Profile Applicability:
Level 1

Description:
Repository webhooks must be configured and secured to prevent unauthorized or malicious payloads from triggering automated processes. Security measures include validating webhook payload signatures, restricting webhook IP ranges, and using secure communication channels (HTTPS). Proper webhook security helps maintain the integrity of CI/CD pipelines and other integrations triggered by repository events.

Rationale:
Unsecured webhooks can be exploited to execute unauthorized actions, inject malicious code, or disrupt development workflows. Securing webhooks mitigates the risk of external attacks and ensures only trusted and verified requests are processed, maintaining the confidentiality, integrity, and availability of automated systems.

Impact:
Pros:

  • Prevents unauthorized or malicious webhook-triggered actions.

  • Protects CI/CD pipelines and integration points.

  • Enhances overall repository and automation security.

  • Supports compliance with security best practices.

Cons:

  • Requires additional configuration and maintenance.

  • May complicate integration setup if not properly managed.

Default value:
By default, webhooks may not have signature verification or IP restrictions enabled, leaving them vulnerable.

Audit:
Review webhook configurations for signature verification settings, IP allowlisting, and use of HTTPS. Test webhook endpoints to confirm that deliveries with a missing or invalid signature are rejected and that errors are handled properly.

Remediation:
Enable webhook signature validation: configure a secret token on each webhook and verify the HMAC signature of every delivery against the raw request body before processing it. Restrict webhook delivery to trusted IP ranges where the platform supports it. Ensure webhook endpoints use HTTPS with valid certificates. Document and enforce webhook security policies.
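A receiver-side check for the HMAC signature validation described above, written as an added example (it is not part of this benchmark or of any platform's own code). It assumes the `sha256=<hex>` format GitHub sends in its `X-Hub-Signature-256` header (reference 1) and uses a constructed secret and payload.

```python
import hashlib
import hmac

# Header name GitHub uses for SHA-256 signatures (see reference 1).
SIGNATURE_HEADER = "X-Hub-Signature-256"


def expected_signature(secret: bytes, raw_body: bytes) -> str:
    """Signature the sender should have produced: 'sha256=' + hex(HMAC-SHA256(secret, body))."""
    return "sha256=" + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, raw_body: bytes, headers: dict) -> bool:
    """Return True only when the delivery carries a valid signature over the raw body.

    raw_body must be the exact bytes received, before any JSON parsing or
    re-serialisation, or the HMAC will not match what the sender computed.
    """
    if not secret:
        return False  # a receiver with no secret configured must not accept deliveries
    # HTTP header names are case-insensitive; normalise before lookup.
    provided = next((v for k, v in headers.items() if k.lower() == SIGNATURE_HEADER.lower()), None)
    if not provided or not provided.startswith("sha256="):
        return False  # missing header, or an older scheme such as sha1=
    expected = expected_signature(secret, raw_body)
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(expected, provided)


# Constructed sample delivery (not a real secret or payload).
DEMO_SECRET = b"constructed-demo-secret"
DEMO_BODY = b'{"ref":"refs/heads/main","repository":{"full_name":"example/repo"}}'


def demo() -> dict:
    """Exercise the accept path and the reject paths a receiver must handle."""
    good = {SIGNATURE_HEADER: expected_signature(DEMO_SECRET, DEMO_BODY)}
    return {
        "valid": verify_webhook(DEMO_SECRET, DEMO_BODY, good),
        "tampered_body": verify_webhook(DEMO_SECRET, DEMO_BODY + b" ", good),
        "missing_header": verify_webhook(DEMO_SECRET, DEMO_BODY, {}),
        "wrong_secret": verify_webhook(b"not-the-secret", DEMO_BODY, good),
        "no_secret_configured": verify_webhook(b"", DEMO_BODY, good),
    }


if __name__ == "__main__":
    print(demo())
```

Only the `valid` case returns True; every other entry in `demo()` is a delivery the endpoint must reject before any pipeline or integration runs.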

References:

  1. GitHub Securing Your Webhooks: https://docs.github.com/en/developers/webhooks-and-events/webhooks/securing-your-webhooks

  2. GitLab Webhook Security: https://docs.gitlab.com/ee/user/project/integrations/webhooks.html#secure-webhooks

  3. OWASP Webhooks Security Guidelines: https://owasp.org/www-project-secure-headers/#webhooks

  4. CIS Controls v8, Control 16 - Application Software Security: https://www.cisecurity.org/controls/application-software-security/