Hardening with Scapolite: A DevOps-based Approach for Improved Authoring and Testing of Security-Configuration Guides in Large-Scale Organizations

Patrick Stöckle, Ionut Pruteanu, Bernd Grobauer, Alexander Pretschner

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution, peer-reviewed

2 Scopus citations

Abstract

Security hardening is the process of configuring IT systems to ensure the security of the systems' components and of the data they process or store. In many cases, so-called security-configuration guides are used as the basis for security hardening. These guides describe secure configuration settings for components such as operating systems and standard applications. Rigorous testing of security-configuration guides, together with automated mechanisms for their implementation and validation, is necessary, since erroneous implementations or checks of hardening guides may severely impact a system's security and functionality. At Siemens, centrally maintained security-configuration guides carry machine-readable information specifying both the implementation and the validation of each required configuration step. The guides are maintained in git repositories; automated pipelines generate the artifacts for implementation and checking, e.g., PowerShell scripts for Windows, and test these artifacts on AWS images. This paper describes our experiences with this DevOps-inspired approach to authoring, maintaining, and testing security-configuration guides. We share these experiences to help other organizations with their security hardening and thereby increase the security of their systems.
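The abstract describes a pipeline in which each configuration step carries machine-readable implementation and validation information, and scripts for both are generated from one source rather than written by hand. The following is an added illustration of that idea and is not the Scapolite format or any Siemens tooling: the rule data class, the two sample registry rules, the PowerShell templates and the offline state model are all assumptions made for this example. It emits an implementation script and a check script from the same rule list, so the value the check expects can never drift from the value the implementation sets, and models the apply-then-check cycle the paper runs on test images.

```python
"""Added example (not from the paper): generate PowerShell implement/check scripts
from one machine-readable rule list and model the apply-then-check cycle offline."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RegistryRule:
    """One configuration step: a registry DWORD value that must hold `expected`."""
    rule_id: str
    title: str
    key: str      # PowerShell registry path, e.g. HKLM:\SYSTEM\...
    name: str     # value name under that key
    expected: int


# Constructed sample rules for illustration; the value names are common Windows
# settings, but this list is not an excerpt of any real guide.
SAMPLE_RULES: List[RegistryRule] = [
    RegistryRule("R-001", "Disable the SMBv1 server",
                 r"HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters",
                 "SMB1", 0),
    RegistryRule("R-002", "Require LDAP client signing",
                 r"HKLM:\SYSTEM\CurrentControlSet\Services\LDAP",
                 "LDAPClientIntegrity", 2),
]


def ps_quote(s: str) -> str:
    """Single-quote a string for PowerShell: no interpolation, '' escapes a quote."""
    return "'" + s.replace("'", "''") + "'"


def render_implementation(rules: List[RegistryRule]) -> str:
    """Emit the script that applies every rule, creating the key if it is missing."""
    out = ["# generated: apply hardening settings", "$ErrorActionPreference = 'Stop'"]
    for r in rules:
        key, name = ps_quote(r.key), ps_quote(r.name)
        out += [
            f"# {r.rule_id}: {r.title}",
            f"if (-not (Test-Path -LiteralPath {key})) {{ New-Item -Path {key} -Force | Out-Null }}",
            f"New-ItemProperty -LiteralPath {key} -Name {name} -Value {r.expected} "
            f"-PropertyType DWord -Force | Out-Null",
        ]
    return "\n".join(out) + "\n"


def render_check(rules: List[RegistryRule]) -> str:
    """Emit the script that validates every rule; its exit code is the failure count."""
    out = ["# generated: validate hardening settings", "$failed = 0"]
    for r in rules:
        key, name = ps_quote(r.key), ps_quote(r.name)
        out += [
            f"# {r.rule_id}: {r.title}",
            # A missing key or value yields $null, which never equals the expected DWORD.
            f"$actual = Get-ItemProperty -LiteralPath {key} -Name {name} "
            f"-ErrorAction SilentlyContinue | Select-Object -ExpandProperty {name}",
            f"if ($actual -eq {r.expected}) {{ '{r.rule_id} PASS' }} "
            f"else {{ \"{r.rule_id} FAIL (expected {r.expected}, got $actual)\"; $failed++ }}",
        ]
    out.append("exit $failed")
    return "\n".join(out) + "\n"


State = Dict[Tuple[str, str], Optional[int]]   # (key, value name) -> observed DWORD


def evaluate(rules: List[RegistryRule], observed: State) -> List[Tuple[str, bool]]:
    """Offline model of the check script: one (rule_id, passed) pair per rule."""
    return [(r.rule_id, observed.get((r.key, r.name)) == r.expected) for r in rules]


def simulate_apply(rules: List[RegistryRule], observed: State) -> State:
    """Offline model of the implementation script: state after all rules are applied."""
    state = dict(observed)
    for r in rules:
        state[(r.key, r.name)] = r.expected
    return state


if __name__ == "__main__":
    print(render_implementation(SAMPLE_RULES))
    print(render_check(SAMPLE_RULES))
```

Running the module prints both generated scripts. In a pipeline such as the one the abstract describes, the implementation script would be applied to a fresh test image and the check script run afterwards; `simulate_apply` followed by `evaluate` is the offline stand-in for that cycle, and a failing check after a clean apply would point at a bug in either generated artifact rather than in the target system.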

Original language: English
Title of host publication: CODASPY 2022 - Proceedings of the 12th ACM Conference on Data and Application Security and Privacy
Publisher: Association for Computing Machinery, Inc
Pages: 137-142
Number of pages: 6
ISBN (Electronic): 9781450392204
DOIs
State: Published - 14 Apr 2022
Event: 12th ACM Conference on Data and Application Security and Privacy, CODASPY 2022 - Virtual, Online, United States
Duration: 24 Apr 2022 to 27 Apr 2022

Publication series

Name: CODASPY 2022 - Proceedings of the 12th ACM Conference on Data and Application Security and Privacy

Conference

Conference: 12th ACM Conference on Data and Application Security and Privacy, CODASPY 2022
Country/Territory: United States
City: Virtual, Online
Period: 24/04/22 to 27/04/22

Keywords

  • hardening
  • security configuration
