Deployment: Software Environment (SE)
The overall goal of the Software Environment practice is change management. Those responsible for the software environment must ensure their ability to make authorized changes and to detect unauthorized changes and activity. Managers must enforce adherence to corporate policy.
DEPLOYMENT: SOFTWARE ENVIRONMENT: OS and platform patching, Web application firewalls, installation and configuration documentation, application monitoring, change management, code signing.

| | Objective | Activity | Level |
|---|---|---|---|
| SE1.1 | watch software | use application input monitoring | 1 |
| SE1.2 | provide a solid host/network foundation for software | ensure host/network security basics in place | 1 |
| SE2.2 | guide operations on application needs | publish installation guides created by SSDL | 2 |
| SE2.3 | watch software | use application behavior monitoring and diagnostics | 2 |
| SE2.4 | protect apps (or parts of apps) that are published over trust boundaries | use code signing | 2 |
| SE3.2 | protect IP and make exploit development harder | use code protection | 3 |
SE Level 1: Ensure the application environment supports software security. The operations group ensures required host and network security controls are functioning and proactively monitors software, including application inputs.
SE1.1
Use application input monitoring. The organization monitors the input to software it runs in order to spot attacks. For Web code, a Web application firewall can do the job. The SSG could be responsible for the care and feeding of the system. Responding to attack is not part of this activity. Defanged Web application firewalls that write log files can be useful if somebody reviews the logs periodically.
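The periodic log review this activity calls for can be largely mechanical. The following Go program is an added example, not part of the page or of any WAF product: it parses constructed sample output from a detection-only WAF (the six-column line format, the rule names and the client addresses are all assumed for the example), summarizes which rules fired and which clients triggered them, and counts the flagged requests the application still served, which is exactly what a defanged WAF cannot stop and a reviewer must look at.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Constructed sample output of a WAF running in detection-only ("defanged") mode.
// Line format assumed for this example: timestamp client method path status matched-rule,
// where "-" in the last column means no rule fired.
const sampleLog = `
2024-05-01T10:00:01Z 203.0.113.7  GET  /search?q=shoes                      200 -
2024-05-01T10:00:02Z 198.51.100.9 GET  /search?q=shoes'%20OR%201=1--        200 sqli
2024-05-01T10:00:03Z 198.51.100.9 GET  /download?file=../../etc/passwd      404 path-traversal
2024-05-01T10:00:04Z 203.0.113.7  POST /login                               302 -
2024-05-01T10:00:05Z 198.51.100.9 GET  /search?q=1%20UNION%20SELECT%20name  200 sqli
2024-05-01T10:00:06Z 192.0.2.44   GET  /search?q=%3Cscript%3E               200 xss
`

type Entry struct {
	Time, Client, Method, Path, Rule string
	Status                           int
}

// parseLog skips malformed lines: a log review should not abort on one bad record.
func parseLog(text string) []Entry {
	var out []Entry
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		f := strings.Fields(line)
		if len(f) != 6 {
			continue
		}
		status, err := strconv.Atoi(f[4])
		if err != nil {
			continue
		}
		out = append(out, Entry{Time: f[0], Client: f[1], Method: f[2], Path: f[3], Status: status, Rule: f[5]})
	}
	return out
}

// Summary is what a periodic reviewer needs: which rules fire, which clients trigger them,
// and how many flagged requests the application still answered (the WAF did not block).
type Summary struct {
	ByRule   map[string]int
	ByClient map[string]int
	Served   int
}

func review(entries []Entry) Summary {
	s := Summary{ByRule: map[string]int{}, ByClient: map[string]int{}}
	for _, e := range entries {
		if e.Rule == "-" {
			continue
		}
		s.ByRule[e.Rule]++
		s.ByClient[e.Client]++
		if e.Status < 400 {
			s.Served++ // flagged but answered with success or redirect: needs a closer look
		}
	}
	return s
}

// noisyClients lists clients with at least min rule matches, sorted for stable output.
func noisyClients(s Summary, min int) []string {
	var out []string
	for c, n := range s.ByClient {
		if n >= min {
			out = append(out, c)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	s := review(parseLog(sampleLog))
	fmt.Println("matches by rule:       ", s.ByRule)
	fmt.Println("matches by client:     ", s.ByClient)
	fmt.Println("flagged but served:    ", s.Served)
	fmt.Println("clients to investigate:", noisyClients(s, 2))
}
```

The "flagged but served" count is the number to watch when the firewall only logs: every one of those requests reached the application, so the review should confirm the application itself rejected the input.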
SE1.2
Ensure host and network security basics are in place. The organization provides a solid foundation for software by ensuring that host and network security basics are in place. It is common for operations security teams to be responsible for duties such as patching operating systems and maintaining firewalls. Doing software security before network security is like putting on your pants before putting on your underwear.
SE Level 2: Use published installation guides and actively monitor software behavior. The SSG must ensure software development processes account for the need to protect code intellectual property and for the need to produce application installation and maintenance guides for the operations group. The operations group must monitor software behavior.
SE2.2
Publish installation guides created by SSDL. The software development lifecycle requires the creation of an installation guide to help operators install and configure the software. If special steps are required in order to ensure a deployment is secure, the steps are outlined in the installation guide. The guide should include discussion of COTS components. In some cases, installation guides are distributed to customers who buy the software. Of course, secure by default is the best way to go.
SE2.3
Use application behavior monitoring and diagnostics. The organization monitors the behavior of production software, looking for misbehavior and signs of attack. This activity goes beyond host and network monitoring to look for problems that are specific to the software, such as indications of fraud. Intrusion detection and anomaly detection systems at the application level may focus on an application’s interaction with the operating system (through system calls) or with the kinds of data that an application consumes, originates, and manipulates.
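As an added example of application-level anomaly detection on the data an application manipulates (not code from the page), the Go program below works from events the application reports about itself: it builds a per-account baseline of transfer amounts from constructed history, then flags a live transfer far above that account's own mean and an account that issues a burst of transfers in a short window. The event fields, the accounts and the thresholds are all assumptions chosen for the example.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"time"
)

// Event is one action reported by the application itself. This is the layer
// that host and network monitoring cannot see.
type Event struct {
	At      time.Time
	Account string
	Action  string
	Amount  float64
}

type Finding struct {
	Account string
	Reason  string
}

// Baseline is an account's own history: mean and standard deviation of past amounts.
type Baseline struct {
	Mean, SD float64
	N        int
}

func at(sec int) time.Time { return time.Date(2024, 5, 1, 10, 0, sec, 0, time.UTC) }

// Constructed sample data: acct-1 has a quiet history; the live window holds one
// outsized transfer for acct-1 and a burst of six transfers for acct-2.
var historyEvents = []Event{
	{at(0), "acct-1", "transfer", 20}, {at(1), "acct-1", "transfer", 25}, {at(2), "acct-1", "transfer", 30},
	{at(3), "acct-1", "transfer", 22}, {at(4), "acct-1", "transfer", 28},
}
var liveEvents = []Event{
	{at(100), "acct-1", "transfer", 900}, {at(101), "acct-1", "transfer", 30},
	{at(200), "acct-2", "transfer", 10}, {at(205), "acct-2", "transfer", 10}, {at(210), "acct-2", "transfer", 10},
	{at(215), "acct-2", "transfer", 10}, {at(220), "acct-2", "transfer", 10}, {at(225), "acct-2", "transfer", 10},
}

// buildBaselines computes mean and (population) standard deviation per account.
func buildBaselines(history []Event) map[string]Baseline {
	sum, sq, n := map[string]float64{}, map[string]float64{}, map[string]int{}
	for _, e := range history {
		if e.Action != "transfer" {
			continue
		}
		sum[e.Account] += e.Amount
		sq[e.Account] += e.Amount * e.Amount
		n[e.Account]++
	}
	out := map[string]Baseline{}
	for acct, c := range n {
		mean := sum[acct] / float64(c)
		variance := sq[acct]/float64(c) - mean*mean
		out[acct] = Baseline{Mean: mean, SD: math.Sqrt(math.Max(variance, 0)), N: c}
	}
	return out
}

// detectAmountAnomalies flags a transfer more than k standard deviations above the
// account's own mean. Accounts with fewer than 3 past events have no usable baseline.
func detectAmountAnomalies(base map[string]Baseline, live []Event, k float64) []Finding {
	var out []Finding
	for _, e := range live {
		b, ok := base[e.Account]
		if !ok || b.N < 3 || e.Action != "transfer" {
			continue
		}
		if e.Amount > b.Mean+k*b.SD {
			out = append(out, Finding{e.Account, fmt.Sprintf("amount %.0f exceeds %.1f + %.0f*%.1f", e.Amount, b.Mean, k, b.SD)})
		}
	}
	return out
}

// detectVelocity flags an account with more than max transfers inside any interval of
// length window, using a sliding window over the account's time-sorted events.
func detectVelocity(live []Event, window time.Duration, max int) []Finding {
	byAcct := map[string][]time.Time{}
	for _, e := range live {
		if e.Action == "transfer" {
			byAcct[e.Account] = append(byAcct[e.Account], e.At)
		}
	}
	var out []Finding
	for acct, times := range byAcct {
		sort.Slice(times, func(i, j int) bool { return times[i].Before(times[j]) })
		start := 0
		for i := range times {
			for times[i].Sub(times[start]) > window {
				start++
			}
			if i-start+1 > max {
				out = append(out, Finding{acct, fmt.Sprintf("%d transfers within %s", i-start+1, window)})
				break
			}
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Account < out[j].Account })
	return out
}

func main() {
	base := buildBaselines(historyEvents)
	fmt.Println(detectAmountAnomalies(base, liveEvents, 3))
	fmt.Println(detectVelocity(liveEvents, time.Minute, 5))
}
```

Both detectors are deliberately per-account: a single global threshold would either miss a small account being drained or drown the review in alerts from large ones.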
SE2.4
Use code signing. The organization uses code signing for software published across trust boundaries. Code signing is particularly useful for protecting the integrity of software that leaves the organization’s control, such as shrink-wrapped applications or thick clients. The fact that some mobile platforms require app code to be signed does not indicate institutional use of code signing.
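The following Go program is an added example of what "code signing across a trust boundary" means mechanically; it is not code from the page and assumes its own artifact names, versions and key handling. The publisher signs a manifest that binds the SHA-256 digest of the release artifact to a name and version with an Ed25519 key; the recipient, who only holds the public key, re-hashes the bytes it received and verifies the signature, so a tampered artifact, an edited manifest, or a signature from a different publisher are all rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is what the publisher signs: the artifact digest bound to a name and
// version, so a valid signature for one release cannot be reused for another.
type Manifest struct {
	Name, Version, SHA256 string
}

// encode gives the canonical bytes that are signed and verified.
func (m Manifest) encode() []byte {
	return []byte("name=" + m.Name + "\nversion=" + m.Version + "\nsha256=" + m.SHA256 + "\n")
}

func manifestFor(name, version string, artifact []byte) Manifest {
	sum := sha256.Sum256(artifact)
	return Manifest{Name: name, Version: version, SHA256: hex.EncodeToString(sum[:])}
}

// sign produces a detached Ed25519 signature over the encoded manifest.
func sign(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.encode())
}

// verify is what the installer or the operations group runs before trusting the
// artifact. Both checks are required: a valid signature over a manifest whose
// digest does not match the bytes on disk proves nothing about those bytes.
func verify(pub ed25519.PublicKey, m Manifest, artifact, sig []byte) error {
	sum := sha256.Sum256(artifact)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("artifact digest does not match manifest")
	}
	if !ed25519.Verify(pub, m.encode(), sig) {
		return errors.New("manifest signature invalid for this public key")
	}
	return nil
}

func main() {
	// Constructed key pair for the example; a real release key lives in key management.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	artifact := []byte("constructed installer bytes for the example")
	m := manifestFor("thick-client", "4.2.0", artifact)
	sig := sign(priv, m)

	fmt.Println("genuine artifact:   ", verify(pub, m, artifact, sig))
	fmt.Println("tampered artifact:  ", verify(pub, m, append([]byte("x"), artifact...), sig))
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("wrong publisher key:", verify(otherPub, m, artifact, sig))
	edited := m
	edited.Version = "4.2.1"
	fmt.Println("edited manifest:    ", verify(pub, edited, artifact, sig))
}
```

Signing a manifest rather than the raw bytes is what lets the same scheme cover an installer, a thick client, or a set of files: the recipient needs the public key, the manifest and the signature, and nothing else from the publisher.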
SE Level 3: Protect client-side code. The SSG must ensure that all code leaving the organization is protected.
SE3.2
Use code protection. In order to protect intellectual property and make exploit development harder, the organization erects barriers to reverse engineering. Obfuscation techniques could be applied as part of the production build and release process. Employing platform-specific controls such as Data Execution Prevention (DEP), Safe Structured Error Handling (SafeSEH), and Address Space Layout Randomization (ASLR) can make exploit development more difficult.
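Whether the platform controls named above are actually switched on in a shipped binary is something the release process can check. The Go program below is an added example, not from the page: it inspects an ELF image with the standard library's `debug/elf` and reports the Linux counterparts of two of the three controls, a position-independent executable (`ET_DYN`, which is what lets ASLR relocate the image) and a non-executable stack (`PT_GNU_STACK` without `PF_X`, the DEP/NX equivalent). SafeSEH is Windows-specific and has no ELF equivalent, so it is not covered. To stay self-contained the example constructs two minimal ELF images in memory instead of reading real build output; running `checkMitigations` over a file opened with `os.Open` is the intended use.

```go
package main

import (
	"bytes"
	"debug/elf"
	"encoding/binary"
	"fmt"
	"io"
)

// Mitigations reports the build-time controls visible in an ELF image.
type Mitigations struct {
	PIE         bool // ET_DYN executable: loadable at a random base, so ASLR applies
	NXStack     bool // PT_GNU_STACK present and not executable (the NX/DEP equivalent)
	StackHeader bool // PT_GNU_STACK present at all; if absent the kernel default decides
}

// checkMitigations reads only the ELF header and program headers, so it works on
// stripped binaries and on images without a section table.
func checkMitigations(r io.ReaderAt) (Mitigations, error) {
	f, err := elf.NewFile(r)
	if err != nil {
		return Mitigations{}, err
	}
	m := Mitigations{PIE: f.Type == elf.ET_DYN}
	for _, p := range f.Progs {
		if p.Type == elf.PT_GNU_STACK {
			m.StackHeader = true
			m.NXStack = p.Flags&elf.PF_X == 0
		}
	}
	return m, nil
}

// buildELF constructs a minimal 64-bit little-endian ELF image (header plus two
// program headers, no sections) for the example; it is not a runnable binary.
func buildELF(typ elf.Type, stackFlags elf.ProgFlag) []byte {
	var ident [16]byte
	copy(ident[:], elf.ELFMAG)
	ident[elf.EI_CLASS] = byte(elf.ELFCLASS64)
	ident[elf.EI_DATA] = byte(elf.ELFDATA2LSB)
	ident[elf.EI_VERSION] = byte(elf.EV_CURRENT)
	hdr := elf.Header64{
		Ident: ident, Type: uint16(typ), Machine: uint16(elf.EM_X86_64), Version: uint32(elf.EV_CURRENT),
		Phoff: 64, Ehsize: 64, Phentsize: 56, Phnum: 2,
	}
	progs := []elf.Prog64{
		{Type: uint32(elf.PT_LOAD), Flags: uint32(elf.PF_R | elf.PF_X), Align: 0x1000},
		{Type: uint32(elf.PT_GNU_STACK), Flags: uint32(stackFlags), Align: 16},
	}
	var buf bytes.Buffer
	if err := binary.Write(&buf, binary.LittleEndian, hdr); err != nil {
		panic(err)
	}
	if err := binary.Write(&buf, binary.LittleEndian, progs); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	// Constructed images: one built with the controls on, one without.
	hardened := buildELF(elf.ET_DYN, elf.PF_R|elf.PF_W)
	legacy := buildELF(elf.ET_EXEC, elf.PF_R|elf.PF_W|elf.PF_X)
	for name, img := range map[string][]byte{"hardened": hardened, "legacy": legacy} {
		m, err := checkMitigations(bytes.NewReader(img))
		fmt.Printf("%-8s PIE=%v NXStack=%v GNU_STACK present=%v err=%v\n", name, m.PIE, m.NXStack, m.StackHeader, err)
	}
}
```

A release gate can fail the build when either flag is false; a missing `PT_GNU_STACK` header deserves the same treatment, because it hands the decision to the loader rather than the build.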