View Source

The proper application of this standard would enable a system to comply with the following requirements from the Application Security and Development Security Technical Implementation Guide, Version 2, Release 1 \[[DISA 2008|AA. Bibliography#DISA 2008]\]:

(APP2060.1: CAT II) The Program Manager will ensure the development team follows a set of coding standards.

(APP2060.2: CAT II) The Program Manager will ensure the development team creates a list of unsafe functions to avoid and document this list in the coding standards.

(APP3550: CAT I) The Designer will ensure the application is not vulnerable to integer arithmetic issues.

(APP3560: CAT I) The Designer will ensure the application does not contain format string vulnerabilities.

(APP3570: CAT I) The Designer will ensure the application does not allow Command Injection.

(APP3590.1: CAT I) The Designer will ensure the application does not have buffer overflows.

(APP3590.2: CAT I) The Designer will ensure the application does not use functions known to be vulnerable to buffer overflows.

(APP3590.3: CAT II) The Designer will ensure the application does not use signed values for memory allocation where permitted by the programming language.

(APP3600: CAT II) The Designer will ensure the application has no canonical representation vulnerabilities.

(APP3630.1: CAT II) The Designer will ensure the application is not vulnerable to race conditions.

(APP3630.2: CAT III) The Designer will ensure the application does not use global variables when local variables could be used.

Training programmers and software testers on the standard will satisfy requirements:

(APP2120.3: CAT II) The Program Manager will ensure developers are provided with training on secure design and coding practices on at least an annual basis.

(APP2120.4: CAT II) The Program Manager will ensure testers are provided annual training.

(APP2060.3: CAT II) The Designer will follow the established coding standards established for the project.

(APP2060.4: CAT II) The Designer will not use unsafe functions documented in the project
coding standards.

(APP5010: CAT III) The Test Manager will ensure at least one tester is designated to test for security flaws in addition to functional testing.