Understanding the importance of securing the technology stacks you’re using, apply secure configuration to stack elements, based on readily available guidance (e.g., open source projects, vendor documentation, blog articles). When your teams develop configuration guidance for their applications, based on trial-and-error and information gathered by team members, encourage them to share their learnings across the organization.

Identify key elements of common technology stacks, and establish configuration standards for those, based on teams’ experiences of what works.

At this level of maturity, you don’t yet have a formal process for managing configuration baselines. Configurations may not be applied consistently across applications and deployments, and monitoring of conformance is likely absent.

Question

Do you harden configurations for key components of your technology stacks?

Quality Criteria

You have identified the key components in each technology stack used
You have an established configuration standard for each key component

Answers

No
Yes, for some components
Yes, for at least half of the components
Yes, for most or all of the components

Benefit

Consistent hardening of technology stack components in your organization

Activity

Establish configuration hardening baselines for all components in each technology stack used. To assist with consistent application of the hardening baselines, develop configuration guides for the components. Require product teams to apply configuration baselines to all new systems, and to existing systems when practicable.

Place hardening baselines and configuration guides under change management, and assign an owner to each. Owners have ongoing responsibility to keep them up-to-date, based on evolving best practices or changes to the relevant components (e.g., version updates, new features).

In larger environments, derive configurations of instances from a locally maintained master, with relevant configuration baselines applied. Employ automated tools for hardening configurations.

Question

Do you have hardening baselines for your components?

Quality Criteria

You have assigned an owner for each baseline
The owner keeps their assigned baselines up to date
You store baselines in an accessible location
You train employees responsible for configurations in these baselines

Answers

No
Yes, for some components
Yes, for at least half of the components
Yes, for most or all of the components

Benefit

Clear view on component configurations to avoid non-conformities

Activity

Actively monitor the security configurations of deployed technology stacks, performing regular checks against established baselines. Ensure results of configuration checks are readily available, through published reports and dashboards.

When you detect non-conforming configurations, treat each occurrence as a security finding, and manage corrective actions within your established Defect Management practice.

Further gains may be realized using automated measures, such as “self-healing” configurations and security information and event management (SIEM) alerts.

As part of the process for updating components (e.g., new releases, vendor patches), review corresponding baselines and configuration guides, updating them as needed to maintain their relevance and accuracy. Review other baselines and configuration guides at least annually.

Periodically review your baseline management process, incorporating feedback and lessons learned from teams applying and maintaining configuration baselines and configuration guides.

Question

Do you monitor and enforce conformity with hardening baselines?

Quality Criteria

You perform conformity checks regularly, preferably using automation
You store conformity check results in an accessible location
You follow an established process to address reported non-conformities
You review each baseline at least annually, and update it when required

Answers

No
Yes, for some components
Yes, for at least half of the components
Yes, for most or all of the components

Stream Guidance

SAMM team guidance Google Doc
Be the first to add to the community guidance for this stream!

Want to contribute?

Complete this Google Form with guidance for this stream.

To learn more about stream guidance for the SAMM model, see the Stream guidance page.

This is an OWASP project. OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted.

Navigation

About SAMM
The Model
Docs
Assessment

Help

FAQ
Contributing
Contact

Connect

GitHub
Slack
LinkedIn
YouTube
Meetup

OWASP SAMM is published under the CC BY-SA 4.0 license and we share the OWASP Privacy Policy.

We use analytics cookies to understand how visitors use this site. See our privacy policy.

Cookie preferences

Necessary

Required for the site to work. Cannot be disabled.

Always on

Analytics

Helps us understand how visitors use the site (Google Analytics and Scarf page-view pixels on SAMM model pages). No personally identifiable information is collected.