PCoIP Management Console_STIG Questions_v2



1) V-70255 Rule Title: The application must not store sensitive information in hidden fields.
Discussion: Hidden fields allow developers to process application data without having to display it on the screen. Using hidden fields to pass data in forms is a common practice among web applications and by itself is not a security risk.
Check Text: Interview the application administrator and review the application documentation to identify and become familiar with the application's features and functions.
Response: Teradici PCoIP Management Console does not store sensitive information in hidden fields. No customer information is stored in the Management Console’s database.

2) V-70261 Rule Title: The application must protect from command injection.
Discussion: A command injection attack is an attack on a vulnerable application where improperly validated input is passed to a command shell set up in the application. The result is the ability of an attacker to execute OS commands via the application.
Check Text: Review the application documentation and the system configuration settings.
Response: Our Security team has conducted manual penetration tests in-house against the Management Console specifically for command injection attacks.
Although we have chosen other frameworks to benchmark ourselves against (OWASP, CIS Security Benchmarks), those frameworks incorporate the same types of vulnerability checks and rules as the STIG. Teradici follows the Microsoft Security Development Lifecycle (SDL), an industry-recognized framework designed to integrate security into engineering teams' practices at every stage of development.
We use threat models as a structured approach to identify, quantify, and address the security risks associated with our products. Formal attack surface analysis furthers this approach by taking an attacker-based view of our intended architectures.
From design reviews to test cycles to bug triage, security issues are closely tracked and monitored. Each security issue is researched, resolved, and then re-tested to confirm that remediation is complete.
As part of every major release cycle, we put our products through an extensive security testing and validation process. Our products are also routinely tested by both our in-house pentesting team and external third parties specializing in security testing.
For every new release of PCoIP Management Console, the code base is scanned with Veracode (static application security testing) and Black Duck (software composition analysis of third-party components), and live test instances are scanned with an enterprise web application vulnerability scanner, Burp Suite Enterprise, which tests for and reports command injection vulnerabilities.
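The pattern the discussion describes, a shell-built command line beside its hardened form, as an added example that is not code from this article or from the Management Console. The "resolve" endpoint, the hostname allowlist rule and the attacker payload are all constructed for illustration; `echo` stands in for whatever external program the application would call.

```python
"""Command injection: a shell-built command line beside its hardened form.

Example code added for this article (not Teradici's code); the "resolve"
endpoint, the hostname rule and the attacker payload are all constructed
for illustration.
"""
import re
import subprocess

# Allowlist for the one value this endpoint accepts: a DNS name or IPv4
# literal (RFC 1123 label rules). Hypothetical input contract for the example.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

# Constructed attacker input: a valid-looking address followed by a second command.
PAYLOAD = "10.0.0.1; echo INJECTED"


def resolve_vulnerable(host: str) -> str:
    """shell=True hands one string to /bin/sh -c, which re-parses it: the ';'
    in `host` ends the echo command and starts an attacker-chosen one."""
    cmd = "echo resolving " + host
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def resolve_argv_only(host: str) -> str:
    """No shell: `host` is one argv element and is never re-parsed, so the
    metacharacters come back literally. This alone stops shell injection but
    still lets arbitrary strings reach the program."""
    return subprocess.run(["echo", "resolving", host],
                          capture_output=True, text=True).stdout


def validate_host(host: str) -> str:
    """Reject anything outside the input contract before it is used."""
    if not _HOST_RE.match(host):
        raise ValueError(f"invalid hostname: {host!r}")
    return host


def resolve_hardened(host: str) -> str:
    """Allowlist validation plus argv form: the value must match the contract,
    and even a valid value is never interpreted by a shell."""
    return resolve_argv_only(validate_host(host))


def hardened_rejects(host: str) -> bool:
    """True if the hardened path refuses `host`."""
    try:
        resolve_hardened(host)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(resolve_vulnerable(PAYLOAD), end="")    # second output line: INJECTED
    print(resolve_argv_only(PAYLOAD), end="")     # payload echoed back as data
    print("rejected:", hardened_rejects(PAYLOAD))
    print(resolve_hardened("mc.example.com"), end="")
```

The argv form removes the shell from the path entirely, which is the fix the scanners in the response are looking for; the allowlist is the second layer, because a value that reaches an external program unvalidated can still be abused through that program's own option parsing (a value beginning with `-`, for instance).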

3) V-70267 Rule Title: The application must not be vulnerable to SQL Injection.
Discussion: SQL Injection is a code injection attack against database applications. Malicious SQL statements are inserted into an application data entry field where they are submitted to the database and executed. This is a direct result of not validating input that is used by the application to perform a command or execute an action.
Check Text: Review the application documentation and interview the application administrator.
Response: Our Security team has conducted manual penetration tests in-house against the Management Console specifically for SQL injection attacks.
As noted in our response to 2) V-70261 above, as part of every major release cycle we put our products through an extensive security testing and validation process. Our products are also routinely tested by both our in-house pentesting team and external third parties specializing in security testing.
For every new release of PCoIP Management Console, the code base is scanned with Veracode and Black Duck, and live test instances are scanned with Burp Suite Enterprise, which tests for and reports SQL injection vulnerabilities.
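The vulnerable and hardened query patterns the discussion describes, as an added example that is not code from this article or from the Management Console. The endpoint table, its rows and the attacker inputs are constructed for illustration, and SQLite stands in for whatever database the application uses.

```python
"""SQL injection: string-built query beside its parameterized form.

Example code added for this article (not Teradici's code). The endpoint
table, its rows and the attacker inputs are constructed for illustration.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table standing in for an endpoint inventory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE endpoints (id INTEGER PRIMARY KEY, name TEXT, mac TEXT)")
    conn.executemany(
        "INSERT INTO endpoints (name, mac) VALUES (?, ?)",
        [("zc-lab-01", "00-11-22-33-44-01"),
         ("zc-lab-02", "00-11-22-33-44-02"),
         ("zc-exec-01", "00-11-22-33-44-03")],
    )
    return conn


def find_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The search term is spliced into the statement text, so a quote in it
    changes the query's structure instead of being compared as data."""
    sql = f"SELECT name, mac FROM endpoints WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Statement text is fixed; the driver binds `name` as a value, so it is
    compared verbatim and can never become SQL."""
    return conn.execute(
        "SELECT name, mac FROM endpoints WHERE name = ?", (name,)
    ).fetchall()


# Constructed attacker inputs.
PAYLOAD_ALL = "nobody' OR '1'='1"                                   # tautology: every row
PAYLOAD_SCHEMA = "x' UNION SELECT name, sql FROM sqlite_master--"   # schema disclosure


def demo() -> dict:
    """Run both forms against both payloads and one legitimate name."""
    conn = make_db()
    return {
        "vuln_all": find_vulnerable(conn, PAYLOAD_ALL),
        "param_all": find_parameterized(conn, PAYLOAD_ALL),
        "vuln_schema": find_vulnerable(conn, PAYLOAD_SCHEMA),
        "param_schema": find_parameterized(conn, PAYLOAD_SCHEMA),
        "param_legit": find_parameterized(conn, "zc-lab-02"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

Against the string-built query the first payload returns all three rows and the second returns the table's CREATE statement from `sqlite_master`; the parameterized query returns nothing for either, because each payload is matched literally as a name. Binding covers values only: table and column names, `ORDER BY` targets and `LIKE` wildcards in user input still need an allowlist or explicit escaping.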

4) V-70271 Rule Title: The application must not be subject to input handling vulnerabilities.
Discussion: A common application vulnerability is unpredictable behavior due to improper input validation. This requirement guards against adverse or unintended system behavior caused by invalid inputs, where information system responses to the invalid input may be disruptive or cause the system to fail into an unsafe state.
Response: Our Security team has conducted manual penetration tests in-house against the Management Console specifically for input handling vulnerabilities.
As noted in our response to 2) V-70261 above, as part of every major release cycle we put our products through an extensive security testing and validation process. Our products are also routinely tested by both our in-house pentesting team and external third parties specializing in security testing.
For every new release of PCoIP Management Console, the code base is scanned with Veracode and Black Duck, and live test instances are scanned with an enterprise web application vulnerability scanner, Burp Suite Enterprise. Veracode tests for and reports input handling vulnerabilities.

5) V-70277 Rule Title: The application must not be vulnerable to overflow attacks.
Discussion: A buffer overflow occurs when a program exceeds the amount of data allocated to a buffer. The buffer is a sequential section of memory, and when data is written outside the memory bounds, the program can crash or malicious code can be executed.
Check Text: Review the application documentation and architecture. Interview the application administrator and identify the most recent code testing and analysis that has been conducted.
Response: Our Security team has conducted manual penetration tests in-house against the Management Console specifically for overflow attacks.
As noted in our response to 2) V-70261 above, as part of every major release cycle we put our products through an extensive security testing and validation process. Our products are also routinely tested by both our in-house pentesting team and external third parties specializing in security testing.
For every new release of PCoIP Management Console, the code base is scanned with Veracode and Black Duck, and live test instances are scanned with Burp Suite Enterprise. Veracode tests for and reports overflow vulnerabilities.

6) V-70269 Rule Title: The application must not be vulnerable to XML-oriented attacks.
Discussion: Extensible Markup Language (XML) is widely employed in web technology and applications like web services (SOAP, REST, and WSDL) and is also used for configuration files. XML vulnerability examples include XML injection, XML spoofing, XML-based denial of service attacks and information disclosure attacks.
Check Text: Review the application documentation and the application architecture, and interview the application administrator.
Response: Our Security team has conducted manual penetration tests in-house against the Management Console specifically for XML-oriented attacks.
As noted in our response to 2) V-70261 above, as part of every major release cycle we put our products through an extensive security testing and validation process. Our products are also routinely tested by both our in-house pentesting team and external third parties specializing in security testing.
For every new release of PCoIP Management Console, the code base is scanned with Veracode and Black Duck, and live test instances are scanned with Burp Suite Enterprise. Both Veracode and Burp Suite Enterprise test for and report XML-oriented vulnerabilities.