Profile Applicability:
Level 1
Description:
Build workers should be configured with only the minimum network connectivity their work requires. Limiting network access reduces the attack surface and prevents unauthorized communication that could compromise build integrity or leak sensitive information.
Rationale:
Minimizing network connectivity mitigates risks from lateral movement, data exfiltration, and external attacks targeting build infrastructure. It enforces the principle of least privilege at the network level, enhancing the overall security posture of the build environment.
Impact:
Pros:
Reduces attack surface and exposure to threats.
Prevents unauthorized data transfer or intrusion.
Supports network segmentation and isolation best practices.
Enhances compliance with security policies.
Cons:
May require careful network design and maintenance.
Could impact legitimate communication if not properly configured.
Default value:
Build workers often have broader network access by default, increasing risk.
Audit:
Review network policies, firewall rules, and access control lists governing build worker connectivity. Verify that connections are limited to essential endpoints only.
Remediation:
Implement network segmentation, firewalls, and access controls to restrict build worker communications. Regularly review and update network configurations. Educate teams on secure network architecture principles.
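The following script, added here as an illustration and not part of the benchmark text, shows one way to carry out the audit and remediation steps above in code. It models a worker's egress rules as simple destination/port entries (a simplified stand-in for firewall rules or Kubernetes NetworkPolicy egress entries), flags rules that are overly broad or reach endpoints outside the essential list, reports essential endpoints that are unreachable, and produces the minimal allowlist that remediation should end with. The endpoint names, addresses, ports and the sample rule sets are constructed assumptions, not values from this document.

```python
import ipaddress

# Constructed example (assumption): the only endpoints a build worker in this
# environment legitimately needs. Addresses and ports are illustrative.
ESSENTIAL_ENDPOINTS = {
    "dns-resolver": ("10.0.0.10/32", 53),
    "source-repo": ("10.20.0.5/32", 443),
    "artifact-registry": ("10.20.0.6/32", 443),
}

# Constructed "default" egress policy as commonly found on an unhardened worker:
# any destination, any port.
DEFAULT_EGRESS = [
    {"dst": "0.0.0.0/0", "port": None},
]

# Constructed policy that was tightened by hand but still contains mistakes.
PARTIAL_EGRESS = [
    {"dst": "10.0.0.10/32", "port": 53},
    {"dst": "10.20.0.0/16", "port": 443},   # too broad: a whole /16 instead of two hosts
    {"dst": "203.0.113.7/32", "port": 22},  # not on the essential list
]


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def is_overly_broad(rule, max_hosts=1):
    """A rule is broad if it leaves the port open or spans more than max_hosts addresses."""
    return rule["port"] is None or _net(rule["dst"]).num_addresses > max_hosts


def audit_egress(rules, essential=ESSENTIAL_ENDPOINTS):
    """Return audit findings as (severity, detail) tuples.

    BROAD      - rule reaches more than one host or any port
    UNEXPECTED - rule permits a destination not on the essential list
    MISSING    - an essential endpoint is not reachable under these rules
    """
    allowed = {(_net(cidr), port) for cidr, port in essential.values()}
    findings = []
    for rule in rules:
        port_text = "any" if rule["port"] is None else rule["port"]
        label = f'{rule["dst"]} port {port_text}'
        if is_overly_broad(rule):
            findings.append(("BROAD", label))
        elif (_net(rule["dst"]), rule["port"]) not in allowed:
            findings.append(("UNEXPECTED", label))
    # Reachability check: an endpoint is reachable if some rule's network
    # contains it and the rule's port is open or matches.
    for name, (cidr, port) in essential.items():
        reachable = any(
            _net(r["dst"]).supernet_of(_net(cidr)) and r["port"] in (None, port)
            for r in rules
        )
        if not reachable:
            findings.append(("MISSING", name))
    return findings


def minimal_egress(essential=ESSENTIAL_ENDPOINTS):
    """Remediation target: default-deny egress plus one host/port rule per essential endpoint."""
    return [{"dst": cidr, "port": port} for cidr, port in essential.values()]


if __name__ == "__main__":
    for title, rules in (("default", DEFAULT_EGRESS),
                         ("partial", PARTIAL_EGRESS),
                         ("minimal", minimal_egress())):
        print(title, audit_egress(rules) or "clean")
```

Run against the constructed rule sets, the default policy yields a single BROAD finding, the partially tightened policy yields one BROAD and one UNEXPECTED finding, and the minimal allowlist is clean; a rule set that omits an endpoint yields MISSING findings, which is the signal that the remediation went too far and would break legitimate communication.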
References:
CIS Controls v8, Control 14 - Controlled Access Based on the Need to Know: https://www.cisecurity.org/controls/controlled-access-based-on-the-need-to-know/
NIST SP 800-125 - Guide to Security for Full Virtualization Technologies: https://csrc.nist.gov/publications/detail/sp/800-125/final
OWASP DevSecOps Guidelines: https://owasp.org/www-project-devsecops-guideline/