Profile Applicability:
Level 1
Description:
Build and deployment pipelines must include automated vulnerability scanning steps to identify security flaws in source code, dependencies, container images, and other build artifacts. This proactive approach helps detect and remediate vulnerabilities early in the development lifecycle before production deployment.
Rationale:
Automated scanning in pipelines reduces the risk of deploying vulnerable software by providing continuous security assessment. It supports compliance with security standards, improves software quality, and enables rapid response to newly discovered threats.
Impact:
Pros:
Identifies vulnerabilities early, reducing remediation costs.
Supports continuous security and compliance.
Enhances overall software quality and security posture.
Facilitates integration of security into DevOps (DevSecOps).
Cons:
May increase build time and resource consumption.
Requires configuration and maintenance of scanning tools.
Default value:
Many pipelines lack integrated automated vulnerability scanning by default.
Audit:
Review pipeline configurations and logs for evidence of automated scanning. Verify that identified vulnerabilities are tracked and addressed.
Remediation:
Integrate static application security testing (SAST), software composition analysis (SCA), and container scanning tools into pipelines. Define policies for vulnerability thresholds and remediation timelines. Educate development teams on security best practices.
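One way to enforce the vulnerability-threshold and remediation-timeline policy described above is a gate step that runs after the scanners and fails the pipeline when results breach policy. The following is an added example, not code from this benchmark or from any scanner; the report format, finding ids, package names and dates are constructed for illustration.

```python
"""Pipeline policy gate for vulnerability scan results (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample report, loosely modelled on what an SCA or container
# scanner emits after normalisation. Ids and packages are placeholders.
SAMPLE_FINDINGS = [
    {"id": "EXAMPLE-0001", "severity": "CRITICAL", "package": "libexample", "fixed_in": "1.2.4"},
    {"id": "EXAMPLE-0002", "severity": "HIGH", "package": "demo-parser", "fixed_in": None},
    {"id": "EXAMPLE-0003", "severity": "HIGH", "package": "demo-parser", "fixed_in": "2.0.1"},
    {"id": "EXAMPLE-0004", "severity": "LOW", "package": "toolkit", "fixed_in": "0.9"},
]

@dataclass
class Policy:
    """Threshold policy: which severities block, how many of each are
    tolerated, and time-boxed risk acceptances with a remediation deadline."""
    blocking_severities: tuple = ("CRITICAL", "HIGH")
    max_allowed: Optional[dict] = None   # e.g. {"HIGH": 1} tolerates one HIGH
    exceptions: Optional[dict] = None    # finding id -> deadline (date)

def evaluate(findings, policy, today):
    """Return (passed, blocking_ids, expired_exception_ids).

    A finding under an exception is ignored until its deadline passes; after
    that it counts again, so an accepted risk cannot silently become permanent.
    """
    max_allowed = policy.max_allowed or {}
    exceptions = policy.exceptions or {}
    counts, blocking, expired = {}, [], []
    for f in findings:
        sev = f["severity"].upper()
        if sev not in policy.blocking_severities:
            continue
        deadline = exceptions.get(f["id"])
        if deadline is not None:
            if today <= deadline:
                continue  # accepted risk, still inside the remediation window
            expired.append(f["id"])
        counts[sev] = counts.get(sev, 0) + 1
        if counts[sev] > max_allowed.get(sev, 0):
            blocking.append(f["id"])
    return (not blocking, blocking, expired)

if __name__ == "__main__":
    policy = Policy(max_allowed={"HIGH": 1}, exceptions={"EXAMPLE-0001": date(2024, 1, 31)})
    passed, blocking, expired = evaluate(SAMPLE_FINDINGS, policy, date(2024, 2, 15))
    print("gate passed" if passed else f"gate failed: {blocking} (expired exceptions: {expired})")
    raise SystemExit(0 if passed else 1)
```

Exit status 1 from the gate is what makes the CI job fail, which is the evidence an auditor can look for in pipeline logs.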
References:
OWASP DevSecOps Guidelines: https://owasp.org/www-project-devsecops-guideline/
GitLab Security Scanning: https://docs.gitlab.com/ee/user/application_security/
CIS Controls v8, Control 6 - Maintenance, Monitoring, and Analysis of Audit Logs: https://www.cisecurity.org/controls/maintenance-monitoring-and-analysis-of-audit-logs/