Secure configuration guidance is produced as part of application development.
Apply the secure default settings consistently and document each configuration so that software administrators can manage the software securely. Verify that every configuration is approved, record the details of each setting, and enforce configurations through authoritative programmatic mechanisms (configuration applied by tooling rather than by hand, so the deployed state can be reproduced and audited). Keep these settings under change control so that any deviation from the approved state is visible and attributable. This gives administrators clear, reliable guidance for securely configuring and managing the software.
Continuous configuration monitoring ensures that deployed technology stacks keep adhering to the established security baselines after release. This involves regularly comparing deployed configurations with the baseline and treating each non-conformance as a security defect, with corrective actions managed through the normal defect management process. Automated measures, such as self-healing configurations and SIEM alerts, shorten the window between a setting drifting and it being detected and restored. Baselines and configuration guides must be reviewed and updated whenever a component is updated, and at least annually, so that they remain accurate and effective. Feedback from the teams that maintain and apply these configurations should inform ongoing improvements.
ID | Operation | Description | Phase | Agent |
---|---|---|---|---|
SSS-02-09-02-01-01 | Monitor configurations against baselines | Regularly check deployed configurations against established baselines using automated or manual methods. Publish results through dashboards or reports to ensure visibility and prompt action. | Deployment | IT Operations |
SSS-02-09-02-01-02 | Treat non-conformance as security defects | Identify non-conforming configurations as security findings. Manage these findings through established defect management practices to ensure timely remediation and minimize security risks. | Deployment | Security Teams |
SSS-02-09-02-01-03 | Leverage automation for self-healing | Implement automated measures such as self-healing configurations and SIEM alerts to detect and address non-conformance in real time, reducing manual effort and response time. | Post-deployment | DevOps Teams |
SSS-02-09-02-01-04 | Review and update configuration baselines | As part of the update process (e.g., new releases, vendor patches), review and update corresponding baselines and configuration guides to maintain relevance. Perform annual reviews of all baselines and guides to ensure alignment with organizational needs and evolving threats. | Post-deployment | Compliance Teams |
SSS-02-09-02-01-05 | Incorporate feedback for continuous improvement | Periodically review the baseline management process, incorporating feedback and lessons learned from teams managing and applying configuration baselines. Use this input to refine processes and improve overall efficiency and effectiveness. | Post-deployment | Configuration Management Teams |
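A minimal drift check of the kind the first three operations above describe, added here as an illustration and not code from the framework or any referenced standard. It uses a constructed baseline of security-relevant settings (each with the expected value and a severity for non-conformance), a constructed deployed configuration, a comparison that treats a missing setting or a value weaker than the baseline as a finding, a self-heal step that rewrites only the drifted settings, and a JSON alert line in the shape a SIEM ingest would accept. All setting names, severities and hostnames are hypothetical; only settings present in the baseline are checked, so anything the baseline does not mention is not flagged.

```python
"""Configuration drift detection against a security baseline (added example)."""
from __future__ import annotations

import json
from dataclasses import asdict, dataclass
from typing import Any

# Hypothetical baseline (constructed for this example). Each setting carries the
# approved value and the severity assigned when the deployed value does not conform.
# "compare": "min_version" means any version >= expected conforms, not only equality.
BASELINE: dict[str, dict[str, Any]] = {
    "ssh.PermitRootLogin": {"expected": "no", "severity": "high"},
    "ssh.PasswordAuthentication": {"expected": "no", "severity": "high"},
    "tls.MinVersion": {"expected": "1.2", "severity": "medium", "compare": "min_version"},
    "logging.AuditEnabled": {"expected": True, "severity": "high"},
    "web.DebugMode": {"expected": False, "severity": "high"},
}

# Constructed snapshot of a deployed host. Note the drifted root login, the weak TLS
# floor, and that logging.AuditEnabled is absent altogether.
DEPLOYED: dict[str, Any] = {
    "ssh.PermitRootLogin": "yes",
    "ssh.PasswordAuthentication": "no",
    "tls.MinVersion": "1.0",
    "web.DebugMode": False,
}


@dataclass
class Finding:
    """One non-conforming setting, recorded as a security defect."""
    setting: str
    expected: Any
    observed: Any
    severity: str


def _version_tuple(value: Any) -> tuple[int, ...]:
    return tuple(int(part) for part in str(value).split("."))


def _conforms(rule: dict[str, Any], observed: Any) -> bool:
    """A missing setting never conforms: the baseline must be explicitly met."""
    if observed is None:
        return False
    if rule.get("compare") == "min_version":
        try:
            return _version_tuple(observed) >= _version_tuple(rule["expected"])
        except ValueError:
            return False  # unparseable version is treated as non-conformant
    return observed == rule["expected"]


def check_drift(deployed: dict[str, Any], baseline: dict[str, dict[str, Any]] = BASELINE) -> list[Finding]:
    """Compare a deployed configuration with the baseline; return findings in baseline order."""
    findings: list[Finding] = []
    for setting, rule in baseline.items():
        observed = deployed.get(setting)
        if not _conforms(rule, observed):
            findings.append(Finding(setting, rule["expected"], observed, rule["severity"]))
    return findings


def self_heal(deployed: dict[str, Any], findings: list[Finding]) -> dict[str, Any]:
    """Return a corrected copy: only the drifted settings are reset to the baseline value."""
    healed = dict(deployed)
    for finding in findings:
        healed[finding.setting] = finding.expected
    return healed


def siem_alert(host: str, finding: Finding) -> str:
    """One JSON line per finding, suitable for forwarding to a SIEM (constructed schema)."""
    return json.dumps({"event": "config_drift", "host": host, **asdict(finding)}, sort_keys=True)


if __name__ == "__main__":
    findings = check_drift(DEPLOYED)
    for f in findings:
        print(siem_alert("web-01", f))
    healed = self_heal(DEPLOYED, findings)
    print("drift remaining after self-heal:", len(check_drift(healed)))
```

Run stand-alone, the script emits three alert lines (root login, TLS floor, missing audit logging) and reports no drift after the self-heal pass; in a real pipeline the healed configuration would be applied through the same programmatic mechanism that enforces the baseline, and each finding would also be opened in defect management so that repeat drift is visible over time.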
Industry framework | Academic work | Real-world case |
---|---|---|
Information Security Manual (ISM-1798) | | |
NIST Secure Software Development Framework (PW.9.2) | | |
OWASP SAMM: Software Assurance Maturity Model (O-EM-3-A) | | |