Hardening with Scapolite: a DevOps-based Approach for Improved Authoring and Testing of Security-Configuration Guides in Large-Scale Organizations
Patrick Stöckle, Ionut Pruteanu, Bernd Grobauer, Alexander Pretschner

TL;DR
This paper presents a DevOps-inspired approach for creating, maintaining, and testing security-configuration guides in large organizations, enhancing security hardening processes through automation and continuous validation.
Contribution
It introduces a systematic DevOps-based methodology for security guide authoring, maintenance, and testing, demonstrated through Siemens' implementation.
Findings
Automated pipelines generate implementation and validation artifacts.
Guides are maintained within git repositories for version control.
Testing is performed on AWS images to ensure correctness.
Abstract
Security hardening is the process of configuring IT systems to ensure the security of the systems' components and of the data they process or store. In many cases, so-called security-configuration guides are used as a basis for security hardening. These guides describe secure configuration settings for components such as operating systems and standard applications. Rigorous testing of security-configuration guides and automated mechanisms for their implementation and validation are necessary, since erroneous implementations or checks of hardening guides may severely impact systems' security and functionality. At Siemens, centrally maintained security-configuration guides carry machine-readable information specifying both the implementation and validation of each required configuration step. The guides are maintained within git repositories; automated pipelines generate the artifacts for…
