Test procedures must be created and at least annually executed to ensure system initialization, shutdown, and aborts are configured to verify the system remains in a secure state.

From Application Security and Development Security Technical Implementation Guide

Part of ASDV-PL-003160

Associated with: CCI-003182

SV-84995r1_rule Test procedures must be created and at least annually executed to ensure system initialization, shutdown, and aborts are configured to verify the system remains in a secure state.

Vulnerability discussion

Secure state assurance cannot be accomplished without testing the system state at least annually to ensure the system remains in a secure state upon initialization, shutdown, and aborts.

Check content

Review the process documentation and interview the admin staff. Identify whether testing procedures exist and whether they include annual testing to ensure the application remains in a secure state on initialization, shutdown, and aborts. Checks should include, at a minimum, attempts to access the application and application configuration settings without credentials or with improper credentials, both locally and remotely. The date of the last test should be noted. If annual testing procedures do not exist, or if administrators are unable to provide testing dates that indicate the tests were conducted within the last year, this is a finding.

Fix text

Create test procedures to test the security state of the application and exercise test procedures annually.
