...
DoD acquisition programs are specifying The Application Security and Development Security Technical Implementation Guide (STIG), Version 34, Release 10 1 [DISA 2016] in requests for proposal (RFPs). Section 2.1.5, "Coding Standards,Security Assessment Information" requires that "the Program Manager will ensure the development team follows a set of coding standards...coding standards... are all part of the suite of system documentation that is expected to be available for review when conducting a security assessment of an application."
The proper application of this standard would enable a system to comply with the following requirements from the Application Security and Development Security Technical Implementation Guide, Version 34, Release 10 1 [DISA 2016]:
- (APP2060.1: CAT II) The Program Manager will ensure the development team follows a set of coding standards.
- (APP2060.2: CAT II) The Program Manager will ensure the development team creates a list of unsafe functions to avoid and document this list in the coding standards.
- (ASDV-PL-001995: CAT II) The application must not be vulnerable to race conditions.
- (APSC-DV-002510: CAT I) The application must protect from command injection.
- (APP3550: CAT I) The Designer will ensure the application is not vulnerable to integer arithmetic issues.
- (APP3560: CAT I) The Designer will ensure the application does not contain format string vulnerabilities.
- (APSC-DV-002520: CAT II) The application must protect from canonical representation vulnerabilities.
- (APP3570: CAT I) The Designer will ensure the application does not allow command injection.
- (APSC-DV-002530: CAT II) The application must validate all input.
- (APP3590.1: CAT I) The Designer will ensure the application does not have buffer overflows.
- (APSC-DV-002560: CAT I) The application must not be subject to input handling vulnerabilities.
- (APP3590.2: CAT I) The Designer will ensure the application does not use functions known to be vulnerable to buffer overflows.
- (APSC-DV-002590: CAT I) The application must not be vulnerable to overflow attacks.
- (APP3590.3: CAT II) The Designer will ensure the application does not use signed values for memory allocation where permitted by the programming language.
- (APSC-DV-003215: CAT III) The application development team must follow a set of coding standards.
- (APP3600: CAT II) The Designer will ensure the application has no canonical representation vulnerabilities.
- (APP3630.1: CAT II) The Designer will ensure the application is not vulnerable to race conditions.
- (APP3630.2: CAT III) The Designer will ensure the application does not use global variables when local variables could be used.
- (APSC-DV-003235: CAT II) The application must not be subject to error handling vulnerabilities.
Training programmers and software testers on the standard will satisfy the following requirements:
- (APP2120.3: CAT II) The Program Manager will ensure developers are provided with training on secure design and coding practices on at least an annual basis.
- (APP2120.4: CAT II) The Program Manager will ensure testers are provided training on an annual basis.
- (APP2060.3: CAT II) The Designer will follow the established coding standards established for the project.
- (APP2060.4: CAT II) The Designer will not use unsafe functions documented in the project coding standards.
- (APSC-DV-003150: CAT II) At least one tester must be designated to test for security flaws in addition to functional testing.
- (APSC-DV-003170: CAT II) An application code review must be performed on the application.
- (APSC-DV-003210: CAT II) Security flaws must be fixed or addressed in the project plan.
- (APSC-DV-003400: CAT II) The Program Manager must verify all levels of program management, designers, developers, and testers receive annual security training pertaining to their job function.
- (APP5010: CAT III) The Test Manager will ensure at least one tester is designated to test for security flaws in addition to functional testing.
...