
Bandolier Audit Files Put Through Their Paces

More exciting news from the Bandolier project: we are wrapping up extensive collaborative testing with one of our vendor partners. It is the most thorough outside review of the Bandolier audit files to date, and we are very pleased with the results. With each development and testing cycle we apply what we have learned to the audit files for other vendors and refine the assessment methodology. This review has solidified our opinion on application vendor involvement, reiterated the importance of the OS-level checks, and pushed us to develop a better set of checks.

We blogged recently on the benefit of vendor involvement and this most recent testing process has certainly corroborated our feelings on the subject. The ability to tap into the application’s developers and top security talent definitely helps us create the best set of checks possible. The vendors are also intimately familiar with development and testing processes and can provide QA assistance by testing the audit files in their labs.

We’ve observed that application vendors that are serious about security are taking steps to deliver the underlying operating system in a hardened state. This sometimes includes additional hardening documentation and, for Windows systems, group policies that dictate a number of important security settings. We discussed before how our expectations about the relative value of the application checks and the OS checks shifted a little: the OS checks, tailored to the application, have proven to be a very important part of Bandolier.

To capture Windows security settings, we use a variety of collection techniques, and Tenable provides some tools that have been helpful. The first, the Windows Nessus Policy Creator (WNPC), is a simple executable run on the Windows machine itself; it gathers many of the typical Windows security settings and translates them into audit checks. The second, i2a (inf to audit), generates an audit file from a Microsoft .inf security template file. (We’ll discuss the configuration-to-audit tool (c2a) for Linux in a later post.)
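To make the inf-to-audit step concrete, here is a small converter written for this post as an illustration. It is not Tenable's i2a and not Bandolier code: it parses a constructed security template of the kind `secedit /export` writes (the `[System Access]` and `[Registry Values]` sections), maps a handful of settings to Nessus `.audit` `<custom_item>` blocks, and reports anything its tables do not cover so a reviewer can add the check by hand rather than lose it silently. The `password_policy`/`lockout_policy` keywords and `value_type` names are my recollection of the `.audit` format and should be checked against Tenable's compliance-check reference before use.

```python
"""Turn a Windows security template (.inf) into Nessus .audit checks.

Constructed illustration of what an inf-to-audit step does; this is not
Tenable's i2a, and the keyword/value_type mapping below is an assumption
drawn from the .audit format, covering only a handful of settings.
"""

# Constructed sample template, as secedit /export or the Security Templates
# snap-in would write it (real exports are UTF-16LE; decoded to str here).
SAMPLE_INF = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 90
MinimumPasswordLength = 12
PasswordComplexity = 1
PasswordHistorySize = 24
RequireLogonToChangePassword = 0
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,"Authorized use only"
[Version]
signature="$CHICAGO$"
Revision=1
"""

# [System Access] key -> (check type, policy keyword, value_type, description)
SYSTEM_ACCESS = {
    "MinimumPasswordLength": ("PASSWORD_POLICY", "MINIMUM_PASSWORD_LENGTH", "POLICY_DWORD", "Minimum password length"),
    "PasswordHistorySize": ("PASSWORD_POLICY", "ENFORCE_PASSWORD_HISTORY", "POLICY_DWORD", "Enforce password history"),
    "MaximumPasswordAge": ("PASSWORD_POLICY", "MAXIMUM_PASSWORD_AGE", "TIME_DAY", "Maximum password age"),
    "MinimumPasswordAge": ("PASSWORD_POLICY", "MINIMUM_PASSWORD_AGE", "TIME_DAY", "Minimum password age"),
    "PasswordComplexity": ("PASSWORD_POLICY", "COMPLEXITY_REQUIREMENTS", "POLICY_SET", "Password must meet complexity requirements"),
    "LockoutBadCount": ("LOCKOUT_POLICY", "LOCKOUT_THRESHOLD", "POLICY_DWORD", "Account lockout threshold"),
    "LockoutDuration": ("LOCKOUT_POLICY", "LOCKOUT_DURATION", "TIME_MINUTE", "Account lockout duration"),
    "ResetLockoutCount": ("LOCKOUT_POLICY", "LOCKOUT_RESET", "TIME_MINUTE", "Reset account lockout counter after"),
}
# .inf registry type code -> .audit value_type (4 = REG_DWORD, 1 = REG_SZ; others skipped)
REG_TYPES = {"4": "POLICY_DWORD", "1": "POLICY_TEXT"}


def parse_inf(text):
    """Return {section: [(key, value), ...]}; blank lines and ';' comments skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip()))
    return sections


def custom_item(check_type, description, value_type, value_data, selector):
    """Render one <custom_item>; selector is the list of (keyword, value) lines
    that tell Nessus which policy or registry value the check applies to."""
    body = [f" type: {check_type}", f' description: "{description}"',
            f" value_type: {value_type}", f" value_data: {value_data}"]
    body += [f" {k}: {v}" for k, v in selector]
    return "<custom_item>\n" + "\n".join(body) + "\n</custom_item>"


def inf_to_audit(text):
    """Return (audit_text, skipped). skipped lists template settings the mapping
    tables do not cover, so they get reviewed instead of silently dropped."""
    sections = parse_inf(text)
    items, skipped = [], []
    for key, value in sections.get("System Access", []):
        if key not in SYSTEM_ACCESS:
            skipped.append(f"[System Access] {key}")
            continue
        check_type, keyword, value_type, desc = SYSTEM_ACCESS[key]
        if value_type == "POLICY_SET":  # 1/0 flags become Enabled/Disabled
            value = '"Enabled"' if value == "1" else '"Disabled"'
        selector = [(check_type.split("_")[0].lower() + "_policy", keyword)]
        items.append(custom_item(check_type, desc, value_type, value, selector))
    for key, value in sections.get("Registry Values", []):
        type_code, _, data = value.partition(",")
        if type_code not in REG_TYPES or not key.startswith("MACHINE\\"):
            skipped.append(f"[Registry Values] {key}")
            continue
        path, _, item = key.rpartition("\\")
        reg_key = "HKLM" + path[len("MACHINE"):]  # MACHINE\... -> HKLM\...
        value_type = REG_TYPES[type_code]
        if value_type == "POLICY_TEXT":
            data = '"' + data.strip('"') + '"'
        items.append(custom_item("REGISTRY_SETTING", f"{item} ({reg_key})", value_type, data,
                                 [("reg_key", f'"{reg_key}"'), ("reg_item", f'"{item}"')]))
    audit = '<check_type:"Windows" version:"2">\n\n' + "\n\n".join(items) + "\n\n</check_type>\n"
    return audit, skipped


if __name__ == "__main__":
    text, missed = inf_to_audit(SAMPLE_INF)
    print(text)
    for entry in missed:
        print("# not mapped, review by hand:", entry)
```

The generated blocks still need the organization and descriptions a human reviewer would add before they ship; the point of the `skipped` list is that a converter should make its own blind spots visible.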

An important lesson from the recent testing concerned the review of checks generated by these automated tools: their output is a starting point, not a finished audit file. The vendor pushed us to improve the baseline OS files with better organization, clearer descriptions, and additional checks. These improvements will lead to better Windows server and workstation OS files for all the Bandolier applications.

Having this thorough outside review was definitely beneficial. In the meantime, support for and interest in the project continue to ramp up. Other big news for Bandolier: next week at PCSF we will announce the final list of audit files.
