From Application Security and Development Security Technical Implementation Guide
Part of SRG-APP-000206
Associated with: CCI-001166
Use of un-trusted Level 1A mobile code technologies can introduce security vulnerabilities and malicious code into the client system.
Review the application documentation and interview the application administrator to identify any mobile code that is provided by the application for client consumption. If the application does not contain mobile code, or if the mobile code executes within the client browser, this is not applicable. The URL of the application must be added to the Trusted Sites zone. This is accomplished via the Tools, Internet Options, and “Security” Tab. Select the “Trusted Sites” zone. Click the “sites” button. Enter the URL into the text box below the “Add this site to this zone” message. Click "Add”. Click “OK”. Note: This requires administrator privileges to add URL to sites on a STIG compliant workstation. Next, test the application. This testing should include functional testing from all major components of the application. If mobile code is in use, the browser will prompt to download the control. At the download prompt, the browser will indicate that code has been digitally signed. If the code has not been signed or the application warns that a control cannot be invoked due to security settings, this is a finding.
Configure the application so Category 1A mobile code is signed.
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer