Securing Software in the Cloud
- CCSP focuses on 3 areas for securing software:
  - third-party software management
  - validated open-source software
  - OS hardening, baselines, monitoring, and remediation
Third-Party Software Management
- Start software selection processes
  - ensure software fits the business need and follows secure software practices
- Identify software’s configuration requirements
  - understand security implications and capabilities
  - vendors provide best-practice configuration guidelines
- Update and patch software
  - test software before deployment
  - use test environments
  - leverage vulnerability scans
  - ensure you are receiving important customer notifications
  - open-source software may have different support models for updates, patches, and notifications
- Many software packages use third-party code libraries and other dependencies
  - these are a risk too
  - software composition analysis (SCA) and package management tools help ensure software package security
Validating Open-Source Software
- Need to identify a trusted source for the software
  - then need to ensure the packages are trusted too
  - some software provides cryptographic hashes for integrity checks
  - software can:
    - be signed with a developer certificate
    - include a PGP/GPG signature
  - verify the developer’s public key is actually theirs
OS Hardening, Baselines, Monitoring, and Remediation
- A baseline is an organization’s standard for how a system should be configured to meet functional and security goals
  - E.g.,
    - CIS Benchmarks
    - Microsoft Security Compliance Toolkit
    - Azure-specific Linux security baselines
    - Red Hat’s security guides
    - VMware’s hardening guides
- Monitoring involves ensuring the OS remains configured to meet the baseline and that changes are caught and restored
  - CIS Controls Self-Assessment Tool (CSAT) is a web application that tracks implementation of CIS controls
- Remediation is conducted based on monitoring and baseline implementation processes
  - seeks to align systems and software to the baseline
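
The baseline, monitoring, and remediation loop described above, as an added example that is not part of the original notes: a drift check for a few sshd_config settings. The baseline values, the sample file, and the function names are constructed for illustration and are not taken from CIS Benchmarks or any vendor guide.

```python
# Constructed baseline: illustrative values, not copied from any benchmark.
BASELINE = {"permitrootlogin": "no", "passwordauthentication": "no",
            "x11forwarding": "no", "maxauthtries": "4"}

# Constructed sample of a host's sshd_config after an unreviewed change.
SAMPLE_CONFIG = """\
# managed by configuration management
PermitRootLogin no
PasswordAuthentication yes
passwordauthentication no
X11Forwarding no
Match User backup
    MaxAuthTries 4
"""

def parse_global_settings(text):
    """Return {keyword: value} for the global section of an sshd_config.

    Keywords are case-insensitive and the first occurrence wins, so a later
    "correct" line does not undo an earlier weak one. Parsing stops at the
    first Match block: those settings are conditional and need their own review.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "match":
            break
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings

def find_drift(baseline, actual):
    """Monitoring: list (keyword, expected, found) for each setting that is
    off baseline; found is None when the keyword is not set explicitly."""
    return [(key, expected, actual.get(key))
            for key, expected in sorted(baseline.items())
            if (actual.get(key) or "").lower() != expected]

def remediation_lines(drift):
    """Remediation: the directives that align the file with the baseline."""
    return [f"{key} {expected}" for key, expected, _ in drift]

if __name__ == "__main__":
    for key, expected, found in find_drift(BASELINE, parse_global_settings(SAMPLE_CONFIG)):
        print(f"DRIFT {key}: expected {expected!r}, found {found!r}")
```

Because the first occurrence of a keyword wins, remediation has to replace the offending line rather than append the baseline value after it.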