Profile Applicability:
Level 1
Description:
All outputs generated by build or deployment pipelines—such as artifacts, logs, and reports—must be stored in dedicated, secured storage repositories that are separate from source code and pipeline configuration files. This separation safeguards outputs from unauthorized access or tampering.
Rationale:
Isolating pipeline outputs enhances security by limiting exposure to sensitive data, preventing accidental overwrites, and enabling stricter access controls. It supports integrity, confidentiality, and auditability of build artifacts and related data.
Impact:
Pros:
Protects artifacts and logs from unauthorized modification or access.
Enables focused access control policies on output data.
Improves traceability and audit capabilities.
Supports compliance with security and data protection regulations.
Cons:
May require additional storage management and costs.
Introduces complexity in storage configuration and maintenance.
Default value:
Outputs may be stored alongside source or pipeline files without segregation, increasing risk.
Audit:
Verify storage locations for build outputs are separate and secured. Review access controls and encryption settings on output repositories. Check logs for unauthorized access attempts.
Remediation:
Configure pipelines to write outputs to isolated storage with strict permissions. Use encryption at rest and in transit. Document storage policies and train relevant teams.
References:
OWASP Secure Storage Guidelines: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Storage_Cheat_Sheet.html
CIS Controls v8, Control 14 - Controlled Access Based on the Need to Know: https://www.cisecurity.org/controls/controlled-access-based-on-the-need-to-know/
NIST SP 800-53 AC-3 Access Enforcement: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final