Phase 5: Release for LOB After deployment, several activities need to occur, including regular verification of patch management, compliance, network and host scanning, and responding to any incremental releases for hotfixes and service packs. For the SDL-LOB, these tasks are associated with the post-production assessment.

On This Page

Post-Production Assessment
Security Requirements
Security Recommendations
Resources

Post-Production Assessment

The post-production assessment is conducted by the operations team, and the service level is not dictated by the risk level. All applications/hosts/network devices are in scope for assessment on a regular basis. That is, for most organizations, these tasks take place continuously and have existing management processes in place. In which case the application “plugs-in” to those existing processes that monitor changes to the organizational infrastructure rather than occurring as a discrete post-production assessment.

Security Requirements

• The actual list of servers deployed in production will likely vary dramatically from what was initially recorded in the application portfolio at the beginning of the SDL-LOB process. Post-production, operations may own both the servers and routine scanning of those servers for vulnerabilities, patch management, and similar activities. It is a best practice to segregate the duties between the server owners and the compliance organization. The compliance organization owns scanning in a timely manner, and the application team follows the processes established by the compliance team for moving into production.
• Host-level security. Providing security for the host computer involves the following items that are audited on a regular basis on production servers:
  • Patch management. The security subject-matter expert verifies that servers have the latest applicable security updates, including updates from every software manufacturer that has software running on the server.
  • Appropriate configuration. The servers are reviewed for compliance with established baselines. For example, all unused services that are not required for the application are disabled and blocked instead of running with default settings.
  • Antivirus. Servers have antivirus software running and actively scanning all system file areas, in addition to all shared directories. All systems must have their antivirus application or signature files examined at logon to ensure that the latest antivirus application or current virus signature files are present.
  • Compliance. Verify compliance with internal business policies and external legal requirements, in addition to standards such as PCI.
• Review access control/permissions. The access control list (ACL) permission settings on all file shares and other system, database, and COM+ objects are reviewed to help prevent unauthorized access. Regular review, for example, of administrator privileges on a given server should be performed.
• Server auditing and logging. Ensuring that auditing with appropriate logging procedures for all system objects that contain business-sensitive information is enabled. Logging procedures include collecting log files and protecting access to log data to only appropriate users (members of security, internal audit, or systems management teams) with the appropriate ACLs. Even more critical is ensuring that the logs are reviewed on a regular basis and that there is some guidance for filtering critical logs from regular operational "noise."
• Network level security. The network infrastructure should be scanned for compliance with baselines (just like servers). This evaluates configuration, vulnerabilities, patch management, and other similar concerns.
• Application retirement. At some point the application will need to be retired gracefully. Are there adequate controls, contact information, and operational awareness to ensure that this can happen at the appropriate time?

Security Recommendations

• Vulnerabilities identified in production should be remediated per operational processes defined by the compliance team.
• Frequently, application teams have a variety of post-production changes to the application, ranging from a hotfix, service pack, or entirely new features. Depending on the scope, the application team either needs to start over by updating the application portfolio (which kicks off a new iteration of the SDL-LOB life cycle), or perform a subset of the SDL-LOB tasks. At a minimum, this subset should include a review/update of the threat model and selected tasks from the Internal Review conducting during the Implementation phase.

Resources

• Microsoft Baseline Security Analyzer.
• Microsoft Operation Framework Deliver Phase provides guidance for getting operational concerns reflected during the Requirements phase of project development as well as getting release readiness in place as a validation step prior to production.
• Governance, Risk, and Compliance Service Management.

Content Disclaimer

This documentation is not an exhaustive reference on the SDL process as practiced at Microsoft. Additional assurance work may be performed by product teams (but not necessarily documented) at their discretion. As a result, this example should not be considered as the exact process that Microsoft follows to secure all products. This documentation is provided “as-is.” Information and views expressed in this document, including URL and other Internet website references, may change without notice. You bear the risk of using it. This documentation does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. © 2012 Microsoft Corporation. All rights reserved. Licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported