Last week, I sat down to a project meeting. The project is implementing SharePoint 2007. As I looked over the sprawling Gantt chart, one thing immediately struck my attention. No security tasks!
The first objective in securing web access is to get security integrated into the deployment project plan. The second objective is to get regular security reviews integrated into the change management process. That way, you can be reasonably assured that the system goes in secure and stays secure.
As a bonus, this approach means that security is not a roadblock but just another task. System owners and engineering often want to avoid security review out of concern that it slows down the implementation. This can be avoided by baking it into the project. After all, a few hours pale when listed next to the hours the implementation team is spending. In this particular case, the InfoSec tasks are 48 hours out of 400, or 12%.
What am I doing with this time? First, securing the OS and web server. For that, I am looking at CIS (Center for Internet Security) and SCW (Security Configuration Wizard) templates. I am also using IISLockdown to further tighten up the system. Second, following vendor guidance to secure the application. Microsoft has excellent whitepapers that detail their security guidance. Finally, I am testing the implementation. This means using tools such as WebScarab and the skills I learned from the SANS AUD507 course.
In sum, I think it is important that network administrators include InfoSec as part of their project plans and ongoing maintenance. InfoSec professionals should use this time wisely to check the OS, web server, and application. The first time around, we play the part of the architect designing the locked-down building. The second time around, during maintenance, we play the part of the night watchman, rattling the doors to make sure they are still closed and locked.
Center for Internet Security
Security Configuration Wizard
How To: Use IISLockdown.exe