6-2.2 Significant Change

Significant changes are those changes that could affect the security of an application’s data environment. The following changes might constitute a significant change:

  1. Changing devices such as firewalls, routers, switches and servers. These changes can potentially introduce new vulnerabilities, network paths, or even errors that would go undetected until the next vulnerability scan and penetration test.
  2. Functional application changes are the most likely changes to affect security. Not only should applications be vulnerability scanned and penetration tested before being put into production, but code review and/or automated code scanning should be performed as well. If vulnerabilities are found, the vulnerabilities must be corrected or mitigated before the application goes into production.
  3. Upgrades or changes in operating systems. Going from one version of an OS to another may be just as significant as changing the OS.
  4. Network changes. Any change to the network should be considered a significant change regardless of how “minor” the change might appear. Networks can be like puzzles, and moving devices or wires can open unintended paths.
  5. Patching of operating systems or applications. Some patches, such as updates to critical services (e.g. .NET or the IP stack), should be considered significant, and vulnerability scanning and penetration testing should be run because of the nature of the patches being applied.