Profile Applicability:
Level 1

Description:
All changes to source code must be tracked using a version control system (VCS) such as Git, SVN, or Mercurial. This ensures that all modifications, including additions, deletions, and updates, are recorded with metadata like the author, timestamp, and change description. Using a VCS enables traceability, collaboration, and rollback capabilities, enhancing security and accountability in software development processes.

Rationale:
Tracking changes in a version control system prevents unauthorized or undocumented code changes, reduces the risk of code corruption or loss, and facilitates audit and compliance requirements. It also supports collaborative development, improves code quality through peer reviews, and enables rapid recovery from mistakes.

Impact:
Pros:

  • Improves code accountability and traceability.

  • Enables collaboration among developers.

  • Provides a history of changes for auditing and compliance.

  • Simplifies rollback to previous versions if issues occur.

Cons:

  • Requires initial setup and ongoing discipline.

  • May add overhead if not integrated properly into development workflows.

Default value:
By default, code repositories may not have enforced version control or may have incomplete tracking of changes.

Audit:
Verify that every code change is committed and pushed to a version control platform, and that each commit carries an appropriate commit message and metadata (author, timestamp).
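One way to automate the metadata part of this audit, as an added example that is not part of the benchmark text: export commit metadata with `git log --format='%H%x1f%an%x1f%ae%x1f%at%x1f%s'` and run it through the checker below. The allowed e-mail domain, the minimum subject length and the placeholder-subject patterns are assumptions for the example; the sample log is constructed, not taken from a real repository.

```python
import re
from dataclasses import dataclass

FIELD_SEP = "\x1f"      # ASCII unit separator, matches the %x1f in the git log format above
MIN_SUBJECT_LEN = 10    # assumption: shorter subjects are not a usable change description
# assumption: subjects like "WIP ..." or "fixup! ..." are placeholders, not descriptions
PLACEHOLDER_RE = re.compile(r"^(wip|temp|tmp)\b|^(fixup|squash)!", re.IGNORECASE)


@dataclass
class Finding:
    commit: str   # abbreviated commit hash
    problem: str  # human-readable description of the defect


def parse_log(log_text: str):
    """Yield (hash, author, email, epoch, subject) from the git log format above."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        parts = line.split(FIELD_SEP, 4)
        if len(parts) != 5:
            raise ValueError(f"malformed log line: {line!r}")
        yield tuple(parts)


def audit_commits(log_text: str, allowed_domain: str):
    """Return one Finding per commit metadata or message defect, in log order."""
    findings = []
    for commit, author, email, epoch, subject in parse_log(log_text):
        short = commit[:12]
        if not author.strip():
            findings.append(Finding(short, "empty author name"))
        if "@" not in email or not email.lower().endswith("@" + allowed_domain.lower()):
            findings.append(Finding(short, f"author e-mail {email!r} not in {allowed_domain}"))
        if not epoch.isdigit():
            findings.append(Finding(short, "missing or non-numeric commit timestamp"))
        if len(subject.strip()) < MIN_SUBJECT_LEN:
            findings.append(Finding(short, f"subject too short: {subject!r}"))
        elif PLACEHOLDER_RE.match(subject.strip()):
            findings.append(Finding(short, f"placeholder subject: {subject!r}"))
    return findings


# Constructed sample log: one compliant commit, one placeholder message,
# one commit authored from an address outside the allowed domain.
SAMPLE_LOG = "\n".join(FIELD_SEP.join(f) for f in [
    ("a1b2c3d4e5f60718293a4b5c6d7e8f9012345678", "Alice Example", "alice@example.com",
     "1700000000", "Validate upload size before writing to disk"),
    ("b2c3d4e5f60718293a4b5c6d7e8f901234567890", "Bob Example", "bob@example.com",
     "1700003600", "WIP: fix later"),
    ("c3d4e5f60718293a4b5c6d7e8f90123456789012", "Carol Example", "carol@gmail.example",
     "1700007200", "Rotate signing key for release pipeline"),
])
```

Any non-empty findings list is an audit failure for the repository under review; extend the checks to your own commit-message policy as needed.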

Remediation:
Implement and enforce the use of a version control system for all codebases. Train developers and relevant teams on proper version control practices. Set policies to prevent code changes outside the version control process.

References:

  1. Git Official Documentation - Version Control Basics: https://git-scm.com/book/en/v2

  2. Atlassian Git Tutorials - What is Version Control?: https://www.atlassian.com/git/tutorials/what-is-version-control

  3. CIS Controls v8, Control 6 - Maintenance, Monitoring, and Analysis of Audit Logs: https://www.cisecurity.org/controls/maintenance-monitoring-and-analysis-of-audit-logs/