Profile Applicability:
 Level 1

Description:
 All users must authenticate before gaining access to build environments, including build servers, build agents, and the web and API interfaces through which they are administered. Authentication mechanisms such as usernames and passwords, multi-factor authentication (MFA), or integration with a centralized identity provider should be implemented to verify user identities; a local username and password is the minimum, and MFA or federation with the organization's identity provider is preferred. Non-human identities (build agents, deployment automation) should authenticate with their own credentials or tokens rather than through shared user accounts, so that their actions remain attributable.

Rationale:
 Requiring authentication ensures that only authorized individuals can access the build environment, protecting against unauthorized access, tampering, and potential compromise of the software build process. It supports accountability and compliance with security policies.

Impact:
 Pros:

  • Prevents unauthorized access to build environments.

  • Enhances security by verifying user identities.

  • Supports audit and compliance requirements.

  • Enables traceability of user actions.

 Cons:

  • A misconfigured identity-provider integration or an expired credential can lock out users and automation until it is corrected, stalling builds.

  • Requires management of authentication infrastructure and credentials, including the credentials issued to build agents and automation.

Default value:
 Some build environments allow anonymous or unauthenticated access by default, or expose an unauthenticated read-only view of jobs, build logs, and artifacts. Either posture is a security risk: build logs routinely reveal internal hostnames, dependency sources, and build parameters, and occasionally contain secrets echoed by misconfigured build steps.

Audit:
 Review the build server's security configuration to confirm that anonymous access is disabled and that the authentication realm points at the approved identity provider rather than a local user database. Review access logs for requests attributed to an anonymous or shared identity. Then test the control directly: from a host holding no session or credentials, request the web interface and the API endpoints and confirm that the server answers with 401 or 403 (or a redirect to the login page) rather than content. Repeat for agent-to-server connections: an agent presenting no valid agent credential must be refused.
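 The direct access test described above, as an added example that is not part of the benchmark text: a Python script that sends unauthenticated GET requests to a list of endpoints, refuses to follow redirects so that a bounce to a login page is reported separately from a 401/403, and flags any endpoint that serves content. The endpoint paths and the built-in stand-in server are constructed for the demonstration so the script runs offline; point `audit_endpoints` at the real base URL and the real server's paths when auditing an actual build environment.

```python
"""Unauthenticated-access probe for a build server.

Added example, not part of the benchmark. The stand-in server and the
endpoint paths below are constructed for the demonstration; substitute
the real base URL and paths when auditing an actual build environment.
"""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError, URLError
from urllib.request import HTTPRedirectHandler, Request, build_opener


class _NoRedirect(HTTPRedirectHandler):
    """Surface 3xx responses instead of silently following them: a redirect
    to a login page is weaker evidence than a 401/403 and needs review."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = build_opener(_NoRedirect())


def probe_unauthenticated(url, timeout=5):
    """Return the status an anonymous GET receives, or None on a network error."""
    req = Request(url, headers={"User-Agent": "build-auth-audit/1.0"})
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return resp.status
    except HTTPError as e:  # 3xx/4xx/5xx arrive as exceptions from urllib
        return e.code
    except URLError:
        return None


def classify(status):
    """Translate an HTTP status into an audit verdict for an anonymous caller."""
    if status is None:
        return "error"
    if status in (401, 403):
        return "enforced"
    if 300 <= status < 400:
        return "redirect"      # probably a login page; confirm the Location target
    if 200 <= status < 300:
        return "OPEN"          # content served without credentials
    return f"other:{status}"   # e.g. 404 or 500: inconclusive, check by hand


def audit_endpoints(base_url, paths):
    """Map each path to its verdict for an unauthenticated caller."""
    return {p: classify(probe_unauthenticated(base_url + p)) for p in paths}


def findings(results):
    """Paths reachable without credentials; an empty list means the control passes."""
    return sorted(p for p, v in results.items() if v == "OPEN")


# --- constructed stand-in for a build server (not a real product) ----------
class _FakeBuildServer(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == "/api/json":                  # enforces authentication
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="build"')
            self.end_headers()
        elif self.path == "/":                        # bounces to a login page
            self.send_response(302)
            self.send_header("Location", "/login")
            self.end_headers()
        elif self.path == "/job/release/lastBuild/consoleText":  # left open
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(b"Started by anonymous\n")
        else:
            self.send_response(404)
            self.end_headers()

    def log_message(self, fmt, *args):  # keep the demo output quiet
        pass


def start_fake_server():
    """Bind an ephemeral localhost port and serve in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), _FakeBuildServer)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


# Constructed sample paths: the ones a real audit would list are server-specific.
SAMPLE_PATHS = ["/", "/api/json", "/job/release/lastBuild/consoleText", "/missing"]

if __name__ == "__main__":
    srv, base = start_fake_server()
    results = audit_endpoints(base, SAMPLE_PATHS)
    for path, verdict in results.items():
        print(f"{verdict:>10}  {base}{path}")
    print("FAIL" if findings(results) else "PASS")
    srv.shutdown()
```

 A "redirect" verdict is deliberately not counted as a pass: follow the Location header by hand and confirm it lands on the identity provider's login page, not on an unauthenticated landing page that still exposes job names. Run the probe from a network position with no cached session (a fresh container or a host outside the SSO-joined network) so that transparent proxy or Kerberos authentication cannot mask an open endpoint.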

Remediation:
 Disable anonymous access on build servers and agents. Integrate the build environment with the organization's centralized identity management system (single sign-on via SAML or OpenID Connect) so that accounts, MFA enforcement, and deprovisioning are managed in one place rather than in per-server local user databases. Require MFA for interactive logins, at minimum for administrators. Issue build agents and automation their own credentials or tokens instead of reusing user accounts, and rotate them on a schedule. Train users and administrators on secure authentication practices.

References:

  1. CIS Controls v8, Control 5 - Account Management: https://www.cisecurity.org/controls/account-management/

  2. NIST SP 800-63B - Digital Identity Guidelines: https://pages.nist.gov/800-63-3/sp800-63b.html

  3. OWASP Secure Build Processes: https://owasp.org/www-project-secure-build-processes/