0 76 b monitor baseline environment configuration


fication should be reviewed and updated at least every 6 months for active projects, or more often if changes are being made to the software design or the expected operating environment.

Results
✦ Clear understanding of operational expectations within the development team
✦ High-priority risks from underlying infrastructure mitigated on a well-understood timeline
✦ Software operators with a high-level plan for security-critical maintenance of infrastructure

Success Metrics
✦ >50% of projects with updated operational environment specification in past 6 months
✦ >50% of projects with updated list of relevant critical security patches in past 6 months

B. Identify and install critical security upgrades and patches

Most applications are software that runs on top of another large stack of software composed of built-in programming language libraries, third-party components and development frameworks, base operating systems, etc. Because security flaws contained in any module in that large software stack affect the overall security of the organization's software, critical security updates for elements of the technology stack must be installed.

As such, regular research or ongoing monitoring of high-risk dependencies should be performed to stay abreast of the latest fixes to security flaws. Upon identification of a critical upgrade or patch that would impact the security posture of the software project, plans should be made to get affected users and operators to update their installations. Depending on the type of software project, details on doing this can vary.

Costs
✦ Ongoing project overhead from buildout and maintenance of operational environment specification
✦ Ongoing project overhead from monitoring and installing critical security updates

Personnel
✦ Developers (1-2 days/yr)
✦ Architects (1-2 days/yr)
✦ Managers (2-4 days/yr)
✦ Support/Operators (3-4 days/yr)

Related Levels
✦ Operational Enablement - 2

SAMM / The Security Practices - v1.0
EH 2 Environment Hardening

Improve confidence in application operations by hardening the operating environment

Results
✦ Granular verification of security characteristics of systems in operations
✦ Formal expectations on timelines for infrastructure risk mitigation
✦ Stakeholders consistently aware of current operations status of software projects

Add'l Success Metrics
✦ >80% of project teams briefed on patch management process in past 12 months
✦ >80% of stakeholders aware of current patch status in past 6 months

Activities

A. Establish routine patch management process

Moving to a more formal process than ad hoc application of critical upgrades and patches, an ongoing process should be created in the organization to consistently apply updates to software dependencies in the operating environment. In its most basic form, the process should aim to make guarantees for the time lapse between release and application of security upgrades and patches. To make this process efficient, organizations typically accept high latency on lower priority updates, e.g. maximum of 2 days for critical patches spanning to a...
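As an added example (not part of the SAMM text), the two guarantees described above, a bounded lapse between a patch's release and its installation and a six-monthly review of the operational environment specification, can be checked mechanically against a component inventory. Only the 2-day figure for critical patches comes from the text; the other latency tiers, the record layout, and the sample inventory are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed severity -> maximum days between fix release and installation.
# Only the 2-day critical tier is from the text; the lower tiers stand in
# for the "high latency on lower priority updates" the process tolerates.
MAX_LATENCY_DAYS = {"critical": 2, "high": 14, "medium": 30, "low": 90}

@dataclass
class PatchRecord:
    project: str
    component: str            # element of the technology stack
    severity: str
    released: date            # date the security fix became available
    installed: Optional[date] # None = not yet applied

def patch_latency_breaches(records, today):
    """Records whose release-to-install lapse exceeds the guarantee for
    their severity; an uninstalled patch is measured up to `today`."""
    breaches = []
    for r in records:
        end = r.installed or today
        lapse = (end - r.released).days
        if lapse > MAX_LATENCY_DAYS[r.severity]:
            breaches.append((r.project, r.component, lapse))
    return breaches

def spec_review_coverage(spec_reviews, today, window_days=182):
    """Fraction of projects whose operational environment specification
    was reviewed within the window (success metric target: >50%)."""
    cutoff = today - timedelta(days=window_days)
    fresh = sum(1 for d in spec_reviews.values() if d >= cutoff)
    return fresh / len(spec_reviews) if spec_reviews else 0.0

TODAY = date(2014, 3, 31)
SAMPLE_PATCHES = [  # constructed sample inventory, not real data
    PatchRecord("billing", "openssl", "critical", date(2014, 3, 20), date(2014, 3, 21)),
    PatchRecord("billing", "web-framework", "critical", date(2014, 3, 20), date(2014, 3, 25)),
    PatchRecord("portal", "os-kernel", "high", date(2014, 3, 1), None),
    PatchRecord("portal", "json-lib", "low", date(2014, 1, 1), date(2014, 3, 1)),
]
SAMPLE_SPEC_REVIEWS = {"billing": date(2014, 1, 15), "portal": date(2013, 6, 1), "hr": date(2014, 3, 1)}

if __name__ == "__main__":
    for project, component, days in patch_latency_breaches(SAMPLE_PATCHES, TODAY):
        print(f"{project}/{component}: {days} days, exceeds guarantee")
    print(f"spec review coverage: {spec_review_coverage(SAMPLE_SPEC_REVIEWS, TODAY):.0%}")
```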

This homework help was uploaded on 03/31/2014 for the course GEN ED IS taught by Professor 3445 during the Spring '14 term at ITT Tech Flint.
