Security check – Server and application life cycle

Here is a short overview of the server and application life cycle from an InfoSec point of view, focusing on the security aspects from project creation to end-of-life.

 

1. SOLUTION – Project (High Level)

This must be delivered BEFORE the evaluation. It makes it possible to understand the goal and risks of the solution.

  • Owner of the solution
  • Custodian / Admins in charge.
  • Function and description of the solution (Business)
  • Network zone(s) concerned [DMZ/PROD/DEV/Backbone]
  • VM (y/n)
  • Expected Delivery date to PROD
  • Machines concerned (Diagram ?)
  • Project reference.
  • RTO / RPO

2. SYSTEM Security Check

The system has to be reviewed and approved. It can start from a validated template (VMWARE or Image) to reduce the time. If the initial ‘template’ is safe and already audited, perfect.

  • Services (or daemons) in use must be reduced to only those needed
  • Check permissions (users, groups and membership)
  • Check of security software and patches
    • Patching (auto updates ?)
    • AV (Windows)
    • Firewall configuration (if enabled)
    • Monitoring (CPU, Disk, Memory)
    • Event logs syslog forwarding.
  • Check network settings.
    • Layers and protocols
    • Options
    • DNS
    • IPV6 ?
  • Security and configuration check
    • MSBPA check (Windows)
    • Nessus Scan / Nmap Scan
    • Tiger, RootKit Check (Linux)
  • Remote access documentation and check (RDP, PowerShell, VNC, SSH, xORG)

3. SOFTWARE Security Check

After the OS validation, and when the Development Team considers the solution ready to be released or delivered:

  • Each application package should be reviewed.
  • Software configuration file review.
  • Check for hard-coded authentication data and passwords (Database, config file, …)
  • Application users / admin / batch / authentication in place (Local/LDAP/AD/DB).
  • Data flows, input and output (DCOM, MsMQ, SSH, RSync, CIFS, SCP, FTP, SMTP, …)
  • Database connections
  • Inventory of Shares & Mappings.
  • Strict software inventory (Windows), high-level inventory on Linux.
  • License Compliance.
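
One way to automate the hard-coded password check from the list above, as an added example that is not part of the original checklist. The key names, placeholder patterns and sample configuration are assumptions constructed for illustration; findings are reported redacted so the report itself does not leak the secret.

```python
import re

# Assumed secret-bearing key names; extend for your own stack.
KEYS = r"(?:pass(?:word|wd)?|pwd|secret|api[_-]?key|token)"
# key = value, key: value, and connection-string parts such as "Password=x;"
ASSIGN = re.compile(
    r"([\w.-]*" + KEYS + r"[\w.-]*)\s*[=:]\s*(\"[^\"]*\"|'[^']*'|[^\s;,]+)?",
    re.I)
# scheme://user:password@host credentials embedded in a URL
URL_CRED = re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s:/@]+:([^\s@/]+)@", re.I)
# Assumed patterns for values that reference a variable or secret store
PLACEHOLDER = re.compile(r"^(\$\{.+\}|\$\w+|%\w+%|<.+>|\{\{.+\}\}|ENC\(.+\))$")

def redact(value):
    """Report only the length so the finding never leaks the secret."""
    return "*" * len(value)

def scan_config(text):
    """Return (line_no, key, redacted_value) for each literal secret found."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in URL_CRED.finditer(line):
            if not PLACEHOLDER.match(m.group(1)):
                findings.append((no, "url-credentials", redact(m.group(1))))
        for m in ASSIGN.finditer(line):
            value = (m.group(2) or "").strip("\"'")
            if value and not PLACEHOLDER.match(value):
                findings.append((no, m.group(1), redact(value)))
    return findings

# Constructed sample configuration (not from a real system).
SAMPLE = """\
[database]
host = db01.example.internal
user = app
password = "Winter2024!"
[cache]
redis_url = redis://cache:${REDIS_PASS}@cache01:6379/0
[report]
dsn = Server=db01;User Id=rpt;Password=rpt-pass;
jdbc = postgresql://svc:s3cr3t@db02:5432/app
[api]
api_key = ${API_KEY}
token =
"""

if __name__ == "__main__":
    for no, key, masked in scan_config(SAMPLE):
        print(f"line {no}: {key} = {masked}")
```

Values that only reference a variable (`${API_KEY}`) or are empty are not reported; a literal password inside a connection string or URL is.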

4. RELEASE Security Check

Some checks will have to be done before delivery to production.

  • Configurations review
  • Change review
  • Release note check.
  • Access rights review (access matrix required) – If Changed.
  • Scan Nessus / Nmap.
  • If Web services used or changed, a dedicated check to determine Web application vulnerabilities – XSS, SSL, Injection – (Skipfish/Nessus/Nikto/WebSecurify)
  • Documentation check
    • Configuration files must be described (updated)
    • Supports, FAQ, Workaround, Release note
  • Do a single AV scan (for Linux).

5. GO

If there is no blocking point or issue, the solution (or the release) can be delivered to Production.

6. Required for PRODUCTION

Some checks will have to be done before delivery to production (in case of a release, some steps were already covered and can be skipped).

Some checks have to be done regularly on the Production infrastructure:
Monitoring

  • Backups
  • Configurations
  • Security software and patches
    • Patching (auto updates ?)
    • AV (Windows)
    • Firewall configuration (if enabled)
    • Monitoring (CPU, Disk, Memory)
    • Event logs syslog forwarding.
  • Logs Management
  • Access rights (access matrix required).
  • Documentation review
    • Backups policy
    • Supports, FAQ, Workaround, Release note

7. Decommission

  • When the solution is no longer needed
  • Data cleanup (Backups, systems, …)
  • Storage Clean-up (and destruction if required)
  • Remove remote access, groups and permission (AD, LDAP, Radius, …)
  • Remove potential VPN access
