Implementation -> Infrastructure Hardening: Usage of security by default for components

Risk and Opportunity

Risk: Components (images, libraries, applications) are not hardened.

Opportunity: Hardening of components is important, specially for image on which other teams base on. Hardening should be performed on the operation system and on the services inside (e.g. Nginx or a Java-Application).

Exploit details

Usefullness: Medium

Required knowledge: High (two disciplines)

Required time: Medium

Required resources (systems): Very Low

Additional Information

Dependencies: Defined build process

Implementation hints: For applications: Check default encoding, managing secrets, crypto, authentication

OWASP SAMM 2 Mapping: o-environment-management|A|1

ISO27001:2017 Controls Mapping:

not explicitly covered by ISO 27001 - too specific