You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 4 Next »

Developing software to secure coding rules is a good idea and is increasingly a requirement. The National Defense Authorization Act for Fiscal Year 2013, Section 933, "Improvements in Assurance of Computer Software Procured by the Department of Defense," requires evidence that government software development and maintenance organizations and contractors are conforming, in computer software coding, to approved secure coding standards of the Department of Defense (DoD) during software development, upgrade, and maintenance activities, including through the use of inspection and appraisals.

DoD acquisition programs are specifying The Application Security and Development Security Technical Implementation Guide (STIG), Version 4, Release 1 [DISA 2016] in requests for proposal (RFPs). Section 2.1, "Security Assessment Information" requires that "...coding standards... are all part of the suite of system documentation that is expected to be available for review when conducting a security assessment of an application."

The proper application of this standard would enable a system to comply with the following requirements from the Application Security and Development Security Technical Implementation Guide, Version 4, Release 1 [DISA 2016]:

  • (APSC-DV-001995: CAT II) The application must not be vulnerable to race conditions.
  • (APSC-DV-002510: CAT I) The application must protect from command injection.
  • (APSC-DV-002520: CAT II) The application must protect from canonical representation vulnerabilities.
  • (APSC-DV-002530: CAT II) The application must validate all input.
  • (APSC-DV-002560: CAT I) The application must not be subject to input handling vulnerabilities.
  • (APSC-DV-002590: CAT I) The application must not be vulnerable to overflow attacks.
  • (APSC-DV-003215: CAT III) The application development team must follow a set of coding standards.
  • (APSC-DV-003235: CAT II) The application must not be subject to error handling vulnerabilities.

Training programmers and software testers on the standard will satisfy the following requirements:

  • (APSC-DV-003150: CAT II) At least one tester must be designated to test for security flaws in addition to functional testing.
  • (APSC-DV-003170: CAT II) An application code review must be performed on the application.
  • (APSC-DV-003210: CAT II) Security flaws must be fixed or addressed in the project plan.
  • (APSC-DV-003400: CAT II) The Program Manager must verify all levels of program management, designers, developers, and testers receive annual security training pertaining to their job function.

 


  Deprecations

  • No labels