A process must exist to ensure changes to a production web server’s software or a production web server’s configurable settings are tested and documented before being implemented.

From Web Policy STIG

Part of Documented testing of web server software.

Associated with IA controls: ECSD-2, ECSD-1

SV-28788r1_rule A process must exist to ensure changes to a production web server’s software or a production web server’s configurable settings are tested and documented before being implemented.

Vulnerability discussion

This requirement only addresses the physical web server software (e.g., IIS, Apache, etc.) and web server software configuration changes. It is not related to web site application code, web content, or changes to the OS, which are governed by other vulnerabilities or STIGs. A significant threat to the production web server comes from the implementation of untested changes, which may compromise existing security controls with regard to availability, integrity, and confidentiality. The requirement for formal testing should be driven by the completion of a risk and security impact assessment. Although all changes should be tested, a DoD component may determine that formal testing is not necessary, based on the recommendation of the assessment. However, in those cases where an assessment clearly indicates risk, a formal testing process should exist. This process should be followed and documented.

Check content

When the web server software is going to be changed, updated, or patched, or when the web server software configurable settings are going to be changed, a process must exist to document, test, and receive approval for the change prior to its implementation on the production web server. This check focuses on the review, testing, documentation, and approval aspects of the change management process.

Ask the SA, or a member of the Change Control Board (CCB), to show proof that a documented Change Management (CM) process exists to test changes to a production web server prior to implementation. Key requirements of the process should include the following:

1. A documented security impact assessment.
2. The names of those individuals who completed the security impact assessment.
3. A plan developed to test the change.
4. The names of those individuals who tested the change. These individuals should not be the same individuals who designed the test plan.
5. An indication of what was being tested.
6. A description of how the test was performed.
7. A summation of the testing results.
8. An indication of testing success or failure.
9. An indication of any residual IA concerns.
10. The names of the approving authority that reviewed and accepted the testing results, including their commentary and/or their concerns.

The provided proofs of the CM process should include the CM policy and those documents required by the policy. The policy should substantially address the elements listed above. If the proof provided shows that the CM process does not substantially include the elements listed above, particularly with regard to testing, this is a finding.

Fix text

Include testing documentation in the CM process.
