Profile Applicability:
Level 1
Description:
The build infrastructure—including build servers, agents, container hosts, and related components—must undergo automated vulnerability scanning regularly. This ensures timely identification of security weaknesses that could be exploited to compromise the build process or artifacts.
Rationale:
Automated vulnerability scanning helps maintain the security and integrity of build environments by detecting known vulnerabilities and configuration issues early. Securing the build infrastructure is critical to safeguarding the software supply chain and preventing the introduction of compromised artifacts.
Impact:
Pros:
Enables proactive identification and remediation of vulnerabilities.
Enhances the overall security posture of the build environment.
Supports compliance with security standards and audit requirements.
Reduces risk of supply chain attacks.
Cons:
May require additional resources and tooling investments.
Potential for false positives needing manual review.
Default value:
Many organizations lack regular automated scanning of build infrastructure, leaving gaps in security.
Audit:
Review vulnerability scan reports and schedules for build infrastructure components. Verify remediation of identified issues. Check configurations of scanning tools and access controls.
Remediation:
Deploy and configure automated vulnerability scanners (e.g., Nessus, Qualys, OpenVAS) targeting build infrastructure. Establish regular scanning intervals and integrate findings into patch management workflows. Train operations and security teams on scanning processes.
References:
CIS Controls v8, Control 7 - Continuous Vulnerability Management: https://www.cisecurity.org/controls/continuous-vulnerability-management/
NIST SP 800-115 Technical Guide to Information Security Testing and Assessment: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf
OWASP DevSecOps Practices: https://owasp.org/www-project-devsecops-guideline/