Profile Applicability:
Level 1

Description:
Build and deployment pipelines must include automated scanning tools that detect misconfigurations in infrastructure-as-code, container settings, cloud resources, and application configurations. This proactive scanning helps identify and remediate configuration issues early, reducing security risks and operational errors.

Rationale:
Misconfigurations are a common source of security vulnerabilities and operational failures. Automated detection within pipelines ensures consistent enforcement of configuration standards, supports compliance requirements, and enhances the overall security posture of the software and infrastructure.

Impact:
Pros:

  • Early identification and remediation of misconfigurations.

  • Reduces risk of security breaches and outages.

  • Supports compliance with organizational and regulatory policies.

  • Facilitates continuous configuration management and security.

Cons:

  • May increase pipeline execution time.

  • Requires integration and tuning of scanning tools to reduce false positives.

Default value:
Many pipelines do not perform automated misconfiguration scanning by default.

Audit:
Review pipeline configurations and scan reports to confirm that misconfiguration scanning is present and effective (scans run on every build, cover the relevant IaC, container, cloud, and application configuration files, and fail the pipeline when policy thresholds are exceeded). Check incident and pipeline logs for issues that were identified and resolved.

Remediation:
Integrate tools such as Checkov, Terraform Validator, or AWS Config into pipelines. Define policies and thresholds for acceptable configurations, including which findings must block a deployment. Train teams to interpret scan results and carry out remediation.
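As an added illustration of the "policies and thresholds" step (not part of this benchmark text or of Checkov itself), the following pipeline gate consumes Checkov's JSON report and fails the build when a blocking check fails, when non-blocking findings exceed a threshold, or when a file could not be parsed. The gate policy, the resource names and the sample report are constructed for the example; the check IDs are real Checkov checks.

```python
"""Threshold gate over a Checkov JSON report (checkov -d . -o json)."""
import json
import sys
from dataclasses import dataclass, field

BLOCKING_CHECKS = {"CKV_AWS_20"}  # hypothetical policy: S3 ACL allowing public READ is never tolerated

@dataclass
class GateResult:
    passed: bool
    failed_total: int
    blocking_hits: list = field(default_factory=list)
    reasons: list = field(default_factory=list)

def evaluate(raw_json, blocking=BLOCKING_CHECKS, max_failures=0):
    """Fail closed: blocking hits, too many other findings, or unparsed files block."""
    data = json.loads(raw_json)
    reports = data if isinstance(data, list) else [data]  # list when >1 framework scanned
    failed_total, parse_errors, blocking_hits = 0, 0, []
    for rep in reports:
        results = rep.get("results", {})
        parse_errors += len(results.get("parsing_errors", []))  # files Checkov could not scan
        for chk in results.get("failed_checks", []):
            failed_total += 1
            if chk.get("check_id") in blocking:
                blocking_hits.append(f'{chk.get("resource")}:{chk["check_id"]}')
    reasons = []
    if parse_errors:
        reasons.append(f"{parse_errors} file(s) could not be parsed, so their config is unverified")
    if blocking_hits:
        reasons.append("blocking checks failed: " + ", ".join(blocking_hits))
    if (others := failed_total - len(blocking_hits)) > max_failures:
        reasons.append(f"{others} non-blocking failures exceed threshold of {max_failures}")
    return GateResult(not reasons, failed_total, blocking_hits, reasons)

# Constructed sample shaped like a Checkov terraform report (not real scan output).
SAMPLE_REPORT = json.dumps({"check_type": "terraform", "results": {
    "passed_checks": [{"check_id": "CKV_AWS_145", "resource": "aws_s3_bucket.logs"}],
    "failed_checks": [
        {"check_id": "CKV_AWS_18", "resource": "aws_s3_bucket.logs", "file_path": "/main.tf"},
        {"check_id": "CKV_AWS_21", "resource": "aws_s3_bucket.logs", "file_path": "/main.tf"},
        {"check_id": "CKV_AWS_20", "resource": "aws_s3_bucket.logs", "file_path": "/main.tf"}],
    "skipped_checks": [], "parsing_errors": []}})

if __name__ == "__main__":  # usage: python gate.py report.json (exit 1 blocks the pipeline)
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    gate = evaluate(raw)
    for reason in gate.reasons:
        print("GATE:", reason)
    sys.exit(0 if gate.passed else 1)
```

Tuning the threshold and the blocking set per repository is where the false-positive burden mentioned under Cons is managed, without silencing the checks that must never pass.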

References:

  1. Checkov - Infrastructure-as-Code Scanning: https://www.checkov.io/

  2. CIS Controls v8, Control 4 - Secure Configuration of Enterprise Assets and Software: https://www.cisecurity.org/controls/secure-configuration-of-enterprise-assets-and-software/

  3. OWASP DevSecOps Guidelines: https://owasp.org/www-project-devsecops-guideline/