Profile Applicability:
Level 1

Description:
Build worker environments, including their operating systems, software, and dependencies, must be regularly and automatically scanned for security vulnerabilities. Automated scanning helps identify weaknesses that could be exploited to compromise the build process or the software supply chain.

Rationale:
Automated vulnerability scanning of build workers reduces the risk of attacks that originate from compromised or misconfigured build infrastructure. Early detection and remediation improve overall security posture and ensure the integrity of the software build pipeline.

Impact:
Pros:

  • Enhances security of build infrastructure.

  • Identifies vulnerabilities proactively.

  • Supports compliance with security policies and standards.

  • Helps prevent supply chain attacks.

Cons:

  • Requires integration and maintenance of scanning tools.

  • May increase resource usage and operational overhead.

Default value:
Build workers may not be routinely scanned for vulnerabilities by default.

Audit:
Review vulnerability scanning reports and schedules for build workers. Verify that identified issues are tracked and remediated in a timely manner.

Remediation:
Integrate vulnerability scanning tools (e.g., Nessus, OpenVAS, Qualys) into build infrastructure management. Automate regular scans and enforce remediation workflows. Train infrastructure teams on vulnerability management.
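The Audit and Remediation steps above amount to two checks per build worker: has it been scanned within the required interval, and are open findings being remediated within the agreed timeframe? The following added example (not part of this benchmark or of any scanner product) applies both checks to a constructed, hypothetical set of scan records; the record layout, the 7-day scan interval and the per-severity remediation SLAs are assumptions to be replaced with the organization's own policy values.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records in a hypothetical export format (not a real scanner's schema).
SCAN_RECORDS = [
    {"worker": "build-worker-01", "last_scan": "2024-05-01T02:00:00Z",
     "findings": [{"id": "F-1", "severity": "critical", "opened": "2024-04-20T00:00:00Z", "status": "open"}]},
    {"worker": "build-worker-02", "last_scan": "2024-04-01T02:00:00Z", "findings": []},
    {"worker": "build-worker-03", "last_scan": "2024-05-02T02:00:00Z",
     "findings": [{"id": "F-2", "severity": "low", "opened": "2024-04-01T00:00:00Z", "status": "open"},
                  {"id": "F-3", "severity": "high", "opened": "2024-04-30T00:00:00Z", "status": "remediated"}]},
    {"worker": "build-worker-04", "last_scan": None, "findings": []},  # never scanned
]

# Assumed policy values: scan at least weekly; remediate open findings within these windows.
MAX_SCAN_AGE = timedelta(days=7)
SLA = {"critical": timedelta(days=7), "high": timedelta(days=30),
       "medium": timedelta(days=90), "low": timedelta(days=180)}
NOW = datetime(2024, 5, 3, tzinfo=timezone.utc)  # fixed "now" so the output is reproducible


def _ts(value):
    """Parse an ISO-8601 UTC timestamp; 'Z' is rewritten for older Python versions."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_build_workers(records, now=NOW, max_scan_age=MAX_SCAN_AGE, sla=SLA):
    """Return workers whose last scan is too old (or missing) and open findings past their SLA."""
    stale, overdue = [], []
    for rec in records:
        # A worker with no scan on record is treated as stale, not silently skipped.
        if rec["last_scan"] is None or now - _ts(rec["last_scan"]) > max_scan_age:
            stale.append(rec["worker"])
        for finding in rec["findings"]:
            if finding["status"] != "open":
                continue  # only unremediated findings count against the SLA
            age = now - _ts(finding["opened"])
            # Unknown severities fall back to the strictest window rather than being ignored.
            limit = sla.get(finding["severity"].lower(), sla["critical"])
            if age > limit:
                overdue.append((rec["worker"], finding["id"], finding["severity"], age.days))
    return {"stale_workers": stale, "overdue_findings": overdue}


if __name__ == "__main__":
    result = audit_build_workers(SCAN_RECORDS)
    print("Workers with stale or missing scans:", result["stale_workers"])
    for worker, fid, sev, days in result["overdue_findings"]:
        print(f"{worker}: finding {fid} ({sev}) open for {days} days, past SLA")
```

Feeding real scanner exports into this check turns the audit into something that can run on a schedule and fail loudly, which is the enforcement the Remediation step calls for.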

References:

  1. CIS Controls v8, Control 7 - Continuous Vulnerability Management: https://www.cisecurity.org/controls/continuous-vulnerability-management/

  2. OWASP DevSecOps Guidelines: https://owasp.org/www-project-devsecops-guideline/

  3. NIST SP 800-40 Revision 3: Guide to Enterprise Patch Management Technologies: https://csrc.nist.gov/publications/detail/sp/800-40/rev-3/final