DISA STIG Compliance

Ensure that your development processes and resulting code meet the Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs), which define how applications must be developed to meet U.S. government cybersecurity standards.

Partial List of Rules for Secure Application Development

  • Protect against injections
  • Prevent exposure of sensitive data
  • Protect against XSS vulnerabilities
  • Encapsulate all dangerous data-returning methods with a validation function
  • Do not stop the JVM in a web component
  • Avoid using insecure algorithms for cryptography
  • Use POST rather than GET to transfer credentials
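The rules above are abstract; the servlet below is an added illustration (not Parasoft's code and not part of the STIG text) of what each one looks like in Java code. It is a hypothetical login servlet: the `users` table with `salt` and `hash` columns, the injected `DataSource`, and the PBKDF2 parameters are all assumptions chosen for the example. Credentials are accepted only over POST, the dangerous `getParameter` call is wrapped in a validation function, the query is parameterized rather than concatenated, the stored password is verified with PBKDF2-HMAC-SHA256 instead of a weak digest, output is HTML-encoded, and an internal failure is logged rather than echoed to the client or used as a reason to stop the JVM.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Arrays;
import java.util.Base64;
import java.util.regex.Pattern;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

// Hypothetical login servlet illustrating the STIG-derived rules listed above.
// The DataSource is assumed to be supplied by the container (e.g. looked up via JNDI).
public class LoginServlet extends HttpServlet {
    private static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9._-]{1,64}$");
    private static final int PBKDF2_ITERATIONS = 600_000; // assumed work factor
    private final DataSource dataSource;

    public LoginServlet(DataSource dataSource) { this.dataSource = dataSource; }

    // Rule: use POST, not GET, for credentials. Query strings end up in browser history,
    // proxy logs and server access logs, so a GET login attempt is refused outright.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.setHeader("Allow", "POST");
        resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED, "Use POST to submit credentials");
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Rule: wrap the dangerous data-returning method (getParameter) in a validation function.
        String username = validatedUsername(req.getParameter("username"));
        String password = req.getParameter("password");
        if (username == null || password == null || password.isEmpty()) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid credentials");
            return;
        }
        try {
            boolean ok = authenticate(username, password.toCharArray());
            resp.setContentType("text/html;charset=UTF-8");
            try (PrintWriter out = resp.getWriter()) {
                // Rule: protect against XSS. Encode on output even though the name was validated.
                out.println(ok ? "<p>Welcome, " + escapeHtml(username) + "</p>" : "<p>Login failed</p>");
            }
        } catch (SQLException | GeneralSecurityException e) {
            // Rules: never System.exit() from a web component; never expose the exception text
            // (query fragments, paths, driver details) to the client. Log it server-side instead.
            log("Authentication error", e);
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Authentication unavailable");
        }
    }

    private static String validatedUsername(String raw) {
        return raw != null && USERNAME.matcher(raw).matches() ? raw : null;
    }

    // Rule: protect against injection. The username is bound as a parameter, never concatenated.
    // Vulnerable pattern this replaces (do not use):
    //   stmt.executeQuery("SELECT ... WHERE username = '" + username + "' AND password = '" + pw + "'");
    private boolean authenticate(String username, char[] password)
            throws SQLException, GeneralSecurityException {
        String sql = "SELECT salt, hash FROM users WHERE username = ?";
        try (Connection c = dataSource.getConnection();
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) return false;
                byte[] salt = Base64.getDecoder().decode(rs.getString("salt"));
                byte[] expected = Base64.getDecoder().decode(rs.getString("hash"));
                // Rule: avoid insecure algorithms. PBKDF2-HMAC-SHA256, not MD5/SHA-1 of the password.
                byte[] actual = pbkdf2(password, salt, expected.length * 8);
                return MessageDigest.isEqual(expected, actual); // constant-time comparison
            }
        } finally {
            Arrays.fill(password, '\0'); // limit lifetime of the plaintext in memory
        }
    }

    private static byte[] pbkdf2(char[] password, byte[] salt, int keyBits)
            throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, PBKDF2_ITERATIONS, keyBits);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
        }
    }

    private static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char ch : s.toCharArray()) {
            switch (ch) {
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '&': sb.append("&amp;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default: sb.append(ch);
            }
        }
        return sb.toString();
    }
}
```

The rule about stopping the JVM is the easiest to miss in review: a `System.exit()` reached from a request handler takes down every application in the container, so a static analysis rule that flags it in servlet, filter, or EJB code is worth keeping enabled even where the rest of the STIG set is tailored.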

Out-of-the-box Templates for Application Security

In addition to enforcing organizations’ unique security policies, Parasoft’s static code analysis automatically identifies common security vulnerabilities with the most comprehensive static analysis rule set in the industry. The rules span the industry’s most popular technologies and platforms, including Apache Axis, WebSphere, Hibernate, servlets, Struts, and EJB 3. The following partial list includes some of the ready-to-use test configurations for rapidly analyzing code for application security defects:
  • CWE-SANS Top 25
  • Cigital
  • HIPAA Security Assessment
  • OWASP Top 10
  • Security Assessment
  • Secure Coding Best Practices
  • Sun Secure Coding Guidelines

Policy Enforcement

For security, Parasoft’s core static analysis capability can easily be configured to automatically monitor adherence to custom security policies. The rule library includes hundreds of rules that deliver “out-of-the-box” monitoring of many common policy requirements. These static analysis rules can be customized as needed to match specific policy requirements, and the rule set can be rapidly extended to address even the most complex and unique requirements. Moreover, rule names, descriptions, and severities can be mapped to the organization’s policies, establishing a fully-customized policy management and reporting interface.

Comprehensive Reporting

Parasoft’s centralized reporting system provides real-time visibility into overall security status and processes. Reports include links to documentation to help development teams understand programming best practices. With references to standards such as Common Weakness Enumeration (CWE), reports outline and document improvements, helping you determine what additional actions are needed to safeguard security. Customizable dashboards give you the flexibility to create reports that help your organization create safe, secure, and reliable applications.

Establish, Apply, and Monitor Adherence to Policies

Parasoft’s policy-driven approach defines the organization’s expectations around quality while ensuring consistent, unobtrusive policy application. The automated infrastructure automatically monitors policy compliance for visibility and auditability.
  • Drives expected behavior throughout the SDLC to promote predictable outcomes
  • Delivers an actionable set of tasks that are measurable through completion
  • Provides the control needed to continuously improve the process of delivering business applications