V-278954

Discussion

If security attributes are not associated with the information being transmitted between components, then access control policies and information flows that depend on these security attributes will not function and unauthorized access may result. When data is exchanged, the security attributes associated with this data must be validated to ensure the data has not been changed. Security attributes are values associated with data content/structure and source/destination objects. These attributes are bound to the user and data objects and may include information about the data's purpose, creator, origin, access restrictions, access permissions, or classification. Specific security attributes used depend on the application or technology context. However, these attributes are used in information systems to implement security policy for access control and flow control for users, data, and traffic. Security attributes may be explicitly or implicitly associated with the information contained within the information system. Validation checking can be performed by various means, such as using a cryptographic hash function, boundary checking of values, checksums, or message authentication code. This requirement also applies to Zero Trust initiatives.

Check Content

Verify that the ALG is configured to validate the integrity of transmitted security attributes.

If the ALG does not  validate the integrity of transmitted security attributes, this is a finding.