CAT II The application must provide a report generation capability that supports on-
0 0
demand audit review and analysis.

PAGE 14 OF 258
APSC-DV-001190 - CAT II The application must provide a report generation capability that supports on-
0 0
demand reporting requirements.

APSC-DV-001200 - CAT II The application must provide a report generation capability that supports after-
0 0
the-fact investigations of security incidents.

APSC-DV-001210 - CAT II The application must provide an audit reduction capability that does not alter
0 0
original content or time ordering of audit records.

APSC-DV-001220 - CAT II The application must provide a report generation capability that does not alter
0 0
original content or time ordering of audit records.

APSC-DV-001250 - CAT II The applications must use internal system clocks to generate time stamps for
0 0
audit records.

APSC-DV-001260 - CAT II The application must record time stamps for audit records that can be mapped
0 0
to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).

APSC-DV-001270 - CAT II The application must record time stamps for audit records that meet a
0 0
granularity of one second for a minimum degree of precision.

APSC-DV-001280 - CAT II The application must protect audit information from any type of unauthorized
0 0
read access.

APSC-DV-001290 - CAT II The application must protect audit information from unauthorized modification. 0 0

APSC-DV-001300 - CAT II The application must protect audit information from unauthorized deletion. 0 0

APSC-DV-001310 - CAT II The application must protect audit tools from unauthorized access. 0 0

APSC-DV-001320 - CAT II The application must protect audit tools from unauthorized modification. 0 0

APSC-DV-001330 - CAT II The application must protect audit tools from unauthorized deletion. 0 0

APSC-DV-001340 - CAT II The application must back up audit records at least every seven days onto a
0 0
different system or system component than the system or component being audited.

APSC-DV-001570 - CAT II The application must electronically verify Personal Identity Verification (PIV)
0 0
credentials.

APSC-DV-001350 - CAT II The application must use cryptographic mechanisms to protect the integrity of
0 0
audit information.

APSC-DV-001360 - CAT II Application audit tools must be cryptographically hashed. 0 0

APSC-DV-001370 - CAT II The integrity of the audit tools must be validated by checking the files for
0 0
changes in the cryptographic hash value.

APSC-DV-001390 - CAT II The application must prohibit user installation of software without explicit
0 0
privileged status.

APSC-DV-001410 - CAT II The application must enforce access restrictions associated with changes to
0 0
application configuration.

APSC-DV-001420 - CAT II The application must audit who makes configuration changes to the application. 0 0

APSC-DV-001430 - CAT II The application must have the capability to prevent the installation of patches,
service packs, or application components without verification the software component has been digitally 0 0
signed using a certificate that is recognized and approved by the orga

APSC-DV-001440 - CAT II The applications must limit privileges to change the software resident within
0 0
software libraries.

APSC-DV-001460 - CAT II An application vulnerability assessment must be conducted. 0 0

APSC-DV-001480 - CAT II The application must prevent program execution in accordance with
organization-defined policies regarding software program usage and restrictions, and/or rules authorizing 0 0
the terms and conditions of software program usage.

APSC-DV-001490 - CAT II The application must employ a deny-all, permit-by-exception (whitelist) policy
0 0
to allow the execution of authorized software programs.

APSC-DV-001500 - CAT II The application must be configured to disable non-essential capabilities. 0 0

APSC-DV-001510 - CAT II The application must be configured to use only functions, ports, and protocols
0 0
permitted to it in the PPSM CAL.

PAGE 15 OF 258
APSC-DV-001520 - CAT II The application must require users to reauthenticate when organization-defined
0 0
circumstances or situations require reauthentication.

APSC-DV-001530 - CAT II The application must require devices to reauthenticate when organization-
0 0
defined circumstances or situations requiring reauthentication.

APSC-DV-001540 - CAT I The application must uniquely identify and authenticate organizational users (or
0 0
processes acting on behalf of organizational users).

APSC-DV-001550 - CAT II The application must use multifactor (Alt. Token) authentication for network
0 0
access to privileged accounts.

APSC-DV-001560 - CAT II The application must accept Personal Identity Verification (PIV) credentials. 0 0

APSC-DV-001580 - CAT II The application must use multifactor (e.g., CAC, Alt. Token) authentication for
0 0
network access to non-privileged accounts.

APSC-DV-001590 - CAT II The application must use multifactor (Alt. Token) authentication for local access
0 0
to privileged accounts.

APSC-DV-001600 - CAT II The application must use multifactor (e.g., CAC, Alt. Token) authentication for
0 0
local access to non-privileged accounts.

APSC-DV-001610 - CAT II The application must ensure users are authenticated with an individual
0 0
authenticator prior to using a group authenticator.

APSC-DV-001620 - CAT II The application must implement replay-resistant authentication mechanisms for
0 0
network access to privileged accounts.

APSC-DV-001630 - CAT II The application must implement replay-resistant authentication mechanisms for
0 0
network access to non-privileged accounts.

APSC-DV-001640 - CAT II The application must utilize mutual authentication when endpoint device non-
0 0
repudiation protections are required by DoD policy or by the data owner.

APSC-DV-001650 - CAT II The application must authenticate all network connected endpoint devices
0 0
before establishing any connection.

APSC-DV-001660 - CAT II Service-Oriented Applications handling non-releasable data must authenticate

0 0
endpoint devices via mutual SSL/TLS.

APSC-DV-001670 - CAT II The application must disable device identifiers after 35 days of inactivity unless
0 0
a cryptographic certificate is used for authentication.

APSC-DV-001680 - CAT I The application must enforce a minimum 15-character password length. 0 0

APSC-DV-001690 - CAT II The application must enforce password complexity by requiring that at least one
0 0
upper-case character be used.

APSC-DV-001700 - CAT II The application must enforce password complexity by requiring that at least one
0 0
lower-case character be used.

APSC-DV-001710 - CAT II The application must enforce password complexity by requiring that at least one
0 0
numeric character be used.

APSC-DV-001720 - CAT II The application must enforce password complexity by requiring that at least one
0 0
special character be used.

APSC-DV-001730 - CAT II The application must require the change of at least 8 of the total number of
0 0
characters when passwords are changed.

APSC-DV-001740 - CAT I The application must only store cryptographic representations of passwords. 0 0

APSC-DV-001850 - CAT I The application must not display passwords/PINs as clear text. 0 0

APSC-DV-001750 - CAT I The application must transmit only cryptographically-protected passwords. 0 0

APSC-DV-001760 - CAT II The application must enforce 24 hours/1 day as the minimum password lifetime. 0 0

APSC-DV-001770 - CAT II The application must enforce a 60-day maximum password lifetime restriction. 0 0

APSC-DV-001780 - CAT II The application must prohibit password reuse for a minimum of five
0 0
generations.

APSC-DV-001790 - CAT II The application must allow the use of a temporary password for system logons
0 0
with an immediate change to a permanent password.

PAGE 16 OF 258
APSC-DV-001795 - CAT II The application password must not be changeable by users other than the
0 0
administrator or the user with which the password is associated.

APSC-DV-001800 - CAT II The application must terminate existing user sessions upon account deletion. 0 0

APSC-DV-001820 - CAT I The application, when using PKI-based authentication, must enforce authorized
0 0
access to the corresponding private key.

APSC-DV-001830 - CAT II The application must map the authenticated identity to the individual user or
0 0
group account for PKI-based authentication.

APSC-DV-001870 - CAT II The application must uniquely identify and authenticate non-organizational
0 0
users (or processes acting on behalf of non-organizational users).

APSC-DV-001810 - CAT I The application, when utilizing PKI-based authentication, must validate
certificates by constructing a certification path (which includes status information) to an accepted trust 0 0
anchor.

APSC-DV-001840 - CAT II The application, for PKI-based authentication, must implement a local cache of
revocation data to support path discovery and validation in case of the inability to access revocation 0 0
information via the network.

APSC-DV-001860 - CAT II The application must use mechanisms meeting the requirements of applicable
federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication 0 0
to a cryptographic module.

APSC-DV-001880 - CAT II The application must accept Personal Identity Verification (PIV) credentials from
0 0
other federal agencies.

APSC-DV-001890 - CAT II The application must electronically verify Personal Identity Verification (PIV)
0 0
credentials from other federal agencies.

APSC-DV-002050 - CAT II Applications making SAML assertions must use FIPS-approved random numbers
0 0
in the generation of SessionIndex in the SAML element AuthnStatement.

APSC-DV-001900 - CAT II The application must accept FICAM-approved third-party credentials. 0 0

APSC-DV-001910 - CAT II The application must conform to FICAM-issued profiles. 0 0

APSC-DV-001930 - CAT II Applications used for non-local maintenance sessions must audit non-local
0 0
maintenance and diagnostic sessions for organization-defined auditable events.

APSC-DV-000310 - CAT III The application must have a process, feature or function that prevents removal
0 0
or disabling of emergency accounts.

APSC-DV-001940 - CAT II Applications used for non-local maintenance sessions must implement
cryptographic mechanisms to protect the integrity of non-local maintenance and diagnostic 0 0
communications.

APSC-DV-001950 - CAT II Applications used for non-local maintenance sessions must implement
cryptographic mechanisms to protect the confidentiality of non-local maintenance and diagnostic 0 0
communications.

APSC-DV-001960 - CAT II Applications used for non-local maintenance sessions must verify remote
0 0
disconnection at the termination of non-local maintenance and diagnostic sessions.

APSC-DV-001970 - CAT II The application must employ strong authenticators in the establishment of non-
0 0
local maintenance and diagnostic sessions.

APSC-DV-001980 - CAT II The application must terminate all sessions and network connections when non-
0 0
local maintenance is completed.

APSC-DV-001995 - CAT II The application must not be vulnerable to race conditions. 0 0

APSC-DV-002000 - CAT II The application must terminate all network connections associated with a
0 0
communications session at the end of the session.

APSC-DV-002010 - CAT II The application must implement NSA-approved cryptography to protect

classified information in accordance with applicable federal laws, Executive Orders, directives, policies, 0 0
regulations, and standards.

APSC-DV-002020 - CAT II The application must utilize FIPS-validated cryptographic modules when signing
0 0
application components.

APSC-DV-002030 - CAT II The application must utilize FIPS-validated cryptographic modules when
0 0
generating cryptographic hashes.

PAGE 17 OF 258
APSC-DV-002040 - CAT II The application must utilize FIPS-validated cryptographic modules when
0 0
protecting unclassified information that requires cryptographic protection.

APSC-DV-002150 - CAT II The application user interface must be either physically or logically separated
0 0
from data storage and management interfaces.

APSC-DV-002210 - CAT II The application must set the HTTPOnly flag on session cookies. 0 0

APSC-DV-002220 - CAT II The application must set the secure flag on session cookies. 0 0

APSC-DV-002230 - CAT I The application must not expose session IDs. 0 0

APSC-DV-002240 - CAT I The application must destroy the session ID value and/or cookie on logoff or
0 0
browser close.

APSC-DV-002250 - CAT II Applications must use system-generated session identifiers that protect against
0 0
session fixation.

APSC-DV-002260 - CAT II Applications must validate session identifiers. 0 0

APSC-DV-002270 - CAT II Applications must not use URL embedded session IDs. 0 0

APSC-DV-002280 - CAT II The application must not re-use or recycle session IDs. 0 0

APSC-DV-002290 - CAT II The application must use the Federal Information Processing Standard (FIPS)
140-2-validated cryptographic modules and random number generator if the application implements 0 0
encryption, key exchange, digital signature, and hash functionality.

APSC-DV-002300 - CAT II The application must only allow the use of DoD-approved certificate authorities
0 0
for verification of the establishment of protected sessions.

APSC-DV-002310 - CAT I The application must fail to a secure state if system initialization fails, shutdown
0 0
fails, or aborts fail.

APSC-DV-002320 - CAT II In the event of a system failure, applications must preserve any information
necessary to determine cause of failure and any information necessary to return to operations with least 0 0
disruption to mission processes.

APSC-DV-002330 - CAT II The application must protect the confidentiality and integrity of stored
0 0
information when required by DoD policy or the information owner.

APSC-DV-002340 - CAT II The application must implement approved cryptographic mechanisms to

prevent unauthorized modification of organization-defined information at rest on organization-defined 0 0
information system components.

APSC-DV-002350 - CAT II The application must use appropriate cryptography in order to protect stored
0 0
DoD information when required by the information owner or DoD policy.

APSC-DV-002360 - CAT II The application must isolate security functions from non-security functions. 0 0

APSC-DV-002370 - CAT II The application must maintain a separate execution domain for each executing
0 0
process.

APSC-DV-002380 - CAT II Applications must prevent unauthorized and unintended information transfer
0 0
via shared system resources.

APSC-DV-002390 - CAT II XML-based applications must mitigate DoS attacks by using XML filters, parser
0 0
options, or gateways.

APSC-DV-002400 - CAT II The application must restrict the ability to launch Denial of Service (DoS) attacks
0 0
against itself or other information systems.

APSC-DV-002410 - CAT II The web service design must include redundancy mechanisms when used with
0 0
high-availability systems.

APSC-DV-002420 - CAT II An XML firewall function must be deployed to protect web services when
0 0
exposed to untrusted networks.

APSC-DV-002610 - CAT II The application must remove organization-defined software components after
0 0
updated versions have been installed.

APSC-DV-002440 - CAT I The application must protect the confidentiality and integrity of transmitted
0 0
information.

APSC-DV-002450 - CAT II The application must implement cryptographic mechanisms to prevent

unauthorized disclosure of information and/or detect changes to information during transmission unless 0 0
otherwise protected by alternative physical safeguards, such as, at a minimum, a Prot

PAGE 18 OF 258
APSC-DV-002460 - CAT II The application must maintain the confidentiality and integrity of information
0 0
during preparation for transmission.

APSC-DV-002470 - CAT II The application must maintain the confidentiality and integrity of information
0 0
during reception.

APSC-DV-002480 - CAT II The application must not disclose unnecessary information to users. 0 0

APSC-DV-002485 - CAT I The application must not store sensitive information in hidden fields. 0 0

APSC-DV-002490 - CAT I The application must protect from Cross-Site Scripting (XSS) vulnerabilities. 0 0

APSC-DV-002500 - CAT II The application must protect from Cross-Site Request Forgery (CSRF)
0 0
vulnerabilities.

APSC-DV-002510 - CAT I The application must protect from command injection. 0 0

APSC-DV-002520 - CAT II The application must protect from canonical representation vulnerabilities. 0 0

APSC-DV-002530 - CAT II The application must validate all input. 0 0

APSC-DV-002540 - CAT I The application must not be vulnerable to SQL Injection. 0 0

APSC-DV-002550 - CAT I The application must not be vulnerable to XML-oriented attacks. 0 0

APSC-DV-002560 - CAT I The application must not be subject to input handling vulnerabilities. 0 0

APSC-DV-002570 - CAT II The application must generate error messages that provide information
0 0
necessary for corrective actions without revealing information that could be exploited by adversaries.

APSC-DV-002580 - CAT II The application must reveal error messages only to the ISSO, ISSM, or SA. 0 0

APSC-DV-002590 - CAT I The application must not be vulnerable to overflow attacks. 0 0

APSC-DV-002630 - CAT II Security-relevant software updates and patches must be kept up to date. 0 0

APSC-DV-002760 - CAT II The application performing organization-defined security functions must verify
0 0
correct operation of security functions.

APSC-DV-002900 - CAT II The ISSO must ensure application audit trails are retained for at least 1 year for
0 0
applications without SAMI data, and 5 years for applications including SAMI data.

APSC-DV-002770 - CAT II The application must perform verification of the correct operation of security
functions: upon system startup and/or restart; upon command by a user with privileged access; and/or 0 0
every 30 days.

APSC-DV-002780 - CAT III The application must notify the ISSO and ISSM of failed security verification
0 0
tests.

APSC-DV-002870 - CAT II Unsigned Category 1A mobile code must not be used in the application in
0 0
accordance with DoD policy.

APSC-DV-002880 - CAT II The ISSO must ensure an account management process is implemented,
verifying only authorized users can gain access to the application, and individual accounts designated as 0 0
inactive, suspended, or terminated are promptly removed.

APSC-DV-002890 - CAT I Application web servers must be on a separate network segment from the
0 0
application and database servers if it is a tiered application operating in the DoD DMZ.

APSC-DV-002910 - CAT II The ISSO must review audit trails periodically based on system documentation
0 0
recommendations or immediately upon system security events.

APSC-DV-002920 - CAT II The ISSO must report all suspected violations of IA policies in accordance with
0 0
DoD information system IA procedures.

APSC-DV-002930 - CAT II The ISSO must ensure active vulnerability testing is performed. 0 0

APSC-DV-002980 - CAT II New IP addresses, data services, and associated ports used by the application
must be submitted to the appropriate approving authority for the organization, which in turn will be 0 0
submitted through the DoD Ports, Protocols, and Services Management (DoD PPS

APSC-DV-002950 - CAT II Execution flow diagrams and design documents must be created to show how
0 0
deadlock and recursion issues in web services are being mitigated.

APSC-DV-002960 - CAT II The designer must ensure the application does not store configuration and
0 0
control files in the same directory as user data.

APSC-DV-002970 - CAT II The ISSO must ensure if a DoD STIG or NSA guide is not available, a third-party 0 0

PAGE 19 OF 258
product will be configured by following available guidance.

APSC-DV-002990 - CAT II The application must be registered with the DoD Ports and Protocols Database. 0 0

APSC-DV-002995 - CAT II The Configuration Management (CM) repository must be properly patched and
0 0
STIG compliant.

APSC-DV-003000 - CAT II Access privileges to the Configuration Management (CM) repository must be
0 0
reviewed every three months.

APSC-DV-003010 - CAT II A Software Configuration Management (SCM) plan describing the configuration
control and change management process of application objects developed by the organization and the 0 0
roles and responsibilities of the organization must be created and maintained.

APSC-DV-003020 - CAT II A Configuration Control Board (CCB) that meets at least every release cycle, for
0 0
managing the Configuration Management (CM) process must be established.

APSC-DV-003030 - CAT II The application services and interfaces must be compatible with and ready for
0 0
IPv6 networks.

APSC-DV-003040 - CAT II The application must not be hosted on a general purpose machine if the
0 0
application is designated as critical or high availability by the ISSO.

APSC-DV-003050 - CAT II A disaster recovery/continuity plan must exist in accordance with DoD policy
0 0
based on the applications availability requirements.

APSC-DV-003060 - CAT II Recovery procedures and technical system features must exist so recovery is
performed in a secure and verifiable manner. The ISSO will document circumstances inhibiting a trusted 0 0
recovery.

APSC-DV-003070 - CAT II Data backup must be performed at required intervals in accordance with DoD
0 0
policy.

APSC-DV-003080 - CAT II Back-up copies of the application software or source code must be stored in a
0 0
fire-rated container or stored separately (offsite).

APSC-DV-003090 - CAT II Procedures must be in place to assure the appropriate physical and technical
0 0
protection of the backup and restoration of the application.

APSC-DV-003100 - CAT II The application must use encryption to implement key exchange and
0 0
authenticate endpoints prior to establishing a communication channel for key exchange.

APSC-DV-003110 - CAT I The application must not contain embedded authentication data. 0 0

APSC-DV-003120 - CAT I The application must have the capability to mark sensitive/classified output
0 0
when required.

APSC-DV-003130 - CAT III Prior to each release of the application, updates to system, or applying patches;
0 0
tests plans and procedures must be created and executed.

APSC-DV-003150 - CAT II At least one tester must be designated to test for security flaws in addition to
0 0
functional testing.

APSC-DV-003140 - CAT II Application files must be cryptographically hashed prior to deploying to DoD
0 0
operational networks.

APSC-DV-003160 - CAT III Test procedures must be created and at least annually executed to ensure
0 0
system initialization, shutdown, and aborts are configured to verify the system remains in a secure state.

APSC-DV-003170 - CAT II An application code review must be performed on the application. 0 0

APSC-DV-003180 - CAT III Code coverage statistics must be maintained for each release of the
0 0
application.

APSC-DV-003190 - CAT II Flaws found during a code review must be tracked in a defect tracking system. 0 0

APSC-DV-003200 - CAT II The changes to the application must be assessed for IA and accreditation
0 0
impact prior to implementation.

APSC-DV-003210 - CAT II Security flaws must be fixed or addressed in the project plan. 0 0

APSC-DV-003215 - CAT III The application development team must follow a set of coding standards. 0 0

APSC-DV-003220 - CAT III The designer must create and update the Design Document for each release of
0 0
the application.

PAGE 20 OF 258
APSC-DV-003230 - CAT II Threat models must be documented and reviewed for each application release
0 0
and updated as required by design and functionality changes or when new threats are discovered.

APSC-DV-003235 - CAT II The application must not be subject to error handling vulnerabilities. 0 0

APSC-DV-003250 - CAT I The application must be decommissioned when maintenance or support is no

0 0
longer available.

APSC-DV-003236 - CAT II The application development team must provide an application incident
0 0
response plan.

APSC-DV-003240 - CAT I All products must be supported by the vendor or the development team. 0 0

APSC-DV-003260 - CAT III Procedures must be in place to notify users when an application is
0 0
decommissioned.

APSC-DV-003270 - CAT II Unnecessary built-in application accounts must be disabled. 0 0

APSC-DV-003280 - CAT I Default passwords must be changed. 0 0

APSC-DV-003330 - CAT II The system must alert an administrator when low resource conditions are
0 0
encountered.

APSC-DV-003285 - CAT II An Application Configuration Guide must be created and included with the
0 0
application.

APSC-DV-003290 - CAT II If the application contains classified data, a Security Classification Guide must
0 0
exist containing data elements and their classification.

APSC-DV-003300 - CAT II The designer must ensure uncategorized or emerging mobile code is not used
0 0
in applications.

APSC-DV-003310 - CAT II Production database exports must have database administration credentials and
0 0
sensitive data removed before releasing the export.

APSC-DV-003320 - CAT II Protections against DoS attacks must be implemented. 0 0

APSC-DV-003340 - CAT III At least one application administrator must be registered to receive update
0 0
notifications, or security alerts, when automated alerts are available.

APSC-DV-003360 - CAT III The application must generate audit records when concurrent logons from
0 0
different workstations occur.

APSC-DV-003345 - CAT III The application must provide notifications or alerts when product update and
0 0
security related patches are available.

APSC-DV-003350 - CAT II Connections between the DoD enclave and the Internet or other public or
0 0
commercial wide area networks must require a DMZ.

APSC-DV-003400 - CAT II The Program Manager must verify all levels of program management, designers,
0 0
developers, and testers receive annual security training pertaining to their job function.

APSC-DV-000010 - CAT II The application must provide a capability to limit the number of logon sessions
0 0
per user.

APSC-DV-000060 - CAT II The application must clear temporary storage and cookies when the session is
0 0
terminated.

APSC-DV-000070 - CAT II The application must automatically terminate the non-privileged user session
0 0
and log off non-privileged users after a 15 minute idle time period has elapsed.

APSC-DV-000080 - CAT II The application must automatically terminate the admin user session and log off
0 0
admin users after a 10 minute idle time period is exceeded.

APSC-DV-000090 - CAT II Applications requiring user access authentication must provide a logoff
0 0
capability for user initiated communication session.

APSC-DV-000100 - CAT III The application must display an explicit logoff message to users indicating the
0 0
reliable termination of authenticated communications sessions.

APSC-DV-000110 - CAT II The application must associate organization-defined types of security attributes
0 0
having organization-defined security attribute values with information in storage.

APSC-DV-000120 - CAT II The application must associate organization-defined types of security attributes
0 0
having organization-defined security attribute values with information in process.

APSC-DV-000130 - CAT II The application must associate organization-defined types of security attributes 0 0

PAGE 21 OF 258
having organization-defined security attribute values with information in transmission.

APSC-DV-000160 - CAT II The application must implement DoD-approved encryption to protect the
0 0
confidentiality of remote access sessions.

APSC-DV-000170 - CAT II The application must implement cryptographic mechanisms to protect the
0 0
integrity of remote access sessions.

APSC-DV-000190 - CAT I Messages protected with WS_Security must use time stamps with creation and
0 0
expiration times.

APSC-DV-000180 - CAT II Applications with SOAP messages requiring integrity must include the following
message elements:-Message ID-Service Request-Timestamp-SAML Assertion (optionally included in 0 0
messages) and all elements of the message must be digitally signed.

APSC-DV-000200 - CAT I Validity periods must be verified on all application messages using WS-Security
0 0
or SAML assertions.

APSC-DV-000210 - CAT II The application must ensure each unique asserting party provides unique
0 0
assertion ID references for each SAML assertion.

APSC-DV-000220 - CAT II The application must ensure encrypted assertions, or equivalent confidentiality
protections are used when assertion data is passed through an intermediary, and confidentiality of the 0 0
assertion data is required when passing through the intermediary.

APSC-DV-000230 - CAT I The application must use the NotOnOrAfter condition when using the
0 0
SubjectConfirmation element in a SAML assertion.

APSC-DV-000240 - CAT I The application must use both the NotBefore and NotOnOrAfter elements or
0 0
OneTimeUse element when using the Conditions element in a SAML assertion.

APSC-DV-000250 - CAT II The application must ensure if a OneTimeUse element is used in an assertion,
0 0
there is only one of the same used in the Conditions element portion of an assertion.

APSC-DV-000260 - CAT II The application must ensure messages are encrypted when the SessionIndex is
0 0
tied to privacy data.

APSC-DV-000290 - CAT II Shared/group account credentials must be terminated when members leave the
0 0
group.

APSC-DV-000280 - CAT II The application must provide automated mechanisms for supporting account
0 0
management functions.

APSC-DV-000300 - CAT II The application must automatically remove or disable temporary user accounts
0 0
72 hours after account creation.

APSC-DV-000320 - CAT III The application must automatically disable accounts after a 35 day period of
0 0
account inactivity.

APSC-DV-000330 - CAT II Unnecessary application accounts must be disabled, or deleted. 0 0

APSC-DV-000420 - CAT II The application must automatically audit account enabling actions. 0 0

APSC-DV-000340 - CAT II The application must automatically audit account creation. 0 0

APSC-DV-000350 - CAT II The application must automatically audit account modification. 0 0

APSC-DV-000360 - CAT II The application must automatically audit account disabling actions. 0 0

APSC-DV-000370 - CAT II The application must automatically audit account removal actions. 0 0

APSC-DV-000380 - CAT III The application must notify System Administrators and Information System
0 0
Security Officers when accounts are created.

APSC-DV-000390 - CAT III The application must notify System Administrators and Information System
0 0
Security Officers when accounts are modified.

APSC-DV-000400 - CAT III The application must notify System Administrators and Information System
0 0
Security Officers of account disabling actions.

APSC-DV-000410 - CAT III The application must notify System Administrators and Information System
0 0
Security Officers of account removal actions.

APSC-DV-000430 - CAT III The application must notify System Administrators and Information System
0 0
Security Officers of account enabling actions.

APSC-DV-000440 - CAT II Application data protection requirements must be identified and documented. 0 0

PAGE 22 OF 258
APSC-DV-000520 - CAT II The application must audit the execution of privileged functions. 0 0

APSC-DV-000450 - CAT II The application must utilize organization-defined data mining detection
0 0
techniques for organization-defined data storage objects to adequately detect data mining attempts.

APSC-DV-000460 - CAT I The application must enforce approved authorizations for logical access to
0 0
information and system resources in accordance with applicable access control policies.

APSC-DV-000470 - CAT II The application must enforce organization-defined discretionary access control
0 0
policies over defined subjects and objects.

APSC-DV-000480 - CAT II The application must enforce approved authorizations for controlling the flow
0 0
of information within the system based on organization-defined information flow control policies.

APSC-DV-000490 - CAT II The application must enforce approved authorizations for controlling the flow
of information between interconnected systems based on organization-defined information flow control 0 0
policies.

APSC-DV-000500 - CAT II The application must prevent non-privileged users from executing privileged
functions to include disabling, circumventing, or altering implemented security 0 0
safeguards/countermeasures.

APSC-DV-000510 - CAT I The application must execute without excessive account permissions. 0 0

APSC-DV-000530 - CAT I The application must enforce the limit of three consecutive invalid logon
0 0
attempts by a user during a 15 minute time period.

APSC-DV-000560 - CAT III The application must retain the Standard Mandatory DoD Notice and Consent
Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for 0 0
further access.

APSC-DV-000540 - CAT II The application administrator must follow an approved process to unlock locked
0 0
user accounts.

APSC-DV-000550 - CAT III The application must display the Standard Mandatory DoD Notice and Consent
0 0
Banner before granting access to the application.

APSC-DV-000570 - CAT III The publicly accessible application must display the Standard Mandatory DoD
0 0
Notice and Consent Banner before granting access to the application.

APSC-DV-000580 - CAT III The application must display the time and date of the users last successful
0 0
logon.

APSC-DV-000630 - CAT II The application must provide audit record generation capability for the
0 0
destruction of session IDs.

APSC-DV-000590 - CAT II The application must protect against an individual (or process acting on behalf
of an individual) falsely denying having performed organization-defined actions to be covered by non- 0 0
repudiation.

APSC-DV-000600 - CAT II For applications providing audit record aggregation, the application must
compile audit records from organization-defined information system components into a system-wide 0 0
audit trail that is time-correlated with an organization-defined level of tolerance

APSC-DV-000610 - CAT II The application must provide the capability for organization-identified
individuals or roles to change the auditing to be performed on all application components, based on all 0 0
selectable event criteria within organization-defined time thresholds.

APSC-DV-000620 - CAT II The application must provide audit record generation capability for the creation
0 0
of session IDs.

PAGE 23 OF 258
Scan Summary - ASD STIG 5.2