Comments by: Tim Mackey, Principal Security Strategist, Synopsys Software Integrity Group
With the prevalence of misconfigured databases, it’s clear that some teams lack the ability to confirm they are using a secure configuration for their production systems. There are a number of potential remedies, but one of the simplest is to define an exception-based update model for configuration settings. Under this model, an audit-level review of configuration data is performed to create a set of approved configuration settings and files. Any update to those previously approved settings then requires that same audit-level review for the changes, and current configuration is always validated against approved settings. While there are a number of technologies that can be used to implement exception-based updates, this is a case where a well-defined process with automated checks is far more valuable than the technology implementing the process.
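One way to automate the "validate current configuration against approved settings" step described in the comment above, as an added example that is not from the commenter or from Synopsys. The setting names, the baseline layout and the sample values are hypothetical and constructed for illustration.

```python
import hashlib
import json

def canonical(value) -> str:
    """Canonical JSON text, so comparisons ignore key order but not type."""
    return json.dumps(value, sort_keys=True, separators=(",", ":"))

def fingerprint(settings: dict) -> str:
    """SHA-256 over the canonical form; recorded when the audit signs off."""
    return hashlib.sha256(canonical(settings).encode("utf-8")).hexdigest()

def find_exceptions(approved: dict, current: dict) -> list:
    """Return every deviation of the current settings from the approved set."""
    exceptions = []
    for key in sorted(approved.keys() | current.keys()):
        if key not in current:
            exceptions.append((key, "missing", approved[key], None))
        elif key not in approved:
            exceptions.append((key, "unapproved", None, current[key]))
        elif canonical(approved[key]) != canonical(current[key]):
            exceptions.append((key, "changed", approved[key], current[key]))
    return exceptions

def validate(baseline: dict, current: dict) -> list:
    """Empty list means the live config matches what was reviewed."""
    # The baseline itself must still match the digest recorded at review time.
    if baseline["sha256"] != fingerprint(baseline["settings"]):
        raise ValueError("approved baseline was modified after review")
    if fingerprint(current) == baseline["sha256"]:
        return []
    return find_exceptions(baseline["settings"], current)

# Constructed sample data: hypothetical setting names for a database service.
APPROVED = {"bind_address": "10.0.0.5", "require_auth": True, "tls_enabled": True}
BASELINE = {"settings": APPROVED, "sha256": fingerprint(APPROVED)}
LIVE = {"bind_address": "0.0.0.0", "require_auth": False,
        "tls_enabled": True, "debug_console": True}

if __name__ == "__main__":
    for key, kind, want, got in validate(BASELINE, LIVE):
        print(f"REVIEW REQUIRED {kind:10} {key}: approved={want!r} current={got!r}")
```

Run on a schedule or as a deployment gate, any non-empty result is an exception that goes back through the same review that produced the baseline.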