Profile Applicability:
Level 1
Description:
Every change made to the source code must be linked to an associated task, issue, or ticket within a project management or issue tracking system (e.g., Jira, GitHub Issues, Azure DevOps). This linkage ensures that code modifications are accountable, auditable, and correlated to approved work items, facilitating transparency and effective project governance.
Rationale:
Tracing code changes back to their corresponding tasks helps prevent unauthorized or undocumented changes, improves accountability, and supports audit and compliance requirements. It also aids in understanding the context and purpose of changes, streamlining debugging, code reviews, and release management.
Impact:
Pros:
Enhances traceability between code and business or security requirements.
Improves accountability and auditability of development activities.
Simplifies impact analysis and troubleshooting.
Supports compliance with regulatory and organizational policies.
Cons:
Requires disciplined adherence to linking practices.
May add administrative overhead if processes are not streamlined.
Default value:
By default, some development environments may allow code changes without mandatory association to a task or issue.
Audit:
Verify that commit messages, pull requests, or code review tools reference relevant task IDs or issue numbers consistently.
Remediation:
Implement policies and tools that enforce or encourage linking code changes to tasks. Educate developers on the importance of maintaining these references. Integrate version control systems with project management platforms where possible.
References:
Atlassian Jira Best Practices: https://www.atlassian.com/software/jira/guides/use-cases/best-practices
Git Commit Guidelines - Linking to Issues: https://chris.beams.io/posts/git-commit/
CIS Controls v8, Control 6 - Maintenance, Monitoring, and Analysis of Audit Logs: https://www.cisecurity.org/controls/maintenance-monitoring-and-analysis-of-audit-logs