Profile Applicability:
Level 2
Description:
Deployment configuration files, including Infrastructure as Code (IaC) templates (for example Terraform, CloudFormation or Kubernetes manifests), environment-specific settings (such as .env or *.tfvars files) and deployment scripts, should be stored separately from the application's source code repositories. This separation reduces the risk of accidentally exposing environment details and credentials with the application code, simplifies access control, and allows configurations and code to be managed and reviewed on their own lifecycles.
Rationale:
Separating deployment configurations from source code limits who can read sensitive configuration data: write access to application code no longer implies read access to infrastructure definitions, endpoints or environment settings. It reduces the blast radius of a leaked or accidentally published application repository, since the repository then carries no deployment details, and it allows permissions on configuration to be granted per environment or per operations role rather than to every contributor. It also keeps the history and review process of configuration changes separate from that of code changes.
Impact:
Pros:
Enhances security by isolating sensitive deployment data.
Enables finer-grained access control and auditability.
Simplifies management and updates of deployment configurations.
Supports compliance with separation of duties and data protection policies.
Cons:
May require additional infrastructure or repository management.
Could introduce complexity in deployment workflows if not properly integrated.
Default value:
Deployment configurations are often stored alongside source code, increasing risk of accidental exposure or unauthorized access.
Audit:
Review the structure of each application repository and confirm that it contains no IaC templates, environment-specific settings or deployment scripts; these should live in a dedicated configuration repository or secure store. Compare the access lists of the application repositories with those of the configuration repositories and confirm that write access to application code does not grant read access to deployment configuration. Check that a written policy, and ideally an automated pre-commit or repository scan, enforces the separation. Review the git history as well as the current tree, since files that were moved out of a repository remain in its history.
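The repository review in the audit can be partly automated. The following script is an added example written for this page; it is not part of the benchmark, nor CIS or vendor tooling. It walks an application repository checkout and flags files that belong in a separate deployment-configuration repository: Terraform state and variable files, dotenv files, Kubernetes manifests (found by directory name or by sniffing for apiVersion/kind), Helm values, Ansible inventories, Compose files, CloudFormation templates and deploy scripts. The pattern set, the severity labels and the embedded SAMPLE_REPO layout are assumptions constructed for illustration; extend the rules to match the toolchains your teams actually use.

```python
#!/usr/bin/env python3
"""Flag deployment and IaC configuration files inside an application source repository.

Added audit helper for this recommendation; not benchmark, CIS or vendor tooling.
The path patterns and content markers below are an assumed, representative set
(Terraform, Kubernetes, Helm, Ansible, CloudFormation, Docker Compose, dotenv).
"""
import os
import re
import sys

# (category, severity, regex applied to the POSIX-style path relative to the repo root)
# high   = files that routinely carry credentials or live infrastructure state
# medium = declarative deployment configuration
# review = scripts and pipeline definitions that may deploy; inspect by hand
PATH_RULES = [
    ("terraform-state", "high", r"(^|/)[^/]*\.tfstate(\.backup)?$"),
    ("terraform-vars", "high", r"(^|/)[^/]*\.tfvars(\.json)?$"),
    ("dotenv", "high", r"(^|/)\.env(\.[^/]+)?$"),
    ("terraform", "medium", r"\.tf$"),
    ("helm-chart", "medium", r"(^|/)(Chart|values[^/]*)\.ya?ml$"),
    ("kubernetes", "medium", r"(^|/)(k8s|kubernetes|manifests|deploy(ments?)?)/.*\.ya?ml$"),
    ("ansible", "medium",
     r"(^|/)((group_vars|host_vars|playbooks)/|(site|playbook[^/]*)\.ya?ml$|inventory(\.(ini|ya?ml))?$)"),
    ("docker-compose", "medium", r"(^|/)(docker-)?compose[^/]*\.ya?ml$"),
    ("deploy-script", "review", r"(^|/)(deploy[^/]*\.(sh|ps1|py)|scripts?/deploy[^/]*)$"),
    ("ci-pipeline", "review",
     r"(^|/)(\.github/workflows/[^/]+\.ya?ml|\.gitlab-ci\.ya?ml|Jenkinsfile|azure-pipelines\.ya?ml)$"),
]
IGNORE_DIRS = {".git", "node_modules", "vendor", ".venv"}
SEVERITY_ORDER = {"high": 0, "medium": 1, "review": 2}


def classify(relpath, content=""):
    """Return (category, severity) for one file, or None if it looks like ordinary
    source. Path rules run first; YAML/JSON files outside the usual directories
    are then sniffed for CloudFormation and Kubernetes markers."""
    path = relpath.replace(os.sep, "/")
    for category, severity, pattern in PATH_RULES:
        if re.search(pattern, path):
            return category, severity
    if content and re.search(r"\.(ya?ml|json)$", path):
        head = content[:4096]
        if re.search(r'\bAWSTemplateFormatVersion"?\s*:', head):
            return "cloudformation", "medium"
        if re.search(r"^apiVersion:", head, re.M) and re.search(r"^kind:", head, re.M):
            return "kubernetes", "medium"
    return None


def audit(files):
    """files maps repo-relative path -> file text. Returns findings, most severe first."""
    findings = []
    for path, content in files.items():
        hit = classify(path, content)
        if hit:
            findings.append({"path": path, "category": hit[0], "severity": hit[1]})
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["path"]))
    return findings


def audit_tree(root):
    """Read a checkout from disk (first 4 KiB of each file is enough for sniffing)."""
    files = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in IGNORE_DIRS]
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "r", encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(full, root)] = fh.read(4096)
            except OSError:
                files[os.path.relpath(full, root)] = ""
    return audit(files)


# Constructed sample layout of an application repo that violates the recommendation.
SAMPLE_REPO = {
    "src/app.py": "print('hello')\n",
    "README.md": "# app\n",
    "package.json": '{"name": "app"}\n',
    "tests/fixtures/config.yaml": "logging:\n  level: debug\n",
    "infra/main.tf": 'resource "aws_s3_bucket" "b" {}\n',
    "infra/prod.tfvars": 'db_password = "example-only"\n',
    "terraform.tfstate": "{}\n",
    ".env.production": "DATABASE_URL=postgres://app@db/app\n",
    "k8s/deployment.yaml": "apiVersion: apps/v1\nkind: Deployment\n",
    "service.yaml": "apiVersion: v1\nkind: Service\nmetadata:\n  name: web\n",
    "stack.json": '{"AWSTemplateFormatVersion": "2010-09-09"}\n',
    "scripts/deploy-prod.sh": "#!/bin/sh\nkubectl apply -f k8s/\n",
}


def main(argv):
    findings = audit_tree(argv[1]) if len(argv) > 1 else audit(SAMPLE_REPO)
    for f in findings:
        print(f"{f['severity']:<7} {f['category']:<16} {f['path']}")
    if not findings:
        print("no deployment configuration found in application repository")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 audit_deploy_config.py /path/to/checkout`; with no argument it reports on the embedded sample. The non-zero exit status when anything is flagged lets the script gate a CI job. Two caveats: a committed `.env.example` or a test fixture that happens to be a Kubernetes manifest is flagged too and must be dispositioned by hand, and the script inspects only the working tree, so a file that was moved out of the repository still has to be checked for in `git log --all`.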
Remediation:
Create dedicated repositories or secure storage locations for deployment configurations and move IaC templates, environment-specific settings and deployment scripts into them. Restrict read and write access on those repositories to the roles that deploy or operate the service, and have deployment pipelines fetch configuration from the configuration repository at deploy time with a scoped, read-only credential rather than from the application checkout. Add a repository scan or pre-commit check that blocks configuration file types from being committed to application repositories. Because moving a file does not remove it from git history, treat any credential that was ever committed to an application repository as exposed: rotate it and, where required, rewrite the history. Educate teams on the separation and the reasons for it.
References:
GitHub – GitHub flow: https://docs.github.com/en/get-started/quickstart/github-flow
CIS Controls v7, Control 14 – Controlled Access Based on the Need to Know: https://www.cisecurity.org/controls/controlled-access-based-on-need-to-know/
OWASP Secure Configuration Guide: https://owasp.org/www-project-secure-configuration-guide/