Profile Applicability:
 Level 1

Description:
 Access to build environments must be restricted to authorized users and systems only. This includes limiting permissions for build servers, agents, configuration files, and related resources to reduce the risk of unauthorized changes, tampering, or data leakage during the build process.

Rationale:
 Limiting access enforces the principle of least privilege, protecting the integrity and confidentiality of build environments. It reduces the attack surface, helps prevent insider threats, and ensures that only trusted personnel can influence the build process.

Impact:
 Pros:

  • Protects build integrity and confidentiality.

  • Minimizes risk of unauthorized or malicious modifications.

  • Supports compliance with security policies and standards.

  • Enhances accountability and auditability.

 Cons:

  • Requires proper access management and monitoring.

  • May complicate access for legitimate users if overly restrictive.

Default value:
 Build environments may have broad or poorly managed access by default, increasing security risks.

Audit:
 Review access control policies and permissions for build environment resources. Check access logs and audit trails for unauthorized access attempts.
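
 One way to script this audit, as an added example that is not part of the original benchmark: it compares current grants against an approved list, flags build-modifying access without MFA, and counts repeated denied attempts in an access log. The role names, record layout, log format and all sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

RANK = {"read": 0, "write": 1, "admin": 2}  # assumed role model, not from the page

@dataclass(frozen=True)
class Grant:
    principal: str
    resource: str  # build server, agent pool, pipeline config, ...
    role: str      # "read", "write" or "admin"
    mfa: bool      # account has MFA enforced

def audit_grants(grants, authorized):
    """authorized maps resource -> {principal: highest role allowed}."""
    findings = []
    for g in grants:
        allowed = authorized.get(g.resource, {}).get(g.principal)
        if allowed is None:
            findings.append((g.principal, g.resource, "not authorized"))
        elif RANK[g.role] > RANK[allowed]:
            findings.append((g.principal, g.resource, f"{g.role} exceeds {allowed}"))
        if RANK[g.role] >= RANK["write"] and not g.mfa:
            findings.append((g.principal, g.resource, "can modify build without MFA"))
    return findings

def denied_attempts(log_lines, threshold=3):
    """Return {(user, resource): count} for repeated DENY events."""
    counts = {}
    for line in log_lines:
        f = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        if f.get("result") == "DENY":
            key = (f.get("user", "?"), f.get("resource", "?"))
            counts[key] = counts.get(key, 0) + 1
    return {k: n for k, n in counts.items() if n >= threshold}

# Constructed sample data, not taken from any real system.
AUTHORIZED = {
    "build-server-01": {"alice": "admin", "ci-bot": "write"},
    "pipeline.yml": {"alice": "write", "bob": "read"},
}
GRANTS = [
    Grant("alice", "build-server-01", "admin", True),
    Grant("ci-bot", "build-server-01", "admin", True),   # exceeds write
    Grant("bob", "pipeline.yml", "write", False),        # exceeds read, no MFA
    Grant("contractors", "pipeline.yml", "read", True),  # not on the approved list
]
LOG = [f"2024-05-01T10:0{i}:00Z user=dave resource=build-server-01 result=DENY"
       for i in range(3)] + ["2024-05-01T11:00:00Z user=alice resource=pipeline.yml result=ALLOW"]

if __name__ == "__main__":
    print(audit_grants(GRANTS, AUTHORIZED), denied_attempts(LOG))
```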

Remediation:
 Implement role-based access controls (RBAC) and enforce multi-factor authentication (MFA) for access. Regularly review and update access permissions. Train staff on secure access procedures.

References:

  1. CIS Controls v8, Control 5 - Account Management: https://www.cisecurity.org/controls/account-management/

  2. NIST SP 800-53 AC-6 - Least Privilege: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final

  3. OWASP Secure Build Processes: https://owasp.org/www-project-secure-build-processes/