Development and modification of software only takes place in development environments
Harden and protect all development environments, including the endpoints used by software designers, developers, and testers, using a risk-based approach. Configure endpoints according to approved hardening guidelines, enforce least privilege, and continuously monitor their security posture. Require multi-factor authentication, keep dedicated development endpoints on non-production networks only, and apply zero-trust principles to endpoint configuration. Together these measures confine development activity to secure, designated environments, reducing risk and strengthening overall system integrity.
Develop and maintain configuration hardening baselines for every component in each technology stack, and publish configuration guides so that the baselines are applied consistently. Require product teams to apply the baselines to new systems and, where feasible, to bring existing systems into line. Place the guides and baselines under change management with a named owner so they keep pace with evolving best practice. Use automated tooling to apply the baselines and to keep their enforcement consistent over time.
ID | Operation | Description | Phase | Agent |
---|---|---|---|---|
SSS-01-02-01-01-01 | Develop hardening baselines and guides | Define hardening baselines for each component in the technology stack and provide configuration guides to ensure consistency. The guides should include step-by-step instructions for applying the baselines to new systems and, wherever possible, to existing ones. | Preparation | Security teams, Infrastructure teams |
SSS-01-02-01-01-02 | Implement change management and ownership | Place hardening baselines and configuration guides under change management and assign an owner to each. Owners are responsible for keeping the baselines up to date, incorporating changes as new best practices emerge or components change (e.g., version updates or new features). | Development | Product teams, Change management teams |
SSS-01-02-01-01-03 | Apply baselines in large-scale environments | In larger environments, derive instance configurations from a locally maintained master (golden) configuration so that the relevant baselines are applied consistently across the environment. | Deployment | Infrastructure teams, DevOps teams |
SSS-01-02-01-01-04 | Automate hardening configurations | Use automation tools to enforce hardening configurations, reducing human error and ensuring consistent adherence to the established baselines. | Post-deployment | DevOps teams, Security teams |
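The operations above call for automation that checks systems against a hardening baseline. The following is an added example, not code from the framework or from any vendor tool: a small drift checker for an sshd_config-style file. The baseline keywords and values are illustrative assumptions, not a published benchmark, and the sample configuration is constructed inline. It also shows the caveat an automated check has to handle: sshd uses the first occurrence of a keyword and ignores later ones, so a "compliant" line added at the end of the file does not override a non-compliant line above it, and settings inside a Match block apply only to matching connections, not globally.

```python
"""Baseline drift check for an sshd_config-style file (added example).

Assumptions: BASELINE is an illustrative set of hardening requirements,
not a published benchmark; SAMPLE_CONFIG is a constructed file, not a
real host's configuration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Assumed baseline: keyword (lower-cased) -> required value.
BASELINE = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "x11forwarding": "no",
    "maxauthtries": "4",
}

# Constructed sample config. Line 3 is the one sshd actually honours for
# PermitRootLogin; line 6 is a later duplicate that sshd ignores, and
# MaxAuthTries is only set inside a Match block, so no global value exists.
SAMPLE_CONFIG = """\
# constructed sample, not a real host file
Port 22
PermitRootLogin yes
PasswordAuthentication=no
X11Forwarding no
PermitRootLogin no
Match User deploy
    MaxAuthTries 4
"""


@dataclass
class Finding:
    key: str
    expected: str
    actual: Optional[str]          # None: keyword absent, sshd default applies
    effective_line: Optional[int]  # line sshd uses, None if absent


def parse_sshd_config(text: str) -> dict[str, tuple[str, int]]:
    """Return the effective global value and line number for each keyword.

    sshd takes the first occurrence of a keyword and ignores later ones.
    Keywords are case-insensitive and may be written "Key value",
    "Key=value" or "Key = value". Lines starting with '#' are comments.
    Everything after a 'Match' line is conditional and is skipped here,
    because it does not set the global value.
    """
    effective: dict[str, tuple[str, int]] = {}
    in_match = False
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split(None, 1)
        if len(tokens) == 2 and tokens[1].startswith("="):  # "Key = value"
            tokens = [tokens[0], tokens[1][1:]]
        elif "=" in tokens[0]:                               # "Key=value"
            tokens = line.split("=", 1)
        if len(tokens) != 2 or not tokens[1].strip():
            continue
        key, value = tokens[0].strip().lower(), tokens[1].strip()
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        effective.setdefault(key, (value, lineno))  # first occurrence wins
    return effective


def check_baseline(text: str, baseline: dict[str, str] = BASELINE) -> list[Finding]:
    """Report every baseline keyword whose effective value deviates or is unset."""
    effective = parse_sshd_config(text)
    findings: list[Finding] = []
    for key, expected in baseline.items():
        if key not in effective:
            findings.append(Finding(key, expected, None, None))
            continue
        actual, lineno = effective[key]
        if actual.lower() != expected.lower():
            findings.append(Finding(key, expected, actual, lineno))
    return findings


def main() -> None:
    for f in check_baseline(SAMPLE_CONFIG):
        where = f"line {f.effective_line}" if f.effective_line else "not set globally"
        print(f"DRIFT {f.key}: expected {f.expected!r}, found {f.actual!r} ({where})")


if __name__ == "__main__":
    main()
```

Run against SAMPLE_CONFIG the checker reports two deviations: PermitRootLogin is effectively "yes" (line 3, despite the "no" on line 6) and MaxAuthTries has no global value. A checker that simply grepped for `PermitRootLogin no` would have passed this file, which is why baseline tooling must model the target's own parsing rules rather than pattern-match the text.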
Industry framework | Academic work | Real-world case |
---|---|---|
Information Security Manual (ISM-1419); NIST Secure Software Development Framework (PO.5.2); OWASP SAMM: Software Assurance Maturity Model (O-EM-2-A) | | |