Secure configuration guidance is produced as part of application development.
Establish a secure configuration baseline by defining settings that impact security. Configure each setting to a secure default that supports the security functions of the platform, network infrastructure, and services, without weakening protections. Conduct thorough testing to verify that these secure defaults function correctly and do not introduce operational issues. This baseline provides a foundation for secure software deployments by ensuring security is upheld across all configurations.
Develop hardening baselines for all components across the technology stack, ensuring consistency in the application of secure configurations. Create comprehensive configuration guides for each component, detailing the required settings to uphold security. Mandate that product teams implement these baselines for all new deployments and update existing systems where feasible. Place these baselines and their associated configuration guides under strict change management processes, assigning ownership to designated individuals or teams responsible for maintaining them. Owners must ensure the baselines are kept current with evolving security best practices and updates to underlying technologies, such as new features or version changes. For larger-scale environments, use a centrally managed configuration master to derive and propagate settings to individual instances, ensuring uniform application of security standards. Leverage automated tools to streamline the hardening process and reduce human error. By implementing these measures, organizations establish a robust framework to safeguard systems and maintain operational integrity.
| ID | Operation | Description | Phase | Agent |
|---|---|---|---|---|
| SSS-02-09-01-01-01 | Develop hardening baselines and guides | Define hardening baselines for each component in the technology stack and provide configuration guides to ensure consistency. These guides should include step-by-step instructions for applying baselines to both new and existing systems whenever possible | Preparation | Security teams, Infrastructure teams |
| SSS-02-09-01-01-02 | Implement change management and ownership | Place hardening baselines and configuration guides under change management, and assign an owner for each. Owners are responsible for keeping these baselines up-to-date, incorporating updates as new best practices emerge or components change (e.g., version updates or new features). | Development | Product teams, Change management teams |
| SSS-02-09-01-01-03 | Apply baselines in large-scale environments | For larger environments, use a locally maintained master to derive configurations for instances, ensuring that relevant configuration baselines are applied consistently across the environment. | Deployment | Infrastructure teams, DevOps teams |
| SSS-02-09-01-01-04 | Automate hardening configurations | Use automation tools to enforce hardening configurations, reducing human error and ensuring consistent adherence to established baselines | Post-deployment | DevOps teams, Security teams |
| Industry framework | Academic work | Real-world case |
|---|---|---|
|
Information Security Manual (ISM-1798) NIST Secure Software Development Framework (PW.9.1) OWASP SAMM: Software Assurance Maturity Model (O-EM-2-A) |