CA IDMS must limit the use of dynamic statements in applications, procedures, and exits to circumstances determined by the organization.

Severity
Group ID
Group Title
Version
Rule ID
Date
STIG Version
mediumV-251621SRG-APP-000251-DB-000391IDMS-DB-000500SV-251621r961158_rule2024-09-132
Description
Dynamic SQL statements are compiled at runtime and, if manipulated by an unauthorized user, can produce an innumerable array of undesired results. These statements should not be used casually.
ℹ️ Check
If EXECUTE IMMEDIATE, PREPARE, and EXECUTE statements are found while reviewing source code in applications, procedures, and exits in code that does not require it, this is a finding.
✔️ Fix
Modify the code to remove the dynamic statements EXECUTE IMMEDIATE, PREPARE, and EXECUTE. If these statements must be used, use other measures to eliminate possible code injection success by securing resources (databases, access modules, tasks, programs, etc.). Since security checks are issued by CA IDMS as it executes the commands and the authorization permissions are cached for the life of the transaction or task, whichever ends first. The use of strongly typing parameters and validating inputs are other ways to guard against code injection when dynamic statement execution must be used.