STIGhubSTIGhub
STIGsSearchCompareAbout

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • Compare Versions

Resources

  • About
  • VPAT
  • DISA STIG Library
STIGs updated 2 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Application Server Security Requirements Guide

V-204749

CAT II (Medium)

The application server must provide security extensions to extend the SOAP protocol and provide secure authentication when accessing sensitive data.

Rule ID

SV-204749r960993_rule

STIG

Application Server Security Requirements Guide

Version

V4R4

CCIs

CCI-001941

Discussion

Application servers may provide a web services capability that could be leveraged to allow remote access to sensitive application data. A web service, which is a repeatable process used to make data available to remote clients, should not be confused with a web server. Many web services utilize SOAP, which in turn utilizes XML and HTTP as a transport. Natively, SOAP does not provide security protections. As such, the application server must provide security extensions to enhance SOAP capabilities to ensure that secure authentication mechanisms are employed to protect sensitive data. The WS_Security suite is a widely used and acceptable SOAP security extension.

Check Content

Review application server documentation to ensure the application server provides extensions to the SOAP protocol that provide secure authentication. These protocols include, but are not limited to, WS_Security suite.  Review policy and data owner protection requirements in order to identify sensitive data.

If secure authentication protocols are not utilized to protect data identified by data owner as requiring protection, this is a finding.

Fix Text

Configure the application server to utilize secure authentication when SOAP web services are used to access sensitive data.