The mobile application must assign the classification corresponding to the highest classification of its elements whenever it combines data elements classified at multiple levels.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-35087 | SRG-APP-000009-MAPP-00005 | SV-46374r1_rule | High |
| Description |
|---|
| A classification attribute assures the data is correctly handled and processed according to its sensitivity. Data of mixed classification is vulnerable to accidental exposure if it is combined with several other data elements and not properly reclassified. This control greatly reduces the risk of misclassification when data of multiple classifications are combined. |
| STIG | Date |
|---|---|
| Mobile Application Security Requirements Guide | 2013-01-04 |
Details
| Check Text ( C-43474r1_chk ) |
|---|
| For applications that combine classified data from multiple data elements, perform a dynamic program analysis to assess if the application assigns the highest classification of the combination's elements to the classification attribute of the combination whole. Examine each data file created and assess if the appropriate attribute is included. If the dynamic program analysis is inconclusive, or cannot be performed, carry out a static program analysis to assess if code is present that forces the application to assign the highest classification of the combination's elements to the classification attribute of the combination whole. If the static or dynamic program analysis reveals the application does not assign the highest classification of the combination's elements to the classification attribute of the combination whole, this is a finding. |
| Fix Text (F-39638r1_fix) |
|---|
| Modify code to ensure the application assigns the highest classification of the combination's elements to the classification attribute of the combination whole. |