Implementation -> Infrastructure Hardening: Infrastructure as Code
Risk and Opportunity
Risk: No tracking of changes in systems might lead to errors in the configuration. In addition, it might lead to unauthorized changes. An example is Jenkins.
Opportunity: Systems are set up by code. A full environment can be provisioned. In addition, software like Jenkins 2 can be set up and configured in code too. The code should be stored in a version control system.
Required knowledge: Medium (two disciplines)
Required time: Very High
Required resources (systems): High
Implementation hints: GitOps, Ansible, Chef, Puppet, Jenkinsfile
OWASP SAMM 2 Mapping: o-environment-management|A|1
ISO27001:2017 Controls Mapping:
- not explicitly covered by ISO 27001 - too specific