Uploaded image for project: 'OpenShift Cloud'
  1. OpenShift Cloud
  2. OCPCLOUD-2642 Setup OCP build of Azure Service Operator
  3. OCPCLOUD-2799

T1376: Provide and maintain guidance on secure installation, maintenance, and configuration of all software components

XMLWordPrintable

    • Icon: Sub-task Sub-task
    • Resolution: Unresolved
    • Icon: Major Major
    • None
    • None
    • False
    • None
    • False
    • CLOUD Sprint 255, CLOUD Sprint 256, CLOUD Sprint 257, CLOUD Sprint 258, CLOUD Sprint 259, CLOUD Sprint 260, CLOUD Sprint 261, CLOUD Sprint 263, CLOUD Sprint 264, CLOUD Sprint 262

      Provide details on how to validate the version of your software and clearly indicate for which versions of the software guidance is written.

      Provide guidance on:

      1) How to implement and operate the software securely.

      • Detailed instructions on how to configure all available security options and parameters of the software.
      • Information on user account requirements and recommendations associated with the use of the product.
      • Where the software utilizes other systems for maintenance of tracking data, such as a log server, provide clear and sufficient guidance on the correct and complete setup and/or integration of the software with the log storage system.
      • Where third-party or execution-environment features are relied upon for the security of the transmitted data, provide clear and sufficient guidance on how to configure such features are included in the software implementation guidance made available to stakeholders
      • Where cryptographic methods provided by third-party software or aspects of the execution environment or platform on which the application is run are relied upon for the protection of sensitive data, provide clear and sufficient detail for correctly configuring these methods during the installation, initialization, or first use of the software in the implementation guidance.

      2) How to set configuration options of the execution environment and system components.

      • Clear and sufficient guidance for enabling any software security controls, features, or functions where user input or interaction is required to be mapped to this control correctly.
      • Clear and sufficient guidance for disabling or changing any authentication credentials or keys for built-in accounts where user input or interaction is required.
      • Clear and sufficient guidance for the process of configuring the retention period of sensitive data (transient and persistent) where user input or interaction is required.
      • Clear and sufficient guidance on the process of configuring protection methods where user input or interaction is required.
      • When any mitigation relies on features of the execution environment, provide guidance to the software users to enable those settings as part of the install process.
      • Clear and sufficient guidance for configuring authentication mechanisms where the software recommends, suggests, relies on, or otherwise facilitates the use of additional mechanisms (such as third-party VPNs, remote desktop features, and so on) to facilitate secure non-console access to the system on which the software is executed or directly to the software itself.

      3) How to implement security updates.

      • Inform users of the software updates, and provide clear and sufficient guidance on how they may be obtained and installed.

      4) How and where to report security issues.

      This guidance is necessary even when the specific setting either:

      • Cannot be controlled by the software once the software is installed by the customer.
      • Is the responsibility of the customer and not the software vendor.
        - Specifically outline that identification and authentication parameters must not be shared between individuals, programs, or in any way that prevents the unique identification of each access to a critical asset.
        

      5) Does not instruct the user to disable security settings or parameters within the installed environment, such as anti-malware software or firewall or other network-level protection systems.

      6) Does not instruct the user to execute the software in a privileged mode higher than what is required by the software.

      7) The security defence-in-depth strategy for the product to support installation, operation and maintenance.

      • This includes security capabilities implemented by the product and their role in the defence-in-depth strategy, threats addressed by the defence-in-depth strategy, product user mitigation strategies for known security risks associated with the product, including risks associated with legacy code and the security defence in depth measures expected to be provided by the external environment in which the product is to be used.

      Imported from SD Elements: https://redhat.sdelements.com/bunits/psse-secure-development/group-1-foundational-platform-offering-openshift/azure-service/tasks/phase/specifications/261-T1376/

      Training Modules

      Opsec Fundamentals
      PCI SSF Compliance
      PCI Secure Software Lifecycle

              Unassigned Unassigned
              sdelements Jira-SD-Elements-Integration Bot
              Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

                Created:
                Updated: