Model | Operations | Environment Management
The organization’s work on application security doesn’t end once the application becomes operational. New security features and patches are regularly released for the various elements of the technology stack you’re using, until they become obsolete or are no longer supported.
Most of the technologies in any application stack are not secure by default. This is frequently intentional, to enhance backwards compatibility or ease of setup. For this reason, ensuring the secure operation of the organization’s technology stack requires the consistent application of secure baseline configurations to all components. The Environment Management (EM) practice focuses on keeping your environment clean and secure.
Vulnerabilities are discovered throughout the lifecycles of the technologies on which your organization relies, and new versions addressing them are released on various schedules. This makes it essential to monitor vulnerability reports and perform orderly, timely patching across all affected systems.
|Maturity level||Stream AConfiguration Hardening||Stream BPatching and Updating|
|1||Best-effort patching and hardening||Perform best-effort hardening of configurations, based on readily available information.||Perform best-effort patching of system and application components.|
|2||Formal process with baselines in place||Perform consistent hardening of configurations, following established baselines and guidance.||Perform regular patching of system and application components, across the full stack. Ensure timely delivery of patches to customers.|
|3||Conformity with continuously improving process enforced||Actively monitor configurations for non-conformance to baselines, and handle detected occurrences as security defects.||Actively monitor update status and manage missing patches as security defects. Proactively obtain vulnerability and update information for components.|