Description:

Mobile code technologies include Java, JavaScript, ActiveX, Postscript, PDF, Flash animations, and VBScript. Decisions regarding the use of mobile code in organizational systems are based on the potential for the code to cause damage to the systems if used maliciously. Usage restrictions and implementation guidance apply to the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations, notebook computers, and devices (e.g., smart phones). Mobile code policy and procedures address controlling or preventing the development, acquisition, or introduction of unacceptable mobile code in systems, including requiring mobile code to be digitally signed by a trusted source. [SP 800-28] provides guidance on mobile code.


Priority: Medium


Category: Baseline Security Configurations 


Services Associated with AWS:

  1. AWS WAF
  2. AWS Shield
  3. AWS CodeCommit
  4. Amazon Inspector
  5. AWS CloudTrail
  6. Amazon GuardDuty


Objective Evidence: 

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
  • Technical: screen shot of configuration settings 


Possible Technology Considerations:

  • Secure Baseline Configurations (SBC)
  • Intrusion Prevention System (IPS)
  • Antimalware Solution 


What needs to be answered?

Are there defined limits on mobile code usage (established usage restrictions) that specifically authorize the use of mobile code within the information system? Is the use of mobile code documented, monitored, and managed? (Java, JavaScript, ActiveX, PDF, Flash, Shockwave, Postscript, VBScript, etc.)

  • Mobile Code Usage Restriction Check
    Description: This check ensures that appropriate usage restrictions are in place for the mobile code technologies in use within the system: which technologies are authorized, where they may be installed or executed, and the requirement that mobile code be digitally signed by a trusted source. The check verifies that a policy controlling the use of mobile code exists and that the policy is actually adhered to on the servers and endpoints in scope.
  • Mobile Code Monitoring Check
    Description: This check ensures that all usage of mobile code within the system is properly monitored. The check verifies that monitoring tools are in place and functioning as expected to detect any unauthorized or malicious use of mobile code.
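The following Go program is an added example, not part of the original page or of any AWS service, of how the technical half of the two checks above can be automated: it classifies files as mobile code, rejects technologies the usage-restriction policy has not authorized, verifies each authorized artifact's detached signature against a set of trusted publisher keys, and emits one finding per file that a monitoring pipeline could collect and alert on. The file paths, publisher names, policy contents, sample content and signing keys are all constructed for the example; classification by file extension and detached Ed25519 signatures are simplifying assumptions (a production check would use the platform's native signing format, such as Authenticode or JAR signing, and also inspect file content).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"path/filepath"
	"strings"
)

// mobileCodeTypes maps file extensions to the technologies named by the control.
// Extension-based classification is an assumption for this example only.
var mobileCodeTypes = map[string]string{
	".js": "JavaScript", ".jar": "Java", ".class": "Java", ".vbs": "VBScript",
	".ps": "PostScript", ".pdf": "PDF", ".swf": "Flash", ".ocx": "ActiveX",
}

// authorizedTypes is a constructed sample usage-restriction policy: only these
// technologies may run, and only when signed by a trusted publisher.
var authorizedTypes = map[string]bool{"JavaScript": true, "Java": true, "PDF": true}

// Artifact is one piece of mobile code found on a server or endpoint, with the
// publisher that claims to have signed it and a detached signature.
type Artifact struct {
	Path      string
	Content   []byte
	Publisher string
	Signature []byte
}

// Finding is the per-artifact result a monitoring pipeline would ingest.
type Finding struct {
	Path, CodeType, Result string
}

// Checker holds the public keys of the publishers the organization trusts.
type Checker struct {
	Trusted map[string]ed25519.PublicKey
}

// classify returns the mobile code technology for a path, if it is one.
func classify(path string) (string, bool) {
	t, ok := mobileCodeTypes[strings.ToLower(filepath.Ext(path))]
	return t, ok
}

// Check applies the policy and signature verification to one artifact. Each
// failure mode gets its own result so violations are actionable.
func (c Checker) Check(a Artifact) Finding {
	codeType, isMobile := classify(a.Path)
	switch {
	case !isMobile:
		return Finding{a.Path, "-", "NOT_MOBILE_CODE"}
	case !authorizedTypes[codeType]:
		return Finding{a.Path, codeType, "UNAUTHORIZED_TYPE"}
	case len(a.Signature) == 0:
		return Finding{a.Path, codeType, "UNSIGNED"}
	}
	pub, trusted := c.Trusted[a.Publisher]
	if !trusted {
		return Finding{a.Path, codeType, "UNTRUSTED_PUBLISHER"}
	}
	if len(a.Signature) != ed25519.SignatureSize || !ed25519.Verify(pub, a.Content, a.Signature) {
		return Finding{a.Path, codeType, "BAD_SIGNATURE"} // tampered content or wrong key
	}
	return Finding{a.Path, codeType, "ALLOWED"}
}

// Violations filters findings down to those that require action.
func Violations(fs []Finding) []Finding {
	var out []Finding
	for _, f := range fs {
		if f.Result != "ALLOWED" && f.Result != "NOT_MOBILE_CODE" {
			out = append(out, f)
		}
	}
	return out
}

// DemoFindings builds a constructed scenario (one trusted and one unknown
// publisher, fresh keys each run) and returns the findings in artifact order.
func DemoFindings() ([]Finding, error) {
	trustedPub, trustedPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	_, roguePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	checker := Checker{Trusted: map[string]ed25519.PublicKey{"corp-release-signing": trustedPub}}
	good := []byte("console.log('approved widget');")                // constructed sample content
	tampered := []byte(string(good) + " // appended after signing") // modified after signing
	goodSig := ed25519.Sign(trustedPriv, good)
	artifacts := []Artifact{
		{"/srv/www/app.js", good, "corp-release-signing", goodSig},
		{"/srv/www/app-modified.js", tampered, "corp-release-signing", goodSig},
		{"/srv/www/vendor.js", good, "unknown-vendor", ed25519.Sign(roguePriv, good)},
		{"/srv/www/legacy.vbs", good, "corp-release-signing", ed25519.Sign(trustedPriv, good)},
		{"/srv/www/unsigned.jar", good, "corp-release-signing", nil},
		{"/srv/www/index.html", good, "", nil},
	}
	findings := make([]Finding, 0, len(artifacts))
	for _, a := range artifacts {
		findings = append(findings, checker.Check(a))
	}
	return findings, nil
}

func main() {
	findings, err := DemoFindings()
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-28s %-11s %s\n", f.Path, f.CodeType, f.Result)
	}
	fmt.Printf("%d violation(s)\n", len(Violations(findings)))
}
```

Run as written, the program flags four violations: a file modified after signing, a file signed by a publisher not in the trusted set, a VBScript file that the sample policy does not authorize regardless of signature, and an unsigned JAR. The distinct result codes are the point: the usage-restriction check needs to tell "not authorized" apart from "not signed", and the monitoring check needs records it can alert on rather than a pass/fail summary.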

More Details:

Mobile code is not used on systems containing CUI.