Implementation -> Infrastructure Hardening: Usage of security by default for components
Risk and Opportunity
Risk: Components (images, libraries, applications) are not hardened.
Opportunity: Hardening of components is important, especially for base images that other teams build on. Hardening should be performed on the operating system and on the services running inside it (e.g. Nginx or a Java application).
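The image-hardening part of this opportunity can be made checkable in the build process. The following added example (not DSOMM's own code) contrasts a constructed non-hardened Dockerfile with a hardened counterpart and runs a small checker over both. The checker, the sample Dockerfiles and the digest placeholder are assumptions for illustration; the rules it applies (pinned base image, no secrets in ENV, no unverified remote ADD, no piped remote scripts, non-root USER) are common baseline checks, not an exhaustive hardening standard.

```python
"""Minimal Dockerfile hardening checker (added illustration, not DSOMM code)."""
import re
from typing import Iterator, List, Tuple

# Constructed example of a non-hardened image definition.
WEAK_DOCKERFILE = """\
FROM python:latest
ENV DB_PASSWORD=changeme
ADD https://example.invalid/setup.sh /tmp/setup.sh
RUN sh /tmp/setup.sh
COPY app /app
CMD ["python", "/app/main.py"]
"""

# Constructed hardened counterpart (the digest is a placeholder, not a real image digest).
HARDENED_DOCKERFILE = """\
FROM python:3.12-slim@sha256:PLACEHOLDER_DIGEST
RUN groupadd -r app && useradd -r -g app -d /app -s /sbin/nologin app
COPY --chown=app:app app /app
USER app
CMD ["python", "/app/main.py"]
"""

SECRET_KEY_PATTERN = re.compile(r"(PASSWORD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.I)


def _instructions(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (instruction, argument) pairs; joins continuation lines, skips comments and blanks."""
    joined = text.replace("\\\n", " ")
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        yield parts[0].upper(), (parts[1] if len(parts) > 1 else "")


def check_dockerfile(text: str) -> List[str]:
    """Return a list of human-readable hardening findings; empty means no finding."""
    findings: List[str] = []
    last_user = "root"  # Docker's default when no USER instruction is present
    for instr, arg in _instructions(text):
        if instr == "FROM":
            image = arg.split()[0]  # drop an optional "AS stage"
            if image == "scratch" or "@sha256:" in image:
                continue  # digest-pinned (or empty) base image is fine
            last_segment = image.split("/")[-1]
            tag = last_segment.rsplit(":", 1)[1] if ":" in last_segment else None
            if tag is None or tag == "latest":
                findings.append(f"FROM {image}: base image not pinned to a version or digest")
        elif instr == "USER":
            last_user = arg.split(":")[0]
        elif instr == "ENV" and SECRET_KEY_PATTERN.search(arg):
            findings.append(f"ENV {arg.split('=')[0]}: secret-looking value baked into the image")
        elif instr == "ADD" and re.match(r"https?://", arg):
            findings.append("ADD from remote URL: no integrity check on downloaded content")
        elif instr == "RUN" and re.search(r"(curl|wget)[^|]*\|\s*(ba)?sh", arg):
            findings.append("RUN pipes a downloaded script straight into a shell")
    if last_user in ("root", "0"):
        findings.append("container runs as root: no non-root USER set before CMD/ENTRYPOINT")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(f"== {name} ==")
        for finding in check_dockerfile(text) or ["no findings"]:
            print(" -", finding)
```

A check like this belongs in the defined build process the activity depends on, so that a base image maintained for other teams fails the build when a hardening default regresses rather than being caught later by the teams consuming it.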
Exploit details
Usefulness: Medium
Required knowledge: High (two disciplines)
Required time: Medium
Required resources (systems): Very Low
Additional Information
Dependencies: Defined build process
Implementation hints: For applications: check the default character encoding, secrets management, use of cryptography, and authentication
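For the application-level hints (default encoding, secrets, crypto, authentication), the following added example (not DSOMM's own code) shows what "secure by default" looks like in a small set of helpers: secrets are loaded fail-closed instead of falling back to a hard-coded value, passwords are encoded with an explicit UTF-8 rather than the platform default, hashing uses a salted memory-hard KDF, and verification compares in constant time. The function names and the scrypt work factors are assumptions chosen for illustration.

```python
"""Secure-by-default application helpers (added illustration, not DSOMM code)."""
import hashlib
import hmac
import os
import secrets
from typing import Mapping, Optional

SALT_LEN = 16
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # assumed work factors; tune per deployment


def load_secret(name: str, env: Mapping[str, str] = os.environ) -> str:
    """Fetch a secret from the environment and fail closed if it is absent.

    A hard-coded fallback such as "changeme" would silently ship an insecure
    default, so a missing or empty value is an error, not a default.
    """
    value = env.get(name, "")
    if not value:
        raise RuntimeError(f"required secret {name!r} is not set")
    return value


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || scrypt(password), using a fresh random salt by default.

    The password is encoded explicitly as UTF-8 rather than relying on the
    platform default encoding, so the same input hashes identically everywhere.
    """
    salt = salt if salt is not None else secrets.token_bytes(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError(f"salt must be {SALT_LEN} bytes")
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P
    )
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    if len(stored) <= SALT_LEN:
        return False  # malformed record: reject rather than raise
    salt = stored[:SALT_LEN]
    candidate = hash_password(password, salt)
    # hmac.compare_digest does not short-circuit on the first differing byte
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("verify correct:", verify_password("correct horse battery staple", record))
    print("verify wrong:  ", verify_password("Tr0ub4dor&3", record))
```

The point of the pattern is that the safe behaviour needs no configuration: a caller that forgets to set the secret gets an error at startup, and a caller that uses the defaults gets a salted, memory-hard hash and a constant-time check without having to know about either.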
OWASP SAMM 2 Mapping: o-environment-management|A|1
ISO27001:2017 Controls Mapping:
- not explicitly covered by ISO 27001 - too specific