TY - GEN
T1 - Hardening with Scapolite
T2 - 12th ACM Conference on Data and Application Security and Privacy, CODASPY 2022
AU - Stöckle, Patrick
AU - Pruteanu, Ionut
AU - Grobauer, Bernd
AU - Pretschner, Alexander
N1 - Publisher Copyright:
© 2022 ACM.
PY - 2022/4/14
Y1 - 2022/4/14
N2 - Security Hardening is the process of configuring IT systems to ensure the security of the systems' components and data they process or store. In many cases, so-called security-configuration guides are used as a basis for security hardening. These guides describe secure configuration settings for components such as operating systems and standard applications. Rigorous testing of security-configuration guides and automated mechanisms for their implementation and validation are necessary since erroneous implementations or checks of hardening guides may severely impact systems' security and functionality. At Siemens, centrally maintained security-configuration guides carry machine-readable information specifying both the implementation and validation of each required configuration step. The guides are maintained within git repositories; automated pipelines generate the artifacts for implementation and checking, e.g., PowerShell scripts for Windows, and carry out testing of these artifacts on AWS images. This paper describes our experiences with our DevOps-inspired approach for authoring, maintaining, and testing security-configuration guides. We want to share these experiences to help other organizations with their security hardening and increase their systems' security.
KW - hardening
KW - security configuration
UR - http://www.scopus.com/inward/record.url?scp=85130624686&partnerID=8YFLogxK
U2 - 10.1145/3508398.3511525
DO - 10.1145/3508398.3511525
M3 - Conference contribution
AN - SCOPUS:85130624686
T3 - CODASPY 2022 - Proceedings of the 12th ACM Conference on Data and Application Security and Privacy
SP - 137
EP - 142
BT - CODASPY 2022 - Proceedings of the 12th ACM Conference on Data and Application Security and Privacy
PB - Association for Computing Machinery, Inc
Y2 - 24 April 2022 through 27 April 2022
ER -