Data vulnerabilities can be major threats to national security. Government agencies and contractors who work with the federal government and the military must maintain strict security policies and standards with respect to data, the information systems that process that data, and the applications that ingest and produce the data. Regulations and guidelines now address vulnerabilities in digital access to data, applications and systems, above and beyond limiting access to physical file locations.
The Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) is one of the most important sets of standards with which government agencies and contractors must comply. The STIGs provide configuration standards and guidance for locking down information systems and software to make them less vulnerable to attack.
Compliance with the standards found in the DISA STIG is often handled by IT managers tightening their network security, and indeed many of the individual regulations require such measures. However, firewalls and limited remote access are not enough. The DISA STIG covers application security alongside network security. When your software is released, the number of potential access points to sensitive data increases exponentially—and so does the potential for abuse, misuse, neglect, or other malicious activity. The DISA STIG seeks to provide a framework to secure the application itself against threats, not just the network.
The aptly named Application Security and Development STIG, for example, provides security standards for all enterprise applications connected to Department of Defense networks. It covers both desktop and web-based applications—any piece of software used to “assist in the execution of the organization’s missions or meeting organizational goals or tasks,” which is very broad and inclusive by design. The STIG can be applied to both software under development by the agency and third-party applications. Ensuring that the applications developed by these government agencies and contractors meet the standards outlined in this—and the rest of the DISA STIG—is an important first step in protecting critical federal information systems.
Unfortunately, ensuring compliance with the DISA STIG—which is a good idea to do whether you work with the federal government or not, because better security makes safer applications regardless of industry or market sector—can be complicated and time-consuming. The latest release of the DISA STIG, version 4.0, is nearly two hundred pages, and is filled with complex regulations and standards. Making sure that your application complies with each one of those standards is a painstaking process, because the only way to truly ensure compliance is by testing your application against these standards.
That’s why, after countless requests, Code Dx version 2.3 has simplified that process. Code Dx’s mission is to make application vulnerabilities easier to find and fix, regardless of programming language or industry sector. When many of our customers inquired about providing a means to track DISA STIG compliance, we decided to integrate it directly into Code Dx version 2.3. Now Code Dx will check your applications directly for DISA STIG compliance, and we map your software vulnerabilities to both the newest DISA STIG version 4.0 as well as the older version 3.1.
In Code Dx version 2.3, your application’s base code will be compared against the DISA STIG requirements. You’re able to filter specific sections of the standards as well, and triage them based on severity. For example, with Code Dx you are able to rapidly see which vulnerabilities are associated with Severity Category Codes (called “CATs”) I, II, and III. A CAT I vulnerability will directly and immediately result in loss of Confidentiality, Availability, or Integrity; CAT II has the potential to result in such losses; and CAT III degrades measures to protect against such losses. Here is an example of what that looks like in Code Dx:
Pinpointing these compliance issues reduces time, effort, and expense during quality assurance tests, and allows engineers and quality assurance managers to prioritize appropriately. Naturally, this compliance testing is included alongside all the other standards we support. Between DISA STIG, HIPAA, PCI, OWASP top 10, SANS 25, and a wide range of other security and compliance standards, our customers can produce applications that are as secure as possible.
If you’d like to try out how Code Dx supports the DISA STIG, or learn more about Code Dx’s application vulnerability correlation and management capabilities, please contact us.