16.7
IG2 IG3

Use Standard Hardening Configuration Templates for Application Infrastructure

Asset Type: Applications
Security Function: Protect

Description

Use standard, industry-recommended hardening configuration templates for application infrastructure components. This includes underlying servers, databases, and web servers, and applies to cloud containers, Platform as a Service (PaaS) components, and SaaS components. Do not allow in-house developed software to weaken configuration hardening.

Implementation Checklist

1. Assess current protection controls in place
2. Configure and deploy required security controls
3. Test control effectiveness in non-production environment
4. Deploy to production and verify functionality
5. Document configuration and operational procedures
6. Select hardening benchmark (CIS Benchmarks, DISA STIGs)
7. Create baseline configuration templates
8. Deploy configurations using automation tools
9. Schedule compliance scanning to detect drift
10. Establish software authorization review process
11. Deploy application allowlisting technology
12. Maintain and update authorized software list

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Default Credentials on Application Infrastructure Components

Confidentiality

An attacker gains access to a database server or web application platform using default credentials that were never changed because no hardening configuration templates were applied during deployment.

Exploitation of Unnecessary Services on Application Server

Integrity

An attacker exploits a vulnerability in an unnecessary service running on a web server that was deployed with a default configuration rather than a hardened template.

Cloud Container Running with Excessive Privileges

Confidentiality

A container deployed without a hardening template runs as root with all capabilities enabled, and an attacker exploits a container escape vulnerability to access the underlying host.
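The container scenario above can be caught before deployment by comparing each container's settings against the hardening template. The sketch below is an added example, not part of the CIS material: it uses Kubernetes securityContext field names, while the baseline values, the allowed capability, and the sample pod are assumptions constructed for illustration.

```python
# Added example. Field names follow the Kubernetes container securityContext
# schema; the baseline values and sample pod are constructed for illustration.
BASELINE = {
    "runAsNonRoot": True,
    "privileged": False,
    "allowPrivilegeEscalation": False,
    "readOnlyRootFilesystem": True,
}
ALLOWED_ADD = {"NET_BIND_SERVICE"}  # assumed template allowance

def audit_container(container):
    """Return findings where one container spec deviates from BASELINE."""
    ctx = container.get("securityContext") or {}
    findings = []
    for key, want in BASELINE.items():
        # An unset field is drift too: the template must state it explicitly.
        if ctx.get(key) != want:
            findings.append(f"{key}: want {want}, found {ctx.get(key, 'unset')}")
    if ctx.get("runAsUser") == 0:
        findings.append("runAsUser: pinned to UID 0 (root)")
    caps = ctx.get("capabilities") or {}
    if "ALL" not in {c.upper() for c in caps.get("drop") or []}:
        findings.append("capabilities.drop: template requires ALL")
    for cap in sorted({c.upper() for c in caps.get("add") or []} - ALLOWED_ADD):
        findings.append(f"capabilities.add: {cap} not permitted by template")
    return findings

def audit_pod(pod):
    """Map container name -> findings for every non-compliant container."""
    spec = pod.get("spec", {})
    report = {}
    for c in (spec.get("initContainers") or []) + (spec.get("containers") or []):
        findings = audit_container(c)
        if findings:
            report[c.get("name", "<unnamed>")] = findings
    return report

HARDENED_CTX = dict(BASELINE, runAsUser=10001,
                    capabilities={"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]})
SAMPLE_POD = {"spec": {"containers": [  # constructed sample
    {"name": "web", "securityContext": HARDENED_CTX},
    {"name": "worker"},  # deployed with defaults, no securityContext at all
    {"name": "agent", "securityContext": {
        "privileged": True, "runAsUser": 0,
        "capabilities": {"add": ["SYS_ADMIN"]}}},
]}}

if __name__ == "__main__":
    for name, findings in audit_pod(SAMPLE_POD).items():
        for f in findings:
            print(f"{name}: {f}")
```

Run against rendered manifests in CI and again on a schedule against live workloads, the same check serves as the drift scan in checklist item 9.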

Vulnerabilities (When Safeguard Absent)

Application Infrastructure Deployed with Default Configurations

Without hardening templates, application infrastructure including servers, databases, and containers is deployed with default settings that include unnecessary services, default credentials, and excessive permissions.

No Standardized Security Baseline for Application Components

Absence of industry-recommended hardening templates means each deployment may have a different and often insufficient security configuration, creating inconsistent and unpredictable attack surfaces.

Evidence Requirements

| Type | Evidence Item | Collection Frequency |
|------|---------------|----------------------|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Technical | Configuration compliance scan results against approved baseline | Scanned monthly |
| Document | Approved baseline configuration documentation | Reviewed quarterly |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |