
The application server must bind digital signatures to software components and applications in process.


Overview

Finding ID: V-35079
Version: SRG-APP-000007-AS-000003
Rule ID: SV-46366r1_rule
IA Controls: (none listed)
Severity: Medium
Description
If the application server (AS) does not maintain the data security attributes while it processes the data, there is a risk of data compromise. Encryption, particularly digital signatures, is used to assure the validity of data. Digital signatures must be bound to AS processes, or to applications that use the AS, when required by the data owner or classification level. Encryption is also resource-intensive, and sometimes only a particular sub-component may require encryption. Therefore, the AS must also be capable of digitally signing designated parts of components. For example, that would mean signing a portion of a web services message rather than the entire message.
STIG: Application Server Security Requirements Guide
Date: 2013-01-08

Details

Check Text (C-43466r2_chk)
Review system documentation to determine if the AS binds digital signatures to designated parts of messages when those messages are processed. If these bindings are not maintained, this is a finding.
Fix Text (F-39630r3_fix)
Configure the AS to bind digital signatures to designated parts of messages in process.