[ISM] Secure configuration:

Secure configuration guidance is produced as part of application development.

[SSDF] Establish a secure configuration baseline (SSS-02-09-01)

Establish a secure configuration baseline by defining settings that impact security. Configure each setting to a secure default that supports the security functions of the platform, network infrastructure, and services, without weakening protections. Conduct thorough testing to verify that these secure defaults function correctly and do not introduce operational issues. This baseline provides a foundation for secure software deployments by ensuring security is upheld across all configurations.

[SAMM] Define and enforce configuration hardening baselines (SSS-02-09-01-01)

Develop hardening baselines for all components across the technology stack, ensuring consistency in the application of secure configurations. Create comprehensive configuration guides for each component, detailing the required settings to uphold security. Mandate that product teams implement these baselines for all new deployments and update existing systems where feasible. Place these baselines and their associated configuration guides under strict change management processes, assigning ownership to designated individuals or teams responsible for maintaining them. Owners must ensure the baselines are kept current with evolving security best practices and updates to underlying technologies, such as new features or version changes. For larger-scale environments, use a centrally managed configuration master to derive and propagate settings to individual instances, ensuring uniform application of security standards. Leverage automated tools to streamline the hardening process and reduce human error. By implementing these measures, organizations establish a robust framework to safeguard systems and maintain operational integrity.

Operations

ID | Operation | Description | Phase | Agent
SSS-02-09-01-01-01 | Develop hardening baselines and guides | Define hardening baselines for each component in the technology stack and provide configuration guides to ensure consistency. These guides should include step-by-step instructions for applying baselines to both new and existing systems whenever possible. | Preparation | Security teams, Infrastructure teams
SSS-02-09-01-01-02 | Implement change management and ownership | Place hardening baselines and configuration guides under change management, and assign an owner for each. Owners are responsible for keeping these baselines up-to-date, incorporating updates as new best practices emerge or components change (e.g., version updates or new features). | Development | Product teams, Change management teams
SSS-02-09-01-01-03 | Apply baselines in large-scale environments | For larger environments, use a locally maintained master to derive configurations for instances, ensuring that relevant configuration baselines are applied consistently across the environment. | Deployment | Infrastructure teams, DevOps teams
SSS-02-09-01-01-04 | Automate hardening configurations | Use automation tools to enforce hardening configurations, reducing human error and ensuring consistent adherence to established baselines. | Post-deployment | DevOps teams, Security teams

References

Industry framework | Academic work | Real-world case
Information Security Manual (ISM-1798) | |
NIST Secure Software Development Framework (PW.9.1) | |
OWASP SAMM: Software Assurance Maturity Model (O-EM-2-A) | |

[SSDF] Apply and enforce secure default settings (SSS-02-09-02)

Apply the secure default settings consistently and document each configuration for software administrators to support secure management practices. Verify that all configurations are approved, record the details of each setting, and use authoritative programmatic mechanisms to enforce configurations. Store these settings with change control to maintain security integrity. This ensures that administrators have clear, reliable guidance for securely configuring and managing the software.

[SAMM] Perform continuous configuration monitoring (SSS-02-09-02-01)

Continuous configuration monitoring ensures that deployed technology stacks adhere to established security baselines. This involves regularly checking configurations for compliance and treating non-conformance as security defects. Corrective actions are managed through defect management practices. Automated measures, such as self-healing configurations and SIEM alerts, can enhance efficiency. Baselines and configuration guides must be regularly reviewed and updated, especially during component updates or at least annually, to ensure they remain accurate and effective. Feedback from teams maintaining these configurations should inform ongoing improvements.

Operations

ID | Operation | Description | Phase | Agent
SSS-02-09-02-01-01 | Monitor configurations against baselines | Regularly check deployed configurations against established baselines using automated or manual methods. Publish results through dashboards or reports to ensure visibility and prompt action. | Deployment | IT Operations
SSS-02-09-02-01-02 | Treat non-conformance as security defects | Identify non-conforming configurations as security findings. Manage these findings through established defect management practices to ensure timely remediation and minimize security risks. | Deployment | Security Teams
SSS-02-09-02-01-03 | Leverage automation for self-healing | Implement automated measures such as self-healing configurations and SIEM alerts to detect and address non-conformance in real time, reducing manual effort and response time. | Post-deployment | DevOps Teams
SSS-02-09-02-01-04 | Review and update configuration baselines | As part of the update process (e.g., new releases, vendor patches), review and update corresponding baselines and configuration guides to maintain relevance. Perform annual reviews of all baselines and guides to ensure alignment with organizational needs and evolving threats. | Post-deployment | Compliance Teams
SSS-02-09-02-01-05 | Incorporate feedback for continuous improvement | Periodically review the baseline management process, incorporating feedback and lessons learned from teams managing and applying configuration baselines. Use this input to refine processes and improve overall efficiency and effectiveness. | Post-deployment | Configuration Management Teams
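An added example, not code from ISM, SSDF or SAMM, that ties SSS-02-09-01-01 (derive instance configurations from a centrally managed master without weakening the baseline) to SSS-02-09-02-01 (check the deployed configuration against the approved one, record each mismatch as a finding, and self-heal). The service, its settings and their values are constructed for illustration.

```python
"""Constructed example: derive instance configs from a baseline master and
detect drift in deployed configs. Not reference code from any framework."""
from dataclasses import dataclass
from typing import Any, Callable, Optional

@dataclass(frozen=True)
class Setting:
    default: Any                                     # the secure default
    allow: Optional[Callable[[Any], bool]] = None    # None = locked, no override

# Constructed baseline for a hypothetical web service. An instance override
# may only tighten a setting, never weaken it; locked settings have no override.
BASELINE = {
    "tls_min_version": Setting("1.2", lambda v: v in ("1.2", "1.3")),
    "debug_mode": Setting(False),                    # locked
    "session_timeout_min": Setting(15, lambda v: 0 < v <= 15),
    "password_min_length": Setting(14, lambda v: v >= 14),
}

def derive_instance_config(overrides: dict) -> dict:
    """Build an approved config from the master; reject unknown or weakening overrides."""
    cfg = {name: s.default for name, s in BASELINE.items()}
    for name, value in overrides.items():
        s = BASELINE.get(name)
        if s is None:
            raise KeyError(f"unknown setting {name!r}")
        if s.allow is None or not s.allow(value):
            raise ValueError(f"override {name!r}={value!r} weakens the baseline")
        cfg[name] = value
    return cfg

@dataclass(frozen=True)
class Finding:
    setting: str
    expected: Any
    actual: Any   # None when the setting is missing from the deployed config

def check_drift(approved: dict, deployed: dict) -> list:
    """Compare deployed against approved config; each mismatch is a security finding."""
    return [Finding(k, v, deployed.get(k))
            for k, v in approved.items() if deployed.get(k) != v]

def self_heal(approved: dict, deployed: dict) -> tuple:
    """Reset drifted settings to their approved values; return healed config and findings."""
    findings = check_drift(approved, deployed)
    healed = dict(deployed)
    for f in findings:
        healed[f.setting] = f.expected
    return healed, findings
```

The findings list is what would feed the defect tracker or a SIEM alert; a missing setting is reported as drift rather than silently treated as conforming.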

References

Industry framework | Academic work | Real-world case
Information Security Manual (ISM-1798) | |
NIST Secure Software Development Framework (PW.9.2) | |
OWASP SAMM: Software Assurance Maturity Model (O-EM-3-A) | |