-
Sub-task
-
Resolution: Unresolved
-
Major
Provide details on how to validate the version of your software and clearly indicate for which versions of the software guidance is written.
Provide guidance on:
1) How to implement and operate the software securely.
- Detailed instructions on how to configure all available security options and parameters of the software.
- Where the software utilizes other systems for maintenance of tracking data, such as a log server, provide clear and sufficient guidance on the correct and complete setup and/or integration of the software with the log storage system.
- Where third-party or execution-environment features are relied upon for the security of the transmitted data, ensure that clear and sufficient guidance on how to configure such features is included in the software implementation guidance made available to stakeholders.
- Where cryptographic methods provided by third-party software or aspects of the execution environment or platform on which the application is run are relied upon for the protection of sensitive data, provide clear and sufficient detail for correctly configuring these methods during the installation, initialization, or first use of the software in the implementation guidance.
2) How to set configuration options of the execution environment and system components.
- Clear and sufficient guidance for enabling any software security controls, features, or functions where user input or interaction is required, so that the user's configuration is mapped to the intended control correctly.
- Clear and sufficient guidance for disabling or changing any authentication credentials or keys for built-in accounts where user input or interaction is required.
- Clear and sufficient guidance for the process of configuring the retention period of sensitive data (transient and persistent) where user input or interaction is required.
- Clear and sufficient guidance on the process of configuring protection methods where user input or interaction is required.
- When any mitigation relies on features of the execution environment, provide guidance to the software users to enable those settings as part of the install process.
- Clear and sufficient guidance for configuring authentication mechanisms where the software recommends, suggests, relies on, or otherwise facilitates the use of additional mechanisms (such as third-party VPNs, remote desktop features, and so on) to facilitate secure non-console access to the system on which the software is executed or directly to the software itself.
3) How to implement security updates.
- Inform users of the software updates, and provide clear and sufficient guidance on how they may be obtained and installed.
4) How and where to report security issues.
This guidance is necessary even when the specific setting either:
- Cannot be controlled by the software once the software is installed by the customer.
- Is the responsibility of the customer and not the software vendor.
Specifically outline that identification and authentication parameters must not be shared between individuals or programs, or in any way that prevents the unique identification of each access to a critical asset.
5) The guidance does not instruct the user to disable security settings or parameters within the installed environment, such as anti-malware software, firewalls, or other network-level protection systems.
6) The guidance does not instruct the user to execute the software in a privileged mode higher than what the software requires.
Imported from SD Elements: https://redhat.sdelements.com/bunits/psse-secure-development/group-2-extended-functionality-offerings/amq-clients/tasks/phase/specifications/141-T1376/