Summary

Applications should run isolated from other applications (using sandboxing, jails, containers, etc).

Description

These mechanisms provide controlled environments in which applications can operate, limiting their access to system resources and interactions with other applications. When these isolation methods are implemented, compromised or malicious applications are less likely to affect the overall system.

References

• CAPEC-124. Shared resource manipulation
• OWASPM10-M8. Code tampering
• AGILE-11. Best architectures, requirements, and designs
• MISRAC-2_1. Assembly language shall be encapsulated and isolated
• HITRUST-01_w. Sensitive system isolation
• HITRUST-09_d. Separation of development, test and operational environments
• ISO27002-8_7. Protection against malware
• ISO27002-8_26. Application security requirements
• NISTSSDF-PO_5_1. Implement and maintain secure environments for software development
• ISSAF-S_5_7. Web server security - Countermeasures (Compartmentalize web server process)
• OWASPSCP-10. System configuration
• BSAFSS-SC_4-1. Secure Coding (software architecture and design)
• ASVS-1_14_5. Configuration architecture
• ASVS-14_2_6. Dependency
• C2M2-9_2_l. Implement network protections for cybersecurity architecture
• SIGLITE-SL_88. Is development, test, and staging environment separate from the production environment?
• ASVS-5_2_8. Sanitization and sandboxing
• PADSS-8_1. Secure network environment
• ISO27001-8_7. Protection against malware
• ISO27001-8_26. Application security requirements
• CASA-1_14_5. Configuration Architecture

Weaknesses

• 126. Lack of isolation methods