Skip to content

PW.9: Configure Software to Have Secure Settings by Default

Help improve the security of the software at the time of installation to reduce the likelihood of the software being deployed with weak security settings, putting it at greater risk of compromise.

PW.9.1

Define a secure baseline by determining how to configure each setting that has an effect on security or a security-related setting so that the default settings are secure and do not weaken the security functions provided by the platform, network infrastructure, or services.

Implementation Examples
  • Example 1: Conduct testing to ensure that the settings, including the default settings, are working as expected and are not inadvertently causing any security weaknesses, operational issues, or other problems.
References
  • BSAFSS: CF.1
  • BSIMM: SE2.2
  • EO14028: 4e(iv), 4e(ix)
  • IDASOAR: 23
  • IEC62443: SD-4, SVV-1, SG-1
  • ISO27034: 7.3.5
  • SCAGILE: Tasks Requiring the Help of Security Experts 12
  • SCSIC: Vendor Software Delivery Integrity Controls, Vendor Software Development Integrity Controls
  • SP800181: SP-DEV-002; K0009, K0039, K0073, K0153, K0165, K0275, K0531; S0167

PW.9.2

Implement the default settings (or groups of default settings, if applicable), and document each setting for software administrators.

Implementation Examples
  • Example 1: Verify that the approved configuration is in place for the software.
  • Example 2: Document each setting’s purpose, options, default value, security relevance, potential operational impact, and relationships with other settings.
  • Example 3: Use authoritative programmatic technical mechanisms to record how each setting can be implemented and assessed by software administrators.
  • Example 4: Store the default configuration in a usable format and follow change control practices for modifying it (e.g., configuration-as-code).
References
  • BSAFSS: CF.1
  • BSIMM: SE2.2
  • EO14028: 4e(iv), 4e(ix)
  • IDASOAR: 23
  • IEC62443: SG-3
  • OWASPSAMM: OE1-A
  • PCISSLC: 8.1, 8.2
  • SCAGILE: Tasks Requiring the Help of Security Experts 12
  • SCFPSSD: Verify Secure Configurations and Use of Platform Mitigation
  • SCSIC: Vendor Software Delivery Integrity Controls, Vendor Software Development Integrity Controls
  • SP80053: SA-5, SA-8(23)
  • SP800161: SA-5, SA-8(23)
  • SP800181: SP-DEV-001; K0009, K0039, K0073, K0153, K0165, K0275, K0531