Profile Applicability:
Level 1
Description:
Responsibilities and privileges of build workers must be clearly segregated to prevent conflicts of interest and reduce risks of unauthorized or malicious activities. Segregation of duties ensures that no single build worker has control over all critical stages of the build and release process.
Rationale:
Separating duties among build workers mitigates insider threats, errors, and fraud by distributing responsibilities such as code integration, build execution, and deployment approval. This control enhances accountability, transparency, and compliance with security policies.
Impact:
Pros:
Reduces risk of unauthorized or malicious actions.
Increases accountability and oversight.
Supports compliance with regulatory and organizational standards.
Enhances overall build process security.
Cons:
May require additional personnel and coordination.
Could introduce operational complexity.
Default value:
Build worker duties may overlap or lack clear segregation in some environments.
Audit:
Review role definitions, access controls, and task assignments of build workers. Verify enforcement of duty segregation policies.
Remediation:
Define and implement role-based access control (RBAC) separating build duties. Establish approval workflows requiring multiple personnel for critical actions. Train teams on segregation policies and monitor compliance.
References:
CIS Controls v8, Control 4 - Controlled Use of Administrative Privileges: https://www.cisecurity.org/controls/controlled-use-of-administrative-privileges/
NIST SP 800-53 AC-5 - Separation of Duties: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
OWASP DevSecOps Guidelines: https://owasp.org/www-project-devsecops-guideline/