Benchmark: 3.13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems
Description
Organizations apply systems security engineering principles to new development systems or systems undergoing major upgrades. For legacy systems, organizations apply systems security engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems. The application of systems security engineering concepts and principles helps to develop trustworthy, secure, and resilient systems and system components and reduce the susceptibility of organizations to disruptions, hazards, and threats. Examples of these concepts and principles include developing layered protections; establishing security policies, architecture, and controls as the foundation for design; incorporating security requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk. Organizations that apply security engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk-management decisions.
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-azure-compliance
Start the Powerpipe server:
steampipe service startpowerpipe server
Open http://localhost:9033 in your browser and select 3.13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.
Run this benchmark in your terminal:
powerpipe benchmark run azure_compliance.benchmark.nist_sp_800_171_rev_2_3_13_2
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run azure_compliance.benchmark.nist_sp_800_171_rev_2_3_13_2 --share
Controls
- API Management services should use a virtual network
- App Configuration should use private link
- Web Application Firewall (WAF) should be enabled for Application Gateway
- Cognitive Services should use private link
- Cognitive Services accounts should have local authentication methods disabled
- Disk access resources should use private link
- Management ports of virtual machines should be protected with just-in-time network access control
- All network ports should be restricted on network security groups associated to your virtual machine
- Internet-facing virtual machines should be protected with network security groups
- Container registries should not allow unrestricted network access
- Container registries should use private link
- CosmosDB accounts should use private link
- Azure Cosmos DB accounts should have firewall rules
- Azure Data Factory should use private link
- Azure Event Grid domains should use private link
- Azure Event Grid topics should use private link
- Event Hub namespaces should use private link
- Web Application Firewall (WAF) should be enabled for Azure Front Door Service
- Azure API for FHIR should use private link
- IoT Hub device provisioning service instances should use private link
- Azure Key Vault should have firewall enabled
- Azure Key Vaults should use private link
- Authorized IP ranges should be defined on Kubernetes Services
- Private endpoint should be enabled for MariaDB servers
- Public network access should be disabled for MariaDB servers
- Private endpoint should be enabled for MySQL servers
- Public network access should be disabled for MySQL servers
- IP Forwarding on your virtual machine should be disabled
- Management ports should be closed on your virtual machines
- Subnets should be associated with a Network Security Group
- Private endpoint should be enabled for PostgreSQL servers
- Public network access should be disabled for PostgreSQL servers
- Azure Cache for Redis should use private link
- Azure Cognitive Search services should disable public network access
- Azure Cognitive Search services should use private link
- Azure Cognitive Search service should use a SKU that supports private link
- Azure Service Bus namespaces should use private link
- Azure SignalR Service should use private link
- Public network access on Azure SQL Database should be disabled
- Private endpoint connections on Azure SQL Database should be enabled
- Storage account public access should be disallowed
- Storage accounts should restrict network access
- Storage accounts should restrict network access using virtual network rules
- Storage accounts should use private link
- Azure File Sync should use private link
- Azure Synapse workspaces should use private link