WG260 A22 - Only web sites that have been fully reviewed and tested must exist on a production web server.

Information

In the case of a production web server, areas for content development and testing will not exist, as this type of content is only permissible on a development web site. The process of developing on a functional production web site entails a degree of trial and error and repeated testing. This process is often accomplished in an environment where debugging, sequencing, and formatting of content are the main goals. The opportunity for a malicious user to obtain files that reveal business logic and login schemes is high in this situation. The existence of such immature content on a web server represents a significant security risk that is totally avoidable.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

The presences of portions of the web site that proclaim Under Construction or Under Development are clear indications that a production web server is being used for development. The web administrator will ensure that all pages that are in development are not installed on a production web server.

See Also

https://iasecontent.disa.mil/stigs/zip/U_Apache_2-2_UNIX_V1R11_STIG.zip

Item Details

References: CAT|II, Rule-ID|SV-32830r2_rule, STIG-ID|WG260_A22, Vuln-ID|V-2254

Plugin: Unix

Control ID: cc16917e8217783549c12be3c728de2672d45c3b7dbb0f09ada60ff01be010eb