Profile Applicability:
Level 2
Description:
All software artifacts, including binaries, libraries, packages, and container images, must be encrypted before being distributed externally or internally across networks. Encryption protects the confidentiality and integrity of artifacts during transit and storage, preventing unauthorized access or tampering.
Rationale:
Encrypting artifacts before distribution mitigates risks related to interception, theft, or manipulation of software components. This control helps maintain the security of the software supply chain and supports compliance with data protection and regulatory requirements.
Impact:
Pros:
Protects sensitive software components from unauthorized disclosure.
Ensures integrity and authenticity during transmission and storage.
Supports compliance with security policies and regulations.
Reduces risk of supply chain attacks.
Cons:
Requires management of encryption keys and processes.
May add overhead to build and deployment pipelines.
Default value:
By default, artifacts may be transmitted or stored without encryption, increasing exposure to risks.
Audit:
Review distribution processes and verify encryption mechanisms are applied. Inspect logs and configurations to confirm artifact encryption before transmission.
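One way to automate part of this audit, as an added example that is not part of the benchmark itself: a Python check that walks a release staging directory and reports every file that does not start with a recognised encryption envelope. It assumes the pipeline writes age or ASCII-armored OpenPGP output; the function names and the sample directory contents are hypothetical and constructed for illustration.

```python
import os
import tempfile

# Envelope headers counted as encrypted (assumption: age or ASCII-armored OpenPGP).
ENCRYPTED_HEADERS = (b"age-encryption.org/v1\n", b"-----BEGIN PGP MESSAGE-----")
# Leading magic bytes of common plaintext artifact formats.
PLAINTEXT_MAGIC = {b"\x7fELF": "ELF binary", b"\x1f\x8b": "gzip archive",
                   b"PK\x03\x04": "zip/jar/wheel"}

def classify(path):
    """Return (status, detail) for a file, judged from its leading bytes."""
    with open(path, "rb") as fh:
        head = fh.read(512)
    for header in ENCRYPTED_HEADERS:
        if head.startswith(header):
            return "encrypted", header.decode().strip()
    for magic, name in PLAINTEXT_MAGIC.items():
        if head.startswith(magic):
            return "plaintext", name
    if head[257:262] == b"ustar":  # tar magic sits at offset 257
        return "plaintext", "tar archive"
    return "unknown", "no recognised header"

def audit(outbox):
    """Walk the staging directory and list every file that is not encrypted."""
    findings = []
    for root, _dirs, files in os.walk(outbox):
        for name in files:
            path = os.path.join(root, name)
            status, detail = classify(path)
            if status != "encrypted":  # fail closed: unknown formats are findings too
                findings.append((os.path.relpath(path, outbox), status, detail))
    return sorted(findings)

def demo():
    """Build a constructed sample outbox and audit it."""
    with tempfile.TemporaryDirectory() as outbox:
        samples = {
            "app.tar.gz.age": b"age-encryption.org/v1\n-> X25519 constructed\n",
            "app.tar.gz": b"\x1f\x8b\x08\x00" + b"\x00" * 16,
            "notes.bin": b"constructed bytes, no known header",
        }
        for name, data in samples.items():
            with open(os.path.join(outbox, name), "wb") as fh:
                fh.write(data)
        return audit(outbox)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A header match only shows that an envelope is present; which keys were used and how they are managed still has to be reviewed in the pipeline configuration and logs.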
Remediation:
Integrate encryption steps into build and release pipelines. Use strong, standardized encryption algorithms and secure key management practices. Train teams on encryption requirements.
References:
NIST Special Publication 800-57 - Key Management Guidelines: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf
CIS Controls v8, Control 3 - Data Protection: https://www.cisecurity.org/controls/data-protection/
OWASP Software Supply Chain Security: https://owasp.org/www-project-software-supply-chain-security/