Cain
Posts: 86
Posted: 03/17/2006, 11:59 AM
Is Code Charge Studio DOD compliant?
Does Code Charge Studio do any input validation to prevent malicious code from being entered into the system or is that pretty much handled by the developer?
mamboBROWN
Posts: 1713
Posted: 03/20/2006, 11:29 AM
Cain
Here is a link that may answer your second question: http://forums.codecharge.com/posts.php?post_id=27232
As for the first question, I would recommend that you contact support and ask them about it.
Benjamin Krajmalnik
Posted: 03/20/2006, 12:51 PM
CCS is not STIG compliant. Per definition, the tool cannot be STIG compliant.
There are various aspects to being STIG compliant, as you are probably already aware. For those who are not, see:
http://iase.disa.mil/stigs/stig/web-stig-v6r0.pdf
I assume you are mostly referring to input validation. CCS provides the facilities to validate either client or server side, but the scope is up to you, the developer, to do so. Another item which you may want to do is encrypt the value of a URL parameter with a strong cryptographic algorithm, such as Blowfish, and decrypt upon retrieval.
That way, you can prevent URL hacking attempts, or even go one step further and eliminate URL passing by using Ajax and setting server side, encrypted session variables.
It all depends how much security you really want.
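The two approaches in the reply above, protecting a URL parameter so it cannot be altered by the client, and keeping the real value server-side so the URL carries only an opaque token, as an added example that is not CodeCharge Studio code and not from the poster. Where the post suggests Blowfish encryption, this example uses an HMAC-SHA256 tag instead, because the stated goal is detecting a tampered parameter and encryption on its own does not provide that; if the value must also be hidden, an authenticated-encryption mode such as AES-GCM from a crypto library covers both. The key and the record IDs are constructed sample values.

```python
"""Tamper-evident URL parameters and server-side token lookup (added example)."""
import base64
import binascii
import hashlib
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode

# Constructed sample key. In a real application load it from server-side
# configuration; it must never reach the client.
SECRET_KEY = b"constructed-sample-key-change-me"


def _b64e(raw: bytes) -> str:
    """URL-safe base64 without padding, so the token is clean in a query string."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    """Inverse of _b64e; restores the padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_param(value: str, key: bytes = SECRET_KEY) -> str:
    """Return '<value>.<tag>' where tag = HMAC-SHA256(key, value).

    The value itself stays readable; the tag lets the server reject any
    change made to it on the client side.
    """
    value_b = value.encode("utf-8")
    tag = hmac.new(key, value_b, hashlib.sha256).digest()
    return f"{_b64e(value_b)}.{_b64e(tag)}"


def verify_param(token: str, key: bytes = SECRET_KEY) -> Optional[str]:
    """Return the original value if the tag verifies, otherwise None.

    Malformed input (no separator, bad base64) is treated the same as a bad
    tag, and the comparison is constant-time.
    """
    try:
        value_part, tag_part = token.split(".", 1)
        value_b = _b64d(value_part)
        tag = _b64d(tag_part)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, value_b, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return value_b.decode("utf-8")


def build_url(base: str, name: str, value: str) -> str:
    """Build a URL whose parameter carries the signed value."""
    return f"{base}?{urlencode({name: sign_param(value)})}"


def read_param(url: str, name: str) -> Optional[str]:
    """Extract and verify the named parameter from a request URL."""
    query = url.split("?", 1)[1] if "?" in url else ""
    values = parse_qs(query).get(name)
    if not values:
        return None
    return verify_param(values[0])


class ServerSideStore:
    """The alternative from the post: the URL carries only a random token and
    the real value is kept in server-side session state (a dict stands in for
    the session store here)."""

    def __init__(self) -> None:
        self._items: Dict[str, str] = {}

    def put(self, value: str) -> str:
        token = secrets.token_urlsafe(32)  # unguessable, 256 bits of entropy
        self._items[token] = value
        return token

    def get(self, token: str) -> Optional[str]:
        return self._items.get(token)


def forged_token(original: str, new_value: str) -> str:
    """Simulate a client editing the value while keeping the original tag,
    to show that verify_param rejects it (constructed for the demo)."""
    return f"{_b64e(new_value.encode('utf-8'))}.{original.split('.', 1)[1]}"


if __name__ == "__main__":
    url = build_url("https://example.test/invoice.php", "id", "1042")
    print(url)
    print("genuine :", read_param(url, "id"))
    print("forged  :", verify_param(forged_token(sign_param("1042"), "1043")))
    store = ServerSideStore()
    tok = store.put("1042")
    print("token   :", tok, "->", store.get(tok))
```

The same pattern applies to any generated page that receives a record ID or similar value back from the browser: sign when emitting the link, verify before using the value in a query, and treat a verification failure as a bad request rather than falling back to the raw value.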