Profile Applicability:
Level 1
Description:
Build worker environments must enforce run-time security measures such as process isolation, least privilege execution, integrity monitoring, and real-time threat detection. These controls help protect build systems from unauthorized access, malicious activities, and compromise during the build process.
Rationale:
Enforcing run-time security for build workers mitigates risks of insider threats, supply chain attacks, and exploitation of build infrastructure vulnerabilities. It ensures that build processes execute in a secure context, maintaining the integrity and trustworthiness of software builds.
Impact:
Pros:
Protects build infrastructure from compromise.
Detects and prevents malicious activities in real time.
Supports compliance with security policies and standards.
Enhances overall software supply chain security.
Cons:
May introduce performance overhead.
Requires deployment and maintenance of security monitoring tools.
Default value:
Run-time security controls may be minimal or absent on build workers by default.
Audit:
Review security configurations and logs on build worker hosts for run-time protections. Verify alerts and responses to security events.
Remediation:
Deploy host-based security tools such as Endpoint Detection and Response (EDR), integrity checkers, and sandboxing technologies. Enforce least privilege and process controls. Train operations teams on monitoring and incident response.
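As an added example covering the Audit step above and the "least privilege and process controls" part of the remediation, the POSIX shell helper below (written for this page, not part of the benchmark or any vendor tooling) reads a Linux /proc/<pid>/status file for a build-agent process and reports whether it runs as root, holds effective capabilities, lacks no_new_privs, or has no seccomp filter; the build-agent name and the two sample status files are constructed assumptions.

```shell
#!/bin/sh
# Least-privilege / process-control audit of a build-agent process, driven by
# the fields of /proc/<pid>/status. Hypothetical helper for a build worker host.

# status_field FILE KEY: print the value of the "KEY:" line from a status file.
status_field() {
    awk -v k="$2:" '$1 == k { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# audit_status FILE: print one finding per line (FAIL = violates least privilege,
# WARN = hardening missing). Returns the number of FAIL findings.
audit_status() {
    f="$1"; fails=0
    euid=$(status_field "$f" Uid | awk '{ print $2 }')   # Uid: real effective saved fs
    if [ "$euid" = "0" ]; then
        echo "FAIL: effective uid 0 (build agent runs as root)"; fails=$((fails + 1))
    fi
    cap=$(status_field "$f" CapEff)                      # hex bitmask of effective capabilities
    case "$cap" in
        *[1-9a-fA-F]*) echo "FAIL: effective capabilities not empty (CapEff=$cap)"; fails=$((fails + 1)) ;;
    esac
    [ "$(status_field "$f" NoNewPrivs)" = "1" ] || echo "WARN: no_new_privs not set (setuid escalation possible)"
    sec=$(status_field "$f" Seccomp)                     # 0 = disabled, 1 = strict, 2 = filter
    [ -n "$sec" ] && [ "$sec" != "0" ] || echo "WARN: no seccomp filter (syscalls unrestricted)"
    return "$fails"
}

# Constructed sample: a hardened build agent (non-root, no caps, no_new_privs, seccomp filter).
GOOD=$(mktemp); printf 'Name:\tbuild-agent\nUid:\t1001\t1001\t1001\t1001\nCapEff:\t0000000000000000\nNoNewPrivs:\t1\nSeccomp:\t2\n' > "$GOOD"
# Constructed sample: the same agent started as root with a full capability set and no hardening.
BAD=$(mktemp); printf 'Name:\tbuild-agent\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\nNoNewPrivs:\t0\nSeccomp:\t0\n' > "$BAD"

for f in "$GOOD" "$BAD"; do
    echo "== $f"; audit_status "$f" || echo "$? FAIL finding(s)"
done
rm -f "$GOOD" "$BAD"
# On a live Linux build worker: audit_status /proc/<agent-pid>/status
```

Any FAIL line is evidence against the least-privilege requirement; WARN lines point at missing process controls that sandboxing or the agent's service unit should supply.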
References:
CIS Controls v8, Control 8 - Audit Log Management: https://www.cisecurity.org/controls/audit-log-management/
NIST SP 800-125B - Secure Virtual Network Deployment: https://csrc.nist.gov/publications/detail/sp/800-125b/final
OWASP DevSecOps Guidelines: https://owasp.org/www-project-devsecops-guideline/