DocumentCode
3308021
Title
Appraisals Based on Security Best Practices for Software Configurations
Author
Neto, Afonso Araújo ; Vieira, Marco
Author_Institution
Dept. of Inf. Eng., Univ. of Coimbra, Coimbra, Portugal
fYear
2009
fDate
1-4 Sept. 2009
Firstpage
57
Lastpage
64
Abstract
Protecting systems and data from malicious access and corruption requires the existence of effective security mechanisms and the correct configuration of those mechanisms. Configuring large software systems for security is a complex task, entailing a lot of expertise that many administrators do not have. This paper proposes a generic methodology to condense widespread information about security best practices into easy-to-use appraisals for three scenarios: 1) to assess how effective software configurations are in terms of fulfilling best practices; 2) to understand the set of best practices that can be implemented when using a given software product; and 3) to evaluate how well a system administrator knows existing security best practices. Following this methodology, we defined an appraisal for database system configurations, which was used to evaluate four real installations. Experimental results show the usefulness of this kind of security appraisal.
Keywords
security of data; database system configuration appraisal; malicious access; security appraisal; security best practices; security mechanism; software configuration; system administrator; Appraisal; Best practices; Data engineering; Data security; Database systems; Informatics; Information security; Protection; Scholarships; Software systems;
fLanguage
English
Publisher
ieee
Conference_Titel
Dependable Computing, 2009. LADC '09. Fourth Latin-American Symposium on
Conference_Location
Joao Pessoa
Print_ISBN
978-1-4244-4678-0
Electronic_ISBN
978-0-7695-3760-3
Type
conf
DOI
10.1109/LADC.2009.18
Filename
5234319