Profile Applicability:
 Level 1

Description:
 All contributors who submit new code to repositories must use Multi-Factor Authentication (MFA) when authenticating to the version control system. MFA requires a second verification factor in addition to the password, so a stolen, guessed or phished password alone is no longer enough to gain access to an account that can push code, reducing the risk of unauthorized code changes.

Rationale:
 Requiring MFA for code contributors reduces the risk that a compromised password leads to unauthorized commits, protecting the integrity of the software development lifecycle: an attacker holding a leaked password would also need the contributor's second factor before they could push code. It supports secure access control practices and aligns with security frameworks such as the CIS Controls and with common compliance requirements.

Impact:
 Pros:

  • Strengthens authentication for code repositories; a leaked or phished password alone no longer grants push access.

  • Reduces the risk of unauthorized or malicious code changes.

  • Improves overall security posture and supports compliance.

 Cons:

  • Requires user training and support for MFA setup; on some platforms (for example GitHub organizations) turning on the requirement removes members and outside collaborators who have not yet set up MFA, so contributors need advance notice.

  • Adds a step at interactive sign-in, which may introduce minor delays; automation that pushes code must use tokens, deploy keys or bot accounts that are themselves enrolled in MFA or otherwise protected.

Default value:
 Version control platforms generally do not require MFA for contributors by default. GitHub organizations and GitLab groups both offer an owner-level setting that requires MFA for all members, but it is off until an owner enables it.

Audit:
 Verify that every account with commit or push rights has MFA enabled, including outside collaborators and bot or service accounts, not only regular organization members. On GitHub, organization owners can list members without 2FA from the organization's People page or via the REST API (GET /orgs/{org}/members?filter=2fa_disabled); on GitLab, administrators can filter users with 2FA disabled in the Admin Area or via GET /users?two_factor=disabled. Confirm that the platform's "require MFA" setting is enabled so accounts cannot fall back to password-only sign-in, and review authentication logs to confirm MFA is actually used at sign-in rather than merely enrolled.
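 The audit above as a script, added here as an example and not part of the benchmark or of either platform's tooling: it takes the commit list of a repository and the list of organization members with 2FA disabled, both in the shape returned by GitHub's REST API (GET /repos/{owner}/{repo}/commits and GET /orgs/{org}/members?filter=2fa_disabled), and reports contributors who pushed code without MFA. It also flags commits whose author is not linked to any account, because the MFA status of such a contributor cannot be verified at all. The sample data is constructed inline; the function names and the SHAs and logins in the sample are assumptions for illustration.

```python
"""Audit helper: find code contributors who lack MFA.

Added example, not benchmark or platform code. Input shapes assumed to match
GitHub's REST API:
  commits  - GET /repos/{owner}/{repo}/commits (list of commit objects)
  no_2fa   - GET /orgs/{org}/members?filter=2fa_disabled (list of user objects)
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample commits (logins and SHAs are made up). The top-level
# "author" is the linked platform account; it is None when the commit e-mail
# is not associated with any account (unverified address, mirror push, etc.).
# "commit.author" is the raw git author recorded in the commit itself.
SAMPLE_COMMITS = [
    {"sha": "a1b2c3", "author": {"login": "alice"},
     "commit": {"author": {"name": "Alice", "email": "alice@example.com"}}},
    {"sha": "d4e5f6", "author": {"login": "bob"},
     "commit": {"author": {"name": "Bob", "email": "bob@example.com"}}},
    {"sha": "0a1b2c", "author": None,
     "commit": {"author": {"name": "ci-bot", "email": "ci@example.com"}}},
    {"sha": "9f8e7d", "author": {"login": "alice"},
     "commit": {"author": {"name": "Alice", "email": "alice@example.com"}}},
]

# Constructed sample of organization members reported with 2FA disabled.
# "carol" has no commits in the sample, so she is outside this control's scope.
SAMPLE_NO_2FA = [{"login": "bob"}, {"login": "carol"}]


@dataclass
class AuditResult:
    contributors: set[str]          # accounts that authored at least one commit
    missing_mfa: set[str]           # contributors that appear in the no-2FA list
    unlinked_commits: list[str]     # SHAs with no linked account: MFA unverifiable
    compliant: bool = field(init=False)

    def __post_init__(self) -> None:
        # Unlinked commits count as a finding: the control cannot be shown to hold.
        self.compliant = not self.missing_mfa and not self.unlinked_commits


def audit_contributor_mfa(commits, no_2fa_members) -> AuditResult:
    """Intersect the set of commit authors with the set of accounts lacking 2FA."""
    contributors: set[str] = set()
    unlinked: list[str] = []
    for c in commits:
        author = c.get("author")
        if author and author.get("login"):
            contributors.add(author["login"])
        else:
            unlinked.append(c["sha"])
    no_2fa = {m["login"] for m in no_2fa_members}
    return AuditResult(contributors, contributors & no_2fa, unlinked)


def format_report(r: AuditResult) -> str:
    """Render the result as the kind of line-per-finding output an auditor files."""
    lines = [f"contributors checked: {len(r.contributors)}"]
    for login in sorted(r.missing_mfa):
        lines.append(f"FAIL: {login} pushed code but has 2FA disabled")
    for sha in r.unlinked_commits:
        lines.append(f"WARN: commit {sha} is not linked to an account; MFA status unknown")
    lines.append("RESULT: " + ("PASS" if r.compliant else "FAIL"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(audit_contributor_mfa(SAMPLE_COMMITS, SAMPLE_NO_2FA)))
```

 To run it against a live organization, replace the two constructed lists with the JSON returned by the two endpoints (for example collected with `gh api --paginate`). Note that the members endpoint only covers organization members; outside collaborators must be listed separately, which is why the script treats any author it cannot place as a finding rather than silently passing it.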

Remediation:
 Implement a policy requiring MFA for all users with code commit privileges, and enforce it technically rather than relying on the policy alone: enable the platform's organization-level requirement (GitHub: "Require two-factor authentication" under the organization's authentication security settings; GitLab: "Require all users in this group to set up two-factor authentication" in the group settings, optionally with a grace period) or enforce MFA at the identity provider that fronts the platform via SSO. Because enabling the requirement can remove accounts that have not yet enrolled, announce the change, allow a grace period and provide setup support before enforcement. Note that git operations over HTTPS and SSH authenticate with personal access tokens or SSH keys rather than the interactive login, so MFA protects the account that issues those credentials; review token scopes and expiry as part of the same remediation.

References:

  1. GitHub: Configuring two-factor authentication: https://docs.github.com/en/github/authenticating-to-github/configuring-two-factor-authentication

  2. GitLab: Two-factor authentication: https://docs.gitlab.com/ee/user/profile/account/two_factor_authentication.html

  3. CIS Controls v8, Safeguard 6.5 (Require MFA for Administrative Access): https://www.cisecurity.org/controls/multi-factor-authentication/