Domain 7: Secure Software Deployment, Operations, Maintenance

Secure Operations and Maintenance

If an organization suffers a security incident, a quick, correct response is essential to minimizing the cost and damage to the business and requires a well-defined incident response plan. After a potential incident has been identified (based on monitoring and threat detection), essential activities include:

  • Root Cause Analysis: Often, the events that cause an incident to be detected are symptoms, and addressing these will not solve the problem. Root cause analysis is necessary to identify why the incident occurred and ensure that it does not recur in the future.

  • Incident Triage: An organization may face many simultaneous incidents with varying levels of importance and impact on the organization. Triage ensures that incident investigation and response activities are properly prioritized and that each incident is managed at the appropriate level (e.g., not disabling critical functionality due to a minor bug).

  • Forensics: Digital forensics involves investigating an incident to support remediation, recovery, regulatory compliance, or legal action. Often, this involves analyzing log files, the file system, the Windows Registry, and other data sources.

When a business is maintaining continuity of operations, it has suffered a business-disrupting event and is attempting to continue functioning until it can restore normal operations. Business continuity planning includes identifying the criticality of each application to the business so that restoration can be prioritized. Some concepts related to business continuity/disaster recovery include:

  • Backup, Archiving, and Retention: If data is corrupted or destroyed during a security incident, backups are essential to restoring operations. These backups should be appropriately protected with encryption and access controls.

  • Disaster Recovery (DR): Disaster recovery is the process of moving from continuity operations during an incident back to normal operations. This requires careful planning and full knowledge of system dependencies to ensure that applications are brought back online only when they have the resources needed to operate.

  • Resiliency: Resiliency measures how well a system can survive a disruptive incident. Redundant systems and additional copies of vital data are examples of measures to boost resiliency.

Information Security Continuous Monitoring (ISCM) is the practice of continually monitoring an organization’s security threats, vulnerabilities, and security posture. Elements of ISCM include:

  • Collect and Analyze Security Observable Data: Security intelligence can come from log data, network traffic, events, and similar sources. Tools such as a Security Information and Event Management (SIEM) solution can help with collecting, processing, storing, and accessing this data.

  • Threat Intel: Threat intelligence is information about the risk that a company faces, such as new vulnerabilities, active attack campaigns, etc. This information can be used to help plan defenses and tune security solutions and application configurations.

  • Intrusion Detection and Response: Intrusion detection is the process of identifying potential threats to the organization based on known-malicious actions, anomalous activities, and other signifiers. Once a potential threat is identified, it can be investigated and managed by the security team.

  • Secure Configuration: The configuration of an application can impact its vulnerability to attack. Configurations should be implemented in line with best practice and monitored for unauthorized changes.

  • Regulation Changes: Corporate security and AppSec policies are often driven at least partly by external regulations. As regulatory requirements evolve, organizations need to monitor these changes and make appropriate policy updates.
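
The collect-and-analyze and intrusion-detection elements above, as an added worked example in Go (not code from the original notes): it parses a constructed authentication log, drops malformed lines instead of failing, and raises an alert once a source exceeds a failure threshold inside a sliding window, with a higher-severity alert if a login from that source then succeeds. The log format, field layout, threshold and window are assumptions made for this example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Constructed sample authentication log (not real data). Format assumed for this
// example: "<RFC3339 timestamp> sshd: <Failed|Accepted> password for <user> from <ip>".
const sampleLog = `2024-05-01T10:00:01Z sshd: Failed password for root from 203.0.113.7
2024-05-01T10:00:03Z sshd: Failed password for admin from 203.0.113.7
2024-05-01T10:00:05Z sshd: Failed password for admin from 203.0.113.7
2024-05-01T10:00:08Z sshd: Failed password for admin from 203.0.113.7
2024-05-01T10:00:09Z sshd: Failed password for admin from 203.0.113.7
2024-05-01T10:00:12Z sshd: Accepted password for admin from 203.0.113.7
2024-05-01T10:01:00Z sshd: Failed password for alice from 198.51.100.4
2024-05-01T10:20:00Z sshd: Accepted password for alice from 198.51.100.4
this line is malformed and must be skipped rather than crash the collector`

type event struct {
	ts      time.Time
	outcome string // "Failed" or "Accepted"
	user    string
	src     string
}

type alert struct {
	Src  string
	Kind string // "brute_force" or "success_after_brute_force"
	At   time.Time
}

// parseLine normalises one raw line into an event; unparseable lines are dropped.
func parseLine(line string) (event, bool) {
	f := strings.Fields(line)
	if len(f) != 8 || f[1] != "sshd:" || f[3] != "password" || f[6] != "from" {
		return event{}, false
	}
	ts, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return event{}, false
	}
	return event{ts: ts, outcome: f[2], user: f[5], src: f[7]}, true
}

// detect raises one brute_force alert per source once `threshold` failures fall
// inside `window`, and a success_after_brute_force alert if a login then succeeds
// from that source while its failure count is still at or above the threshold.
func detect(rawLog string, threshold int, window time.Duration) []alert {
	var events []event
	for _, line := range strings.Split(rawLog, "\n") {
		if e, ok := parseLine(strings.TrimSpace(line)); ok {
			events = append(events, e)
		}
	}
	// Lines from several collectors may arrive out of order; evaluate in time order.
	sort.Slice(events, func(i, j int) bool { return events[i].ts.Before(events[j].ts) })

	recentFailures := map[string][]time.Time{} // src -> failure times inside the window
	flagged := map[string]bool{}
	var alerts []alert
	for _, e := range events {
		// Age out failures that are older than the window (filtered in place).
		kept := recentFailures[e.src][:0]
		for _, t := range recentFailures[e.src] {
			if e.ts.Sub(t) <= window {
				kept = append(kept, t)
			}
		}
		recentFailures[e.src] = kept

		switch e.outcome {
		case "Failed":
			recentFailures[e.src] = append(recentFailures[e.src], e.ts)
			if len(recentFailures[e.src]) >= threshold && !flagged[e.src] {
				flagged[e.src] = true
				alerts = append(alerts, alert{Src: e.src, Kind: "brute_force", At: e.ts})
			}
		case "Accepted":
			if len(recentFailures[e.src]) >= threshold {
				alerts = append(alerts, alert{Src: e.src, Kind: "success_after_brute_force", At: e.ts})
			}
		}
	}
	return alerts
}

func main() {
	for _, a := range detect(sampleLog, 4, time.Minute) {
		fmt.Printf("%s %-26s src=%s\n", a.At.Format(time.RFC3339), a.Kind, a.Src)
	}
}
```

Running it prints two alerts for 203.0.113.7 and none for 198.51.100.4, whose single failure is outside the window by the time its login succeeds. A SIEM rule does the same job at scale; the point of the example is that the collector must normalise and time-order data before any detection logic can run on it.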

Service level agreements (SLAs) define the minimum guaranteed level of service that a customer can expect from a service provider. These include a set of Service Level Objectives (SLOs) that define particular goals, such as maintenance, performance, service availability, or available personnel, and that have clear metrics for evaluating whether they have been met. If the SLOs and SLA are violated, then the service provider is legally liable.

Not all vulnerabilities are identified and fixed before applications reach production. Runtime protection systems help to mitigate this issue by protecting vulnerable applications against attempted exploitation or reducing the probability of a successful attack. Some examples include:

  • Runtime Application Self-Protection (RASP): RASP solutions are integrated with a protected application and monitor its inputs, outputs, and behavior for anomalies that could indicate a potential attack.

  • Web Application Firewall (WAF): A WAF sits between an application and the Internet and filters out traffic containing known exploits before it reaches the vulnerable application.

  • Address Space Layout Randomization (ASLR): ASLR randomizes where code and data regions (such as libraries, the stack, and the heap) are placed in memory, so an attacker cannot rely on fixed addresses for the functions they would use when exploiting a vulnerability.

Vulnerability management is the process of addressing the various vulnerabilities that may exist in an organization’s systems. Key components of vulnerability management include:

  • Scanning: Vulnerability scanning is a common way of identifying vulnerabilities. A vulnerability scanner identifies known vulnerabilities in running applications (matched against published CVEs) as well as common classes of flaws that have no CVE yet (SQL injection, buffer overflow, etc.).

  • Tracking: After a vulnerability has been identified, it should be added to a bug tracking system. This helps with prioritizing vulnerability remediation and ensuring that it is addressed.

  • Triaging: Most organizations have more vulnerabilities than they can effectively remediate. Triage ensures that the most dangerous vulnerabilities are addressed first, reducing risk to the organization.

  • Patching: Vulnerabilities are corrected by applying patches. This includes finding, testing, and applying updates based on the priority order.
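
The tracking, triaging and priority-ordered patching steps above, as an added worked example in Go (not code from the original notes): findings from repeated scans are deduplicated into tickets, each ticket gets a priority from a triage policy and a remediation deadline from it, and the queue comes out in patching order. The priority policy, the deadlines, the asset names and the CVE-EXAMPLE-* identifiers are all constructed for this example; none are real CVEs.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Finding is one scanner result. (Asset, ID) identifies the same issue across scans.
type Finding struct {
	Asset        string
	ID           string  // CVE identifier or scanner check name
	CVSS         float64 // base score, 0.0-10.0
	ExploitKnown bool    // public exploit or active exploitation reported
	Exposed      bool    // asset reachable from the Internet
}

// Ticket is the tracked record for a finding.
type Ticket struct {
	Finding
	FirstSeen time.Time
	Priority  int // 1 = remediate first
	Due       time.Time
}

// Tracker deduplicates findings into tickets keyed by asset and ID.
type Tracker struct{ tickets map[string]*Ticket }

func NewTracker() *Tracker { return &Tracker{tickets: map[string]*Ticket{}} }

func ticketKey(f Finding) string { return f.Asset + "|" + f.ID }

// priority is a constructed triage policy: exploited-and-exposed first, then
// critical or exploitable, then high, then everything else.
func priority(f Finding) int {
	switch {
	case f.ExploitKnown && f.Exposed:
		return 1
	case f.CVSS >= 9.0 || f.ExploitKnown:
		return 2
	case f.CVSS >= 7.0:
		return 3
	default:
		return 4
	}
}

// remediationSLA maps priority to a constructed maximum time-to-patch.
var remediationSLA = map[int]time.Duration{
	1: 7 * 24 * time.Hour,
	2: 14 * 24 * time.Hour,
	3: 30 * 24 * time.Hour,
	4: 90 * 24 * time.Hour,
}

// Ingest opens a ticket for each finding not already tracked and returns how
// many were created; re-scanned findings keep their original FirstSeen and Due.
func (t *Tracker) Ingest(findings []Finding, now time.Time) int {
	created := 0
	for _, f := range findings {
		k := ticketKey(f)
		if _, seen := t.tickets[k]; seen {
			continue
		}
		p := priority(f)
		t.tickets[k] = &Ticket{Finding: f, FirstSeen: now, Priority: p, Due: now.Add(remediationSLA[p])}
		created++
	}
	return created
}

// Queue returns tickets in patching order: priority first, then earliest due date.
func (t *Tracker) Queue() []Ticket {
	out := make([]Ticket, 0, len(t.tickets))
	for _, tk := range t.tickets {
		out = append(out, *tk)
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Priority != out[j].Priority {
			return out[i].Priority < out[j].Priority
		}
		return out[i].Due.Before(out[j].Due)
	})
	return out
}

// Overdue lists tickets whose remediation deadline has passed.
func (t *Tracker) Overdue(now time.Time) []Ticket {
	var out []Ticket
	for _, tk := range t.Queue() {
		if now.After(tk.Due) {
			out = append(out, tk)
		}
	}
	return out
}

// sampleFindings is constructed data; the CVE identifiers are placeholders, not real CVEs.
var sampleFindings = []Finding{
	{Asset: "web-01", ID: "CVE-EXAMPLE-0001", CVSS: 8.1, ExploitKnown: true, Exposed: true},
	{Asset: "db-01", ID: "CVE-EXAMPLE-0002", CVSS: 9.8},
	{Asset: "build-07", ID: "sqli-in-search-form", CVSS: 7.5},
	{Asset: "laptop-12", ID: "CVE-EXAMPLE-0003", CVSS: 5.3},
}

func main() {
	now := time.Date(2024, 5, 1, 0, 0, 0, 0, time.UTC)
	tr := NewTracker()
	fmt.Println("new tickets:", tr.Ingest(sampleFindings, now))
	fmt.Println("new tickets on rescan:", tr.Ingest(sampleFindings, now.Add(24*time.Hour)))
	for _, tk := range tr.Queue() {
		fmt.Printf("P%d %-10s %-20s due %s\n", tk.Priority, tk.Asset, tk.ID, tk.Due.Format("2006-01-02"))
	}
}
```

Note that the exposed asset with a known exploit outranks the 9.8 finding: CVSS alone is a poor triage key, and the deadline clock starts at first sighting rather than being reset by every rescan.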

Patch management is the practice of applying updates to fix security and functionality issues. Key elements of patch management are ensuring that update code is secured against malicious modification and testing patches to ensure that they fix the issue and don’t break anything else (regression testing).

  • Dynamic Application Security Testing (DAST) is performed during the development process and involves sending malicious or malformed inputs to an application and monitoring its responses.

  • A hotfix or quick fix engineering (QFE) is a patch designed to fix a particular problem, often without adding any additional functionality.

  • A Service Pack bundles multiple hotfixes together and may also include new functionality.

Secure Deployment

Standard principles of system design include:

  • Abstraction

  • Modularity

  • Information hiding

Abstract modeling techniques include:

  • Continuous system modeling

  • Agent-based modeling

  • Unified Modeling Language (UML)

Bootstrapping is the process by which an application loads itself into memory and begins execution. Important components of bootstrapping include:

  • Setting default configuration values

  • Verifying the correct operation of security features

  • Connecting to the key management, access control, and other security management systems

Risk assessments should be based on three factors:

  • Relationships between system assets

  • Threats to each asset

  • Business and technological risks associated with each threat

Software development teams must securely store and manage various types of security data. Examples include:

  • Credentials: Credentials manage access to code, development environments, and tools. Credentials should be defined based on the principle of least privilege, and each account/environment should have its own credentials.

  • Secrets: Applications may have access to encryption and API keys, user credentials, and other sensitive data. This information should be protected using access controls, encryption, and other data security best practices.

  • Keys/Certificates: Encryption keys and digital certificates should be properly managed. For example, keys should not be hardcoded into application code, and digital certificates should be verified before being trusted/used.

  • Configurations: An application’s configuration has a significant impact on its security. Application configuration information should be protected by access controls and integrity and authenticity checks.
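
The bootstrapping components listed earlier (default configuration values, verifying that security features work, connecting to key management) and the secrets and configuration points above, as one added worked example in Go (not code from the original notes): startup runs a known-answer self-test of SHA-256, takes the integrity key from the environment rather than from source, verifies an HMAC tag over the configuration file before parsing it, and applies secure defaults for any key the file omits. The config keys, the APP_CONFIG_KEY variable name and the sample file are assumptions made for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"os"
)

// Config holds runtime settings; the JSON keys are assumed for this example.
type Config struct {
	ListenAddr     string `json:"listen_addr"`
	SessionTTLSecs int    `json:"session_ttl_secs"`
	RequireTLS     bool   `json:"require_tls"`
}

// defaults are the secure-by-default values applied before the file is read.
func defaults() Config {
	return Config{ListenAddr: "127.0.0.1:8443", SessionTTLSecs: 900, RequireTLS: true}
}

var (
	ErrSelfTest       = errors.New("crypto self-test failed")
	ErrNoKey          = errors.New("config integrity key not provided")
	ErrConfigTampered = errors.New("config integrity check failed")
)

// selfTest is a known-answer test for SHA-256 (digest of "abc"), run before any
// security decision depends on the primitive.
func selfTest() error {
	const want = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
	sum := sha256.Sum256([]byte("abc"))
	if hex.EncodeToString(sum[:]) != want {
		return ErrSelfTest
	}
	return nil
}

// ConfigTag computes the HMAC-SHA256 tag that deployment stores beside the config file.
func ConfigTag(key, raw []byte) string {
	mac := hmac.New(sha256.New, key)
	mac.Write(raw)
	return hex.EncodeToString(mac.Sum(nil))
}

// Bootstrap fails closed: self-test, then key presence, then integrity, then parse.
func Bootstrap(raw []byte, tagHex string, key []byte) (Config, error) {
	if err := selfTest(); err != nil {
		return Config{}, err
	}
	if len(key) == 0 {
		return Config{}, ErrNoKey
	}
	want, err := hex.DecodeString(tagHex)
	if err != nil {
		return Config{}, ErrConfigTampered
	}
	mac := hmac.New(sha256.New, key)
	mac.Write(raw)
	if !hmac.Equal(mac.Sum(nil), want) { // constant-time comparison
		return Config{}, ErrConfigTampered
	}
	cfg := defaults()
	// Unmarshalling over the defaults keeps every key the file does not mention.
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return Config{}, err
	}
	return cfg, nil
}

func main() {
	// The key comes from the environment (APP_CONFIG_KEY is an assumed name), never from source code.
	key := []byte(os.Getenv("APP_CONFIG_KEY"))
	raw := []byte(`{"listen_addr":"0.0.0.0:8443","require_tls":false}`) // constructed config file
	// In practice the tag is produced by the deployment pipeline; computed here to keep the demo self-contained.
	tag := ConfigTag(key, raw)
	cfg, err := Bootstrap(raw, tag, key)
	fmt.Printf("config=%+v err=%v\n", cfg, err)
}
```

With APP_CONFIG_KEY unset the program refuses to start with ErrNoKey instead of silently running unverified; with it set, session_ttl_secs keeps its default of 900 while the file's explicit require_tls=false is honoured and would be visible in the output for review.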

The three main groups that personnel training should be designed for include:

  • Administrators: Define system and user configurations

  • Power Users: Serve as the go-to person for users with questions, and therefore need to be able to give correct answers

  • Standard Users: Need to know how to do their jobs on the system

  • Continuous integration involves making frequent, small changes to the codebase, and testing each one before accepting it.

  • Continuous delivery automates the process of testing small releases and rolling them out to production.

  • Continuous deployment uses automated scripts to roll updates out to customers.

  • Post-deployment testing can help to ensure that software continues to work after being delivered to the customer. Common examples include validating that updates are correct and properly installed and generating logs of significant events for debugging and regulatory compliance.

  • System-of-systems integration is primarily focused on ensuring concurrent interoperability.

  • Threat modeling identifies the potential risks faced by software, which can then be prioritized during risk assessment.

  • A threat picture describes known vulnerabilities at a particular point in time.

  • Most software needs to make changes to its environment to run, such as registering credentials with a credential management system, allowlisting application files with the antivirus, and network configuration. All of these requirements should be documented to ensure that they are correctly set up and that these changes persist.

  • Information Security Continuous Monitoring (ISCM) is the practice of continually monitoring an organization’s security threats, vulnerabilities, and security posture.

  • Security Information and Event Management (SIEM) solutions aggregate and analyze security data from multiple sources.

  • Build artifact verification is the process of ensuring the integrity and authenticity of the products developed during the build process. Common integrity verification techniques include checksums, hashes, and digital signatures.
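
Build artifact verification, and the patch-management requirement earlier in these notes that update code be secured against malicious modification, as one added worked example in Go (not code from the original notes): the release process hashes each build output into a manifest and signs the manifest with an Ed25519 key; the consumer verifies the signature before trusting any digest, then checks the file against the signed digest. The artifact name and contents are constructed, and the key pair is generated in-process purely so the example runs stand-alone.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Manifest maps artifact file name to its hex SHA-256 digest.
type Manifest map[string]string

var (
	ErrBadSignature   = errors.New("manifest signature invalid")
	ErrUnlisted       = errors.New("artifact not listed in manifest")
	ErrDigestMismatch = errors.New("artifact digest does not match manifest")
)

// NewReleaseKey creates the signing key pair; in a real pipeline the private
// half lives in an HSM or secrets manager, never in the repository.
func NewReleaseKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// BuildManifest hashes every build output.
func BuildManifest(artifacts map[string][]byte) Manifest {
	m := Manifest{}
	for name, data := range artifacts {
		sum := sha256.Sum256(data)
		m[name] = hex.EncodeToString(sum[:])
	}
	return m
}

// Canonical renders the manifest deterministically (sorted lines) so that the
// signer and the verifier sign and check exactly the same bytes.
func (m Manifest) Canonical() []byte {
	names := make([]string, 0, len(m))
	for n := range m {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		fmt.Fprintf(&b, "%s %s\n", n, m[n])
	}
	return []byte(b.String())
}

// SignManifest is run once by the release process.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Canonical())
}

// VerifyArtifact checks authenticity first (the manifest really came from the
// release key), then integrity (the file matches the signed digest). Checking
// the digest alone would accept a manifest rewritten alongside a modified file.
func VerifyArtifact(pub ed25519.PublicKey, m Manifest, sig []byte, name string, data []byte) error {
	if !ed25519.Verify(pub, m.Canonical(), sig) {
		return ErrBadSignature
	}
	want, ok := m[name]
	if !ok {
		return ErrUnlisted
	}
	sum := sha256.Sum256(data)
	if hex.EncodeToString(sum[:]) != want {
		return ErrDigestMismatch
	}
	return nil
}

func main() {
	pub, priv := NewReleaseKey()
	artifacts := map[string][]byte{"app-1.2.3.tar.gz": []byte("constructed build output")} // constructed
	m := BuildManifest(artifacts)
	sig := SignManifest(priv, m)
	fmt.Println("genuine artifact:  ", VerifyArtifact(pub, m, sig, "app-1.2.3.tar.gz", artifacts["app-1.2.3.tar.gz"]))
	fmt.Println("modified artifact: ", VerifyArtifact(pub, m, sig, "app-1.2.3.tar.gz", []byte("modified build output")))
	// Rewriting the manifest to match the modified file breaks the signature instead.
	m2 := BuildManifest(map[string][]byte{"app-1.2.3.tar.gz": []byte("modified build output")})
	fmt.Println("rewritten manifest:", VerifyArtifact(pub, m2, sig, "app-1.2.3.tar.gz", []byte("modified build output")))
}
```

The three checks in the output map onto the techniques the note lists: the checksum/hash catches accidental or unsigned modification of the file, and the digital signature over the manifest is what stops an attacker who can alter both the file and its published hash.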
