The mobile application must associate security attributes with information exchanged between information systems.


Overview

Finding ID: V-35530
Version: SRG-APP-000203-MAPP-00045
Rule ID: SV-46817r1_rule
IA Controls: (none listed)
Severity: Medium
Description
When data is exchanged between information systems, security attributes must be associated with this data. Security attributes are an abstraction representing the basic properties or characteristics of an entity with respect to safeguarding information, typically associated with internal data structures (e.g., records, buffers, files) within the information system, and used to enable the implementation of access control and flow control policies; reflect special dissemination, handling, or distribution instructions; or support other aspects of the information security policy. Applying this control assures security attributes may be explicitly or implicitly associated with the information contained within the information system to support correct handling of the data according to its classification.
STIG Date
Mobile Application Security Requirements Guide 2013-01-04

Details

Check Text (C-43870r1_chk)
Perform a static program analysis of the application software to assess if security attributes are associated with data in transit. If the static analysis is not possible or inconclusive, perform a dynamic analysis to assess if the remote end receives security attributes. If the static analysis reveals that supporting code is not present, or if the dynamic analysis reveals security attributes are not received, this is a finding.
Fix Text (F-40071r1_fix)
Modify code to associate security attributes with information exchanged between systems.