Configuration management is an aspect of secure coding. A security professional needs to understand what configuration management is, what its essential properties are, and how it works within secure coding.
In particular, configuration management is a fundamental aspect of secure coding in the following ways:
- Maintaining a durable configuration history
- Providing a foundation for a secure coding environment
- Creating secure baselines
It has been said that software programming is the only art form that fights back. Software solutions are complex human artifacts. A software solution is composed of many different parts, often many files from many different sources. Variety like this makes software solutions complex to manage. In addition to this variety, the very nature of software is to change.
Software evolves as business needs evolve and change. As the elements that compose a software solution change, the software solution’s functionality, side effects, and configuration change. Software development is a practice in managing multiple moving targets.
Configuration management is the means of maintaining knowledge of, and control over, the artifacts that compose a software solution and their state. It captures and documents the current state of the software, libraries, frameworks, operating systems, patching, and hardware, including versions, patch levels, configurations, documentation, and all the other elements that make up a software-based solution. This is necessary for the correct and secure functionality of the solution.
The basic building blocks of software configuration management are the following:
- Configuration item: A configuration item is the atom of configuration management. Configuration items are things such as software source code files, requirements documents, software libraries, or program resources such as image or video files. A configuration item is an individual element that is part of the configuration of a software system. A configuration item must be uniquely identified to be distinct from other configuration items. A configuration item is subject to change with changes to the software system. A collection of configuration items makes up a baseline.
- Baseline: A baseline is an immutable set of configuration items that have immutable states. A baseline may have the properties of being associated with workflows, workload environments, conditions of approval, or qualitative states such as security. As such, a baseline is an identified configuration and is thus a special version.
- Version: A version is a concept that describes the immutable state of a configuration item, a set of configuration items, or a baseline. A version is associated with a change set. When a change set is applied to a previous version of a baseline, it creates a new version of that baseline. Versions are typically identified by labels.
- Change set: A change set is a group of related changes to configuration items, and it is the basis of how changes to the software system are controlled. Change sets are subject to code review, quality assurance, testing, verification, and acceptance measures.
- Branch: A branch in configuration management terms has two definitions. The first is a noun: a branch identifies a set of versioned configuration items that are being developed in parallel to the main configuration. The second is a verb: to branch is to copy off a set of configuration items for parallel development. A main branch, or trunk, is the base configuration from which all other branches are derived.
Note that while some of these terms have specific definitions in other contexts, they are being described in the context of their role as building blocks of software configuration management. These building blocks form the essential conceptual basis of configuration management. A version control system materializes these concepts for practical use. A version control system, also known as source code version control or revision control, is a software tool that organizes, manages, and documents the changes to configuration items.
The chief aim of configuration management of software is to maintain visibility and control over all of the elements that compose a software system. A change to any of the configuration items can introduce a bug or flaw to the software. Uncontrolled changes can ultimately lead to potentially exploitable vulnerabilities in the software. A change control process manages ongoing differences in the software code and configuration.
In this sense, configuration management also relates to the larger discipline of change management. Change management is discussed earlier in the chapter in the section “Change Management.”
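The building blocks above can be modeled directly. The following is an added example, not code from the original text: it treats a baseline as a read-only map of configuration item identifiers to content hashes, applies a change set to produce a new version, and reports uncontrolled changes as drift from the baseline. All names (Baseline, make_baseline, apply_change_set, drift) and the sample items are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass
from types import MappingProxyType

def digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()

@dataclass(frozen=True)
class Baseline:
    label: str               # version label, e.g. "v1.0"
    items: MappingProxyType  # read-only map: configuration item id -> SHA-256 of content

    @property
    def fingerprint(self) -> str:
        """One identifier for the whole baseline, independent of item order."""
        h = hashlib.sha256()
        for item_id in sorted(self.items):
            h.update(f"{item_id}\x00{self.items[item_id]}\n".encode())
        return h.hexdigest()

def make_baseline(label: str, contents: dict) -> Baseline:
    return Baseline(label, MappingProxyType({k: digest(v) for k, v in contents.items()}))

def apply_change_set(base: Baseline, label: str, changes: dict) -> Baseline:
    """changes maps item id -> new bytes, or None to remove; base is left untouched."""
    items = dict(base.items)
    for item_id, content in changes.items():
        if content is None:
            items.pop(item_id, None)
        else:
            items[item_id] = digest(content)
    return Baseline(label, MappingProxyType(items))

def drift(baseline: Baseline, observed: dict) -> dict:
    """Report every observed difference from the baseline (an uncontrolled change)."""
    findings = {}
    for item_id, expected in baseline.items.items():
        if item_id not in observed:
            findings[item_id] = "missing"
        elif digest(observed[item_id]) != expected:
            findings[item_id] = "modified"
    for item_id in observed.keys() - baseline.items.keys():
        findings[item_id] = "unexpected"
    return findings

# Constructed sample configuration items (not from the original text).
V1_CONTENTS = {"src/app.py": b"print('hello')\n",
               "config/tls.conf": b"min_version = TLSv1.2\n"}
```

Comparing a deployed tree against the approved baseline with drift() surfaces any item that changed outside a reviewed change set, while the earlier baseline object remains available as the durable history.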