Framework/Configurations/SVT/ADO/ADO.CommonSVTControls.json
|
{
"FeatureName": "CommonSVTControls", "Reference": "aka.ms/azsktcp/commonsvtcontrols", "IsMaintenanceMode": false, "Controls": [ { "ControlID": "ADO_Repository_DP_Inactive_Repos", "Description": "Inactive repositories must be removed if no more required.", "Id": "Repository100", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckInactiveRepo", "Rationale": "Each additional repository being accessed by pipelines increases the attack surface. To minimize this risk ensure that only active and legitimate repositories are present in project.", "Recommendation": "To remove inactive repository, follow the steps given here: 1. Navigate to the project settings -> 2. Repositories -> 3. Select the repository and delete.", "Tags": [ "SDL", "TCP", "Automated", "DP", "Repository" ], "Enabled": true }, { "ControlID": "ADO_Repository_AuthZ_Dont_Grant_All_Pipelines_Access", "Description": "Do not make repository accessible to all (YAML) pipelines.", "Id": "Repository110", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckRepositoryPipelinePermission", "Rationale": "If a repository is granted access to all YAML pipelines, an unauthorized user can steal information from the repository by building a pipeline and accessing the repository. Note that this does not prevent classic pipelines from accessing the repository as it depends on the permissions granted to pipeline user.", "Recommendation": "1. Go to Project --> 2. Repositories --> 3. Select the repository --> 4. Security --> 5. Under 'Pipeline Permissions', remove YAML pipelines that repository no more requires access to or click 'Restrict Permission' to avoid granting access to all YAML pipelines. ", "Tags": [ "SDL", "TCP", "Automated", "AuthZ" ], "Enabled": true }, { "ControlID": "ADO_Repository_AuthZ_Dont_Grant_BuildSvc_Permission_On_Branch", "Description": "Do not grant build service groups excessive permissions on repository branches.", "Id": "Repository120", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckBuildServiceAccessOnBranch", "Rationale": "If 'Project Collection Build Service' or 'Project Build Service' groups have excessive permissions on important branches of a repository, then a malicious user can access the repository and tamper its contents by bypassing any defined policies.", "Recommendation": "1. Navigate to Project Settings. --> 2. Click on Repository under Repos. --> 3. Select your repository. --> 4. Click on 'Security'. --> 5. Click on 'All Branches' under 'Git refs permissions'. --> 6. Ensure 'Excessive' permissions of broader groups is not set to 'Allow'. Refer to detailed scan log (Repository.LOG) for broader groups and excessive permissions list. --> 5. Repeat this for any other groups for other individual branches that should not have excessive permissions.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "MSW", "AutomatedFix" ], "Enabled": true }, { "ControlID": "ADO_Feed_AuthZ_Restrict_Broader_Group_Access", "Description": "Do not allow a broad group of users to upload packages to feed.", "Id": "Feed100", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckBroaderGroupAccessOnFeeds", "Rationale": "If a broad group of users (e.g., Contributors) have permissions to upload package to feed, then integrity of your pipeline can be compromised by a malicious user who uploads a package.", "Recommendation": "1. Go to Project --> 2. Artifacts --> 3. Select Feed --> 4. Feed Settings --> 5. Permissions --> 6. Groups --> 7. Review users/groups which have administrator and contributor roles. Ensure broader groups have read-only access. Refer to detailed scan log (Feed.LOG) for broader group list.", "Tags": [ "SDL", "TCP", "AuthZ", "RBAC", "MSW", "AutomatedFix" ], "Enabled": true }, { "ControlID": "ADO_Feed_AuthZ_Dont_Grant_BuildSvcAcct_Permission", "Description": "Do not grant Build Service Account direct access to feed.", "Id": "Feed110", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckBuildSvcAccAccessOnFeeds", "Rationale": "Build service account is default identity used as part every build in project. Providing direct access to this common service account will expose feeds to all build definitions in the project.", "Recommendation": "1. Go to Project --> 2. Artifacts --> 3. Select Feed --> 4. Feed Settings --> 5. Permissions --> 6. Groups --> 7. Review Build service accounts should not have administrator/contributor/collaborator roles.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "MSW", "AutomatedFix" ], "Enabled": true }, { "ControlID": "ADO_Feed_SI_Review_Inactive_Feeds", "Description": "Inactive feeds must be removed if no more required.", "Id": "Feed120", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckForInactiveFeeds", "Rationale": "Each additional feed increases the attack surface. An attacker can abuse an inactive feed to start publishing packages that might seem useful to other devs but have trojan horses inside. For good security hygiene and to minimize this risk, ensure that only active and legitimate feeds are present in your environment.", "Recommendation": "1. Go to Project --> 2. Artifacts --> 3. Select Feed --> 4. Feed Settings --> 5. Delete Feed.", "Tags": [ "SDL", "Best Practice", "Automated", "SI", "AutomatedFix" ], "Enabled": true }, { "ControlID": "ADO_Feed_SI_Delete_Inactive_Packages", "Description": "Inactive packages must be removed if no more required.", "Id": "Feed130", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckForInactivePackages", "Rationale": "Each additional feed package increases the attack surface. An attacker can abuse an inactive package to start publishing updates to such packages that might seem useful to other devs but have trojan horses inside. For good security hygiene and to minimize this risk, ensure that only active and legitimate packages are present in your environment.", "Recommendation": "1. Go to Project --> 2. Artifacts --> 3. Select Feed --> 4. Feed Settings --> 5. Check the 'Enable package retention' option. --> 6. Under 'Days to keep recently downloaded packages', enter the number of days after which a package should be deleted if it is has not been downloaded. Make sure it is under the threshold days i.e. $($this.ControlSettings.FeedsAndPackages.ThreshHoldDaysForFeedsAndPackagesInactivity) days. Also keep the 'Maximum number of versions per package' less than $($this.ControlSettings.FeedsAndPackages.ThresholdPackagesPerFeed).", "Tags": [ "SDL", "Best Practice", "Automated", "SI" ], "Enabled": true }, { "ControlID": "ADO_SecureFile_AuthZ_Dont_Grant_All_Pipelines_Access", "Description": "Do not make secure files accessible to all (YAML) pipelines.", "Id": "SecureFile100", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckSecureFilesPermission", "Rationale": "If a secure file is granted access to all YAML pipelines, an unauthorized user can steal information from the secure files by building a YAML pipeline and accessing the secure file. Note that this does not prevent classic pipelines from accessing the secure file as it depends on the permissions granted to pipeline user.", "Recommendation": "1. Go to Project --> 2. Pipelines --> 3. Library --> 4. Secure Files --> 5. Select your secure file from the list --> 6. Click 'Pipeline Permissions', remove YAML pipelines that secure file no more requires access to or click 'Restrict Permission' to avoid granting access to all YAML pipelines. For classic pipeline review user permissions carefully.", "Tags": [ "SDL", "AuthZ", "Automated", "Best Practice", "MSW", "AutomatedFix" ], "Enabled": true }, { "ControlID": "ADO_SecureFile_AuthZ_Restrict_Broader_Group_Access", "Description": "Do not allow secure file to have excessive permissions for a broad group of users.", "Id": "SecureFile110", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckBroaderGroupAccessOnSecureFile", "Rationale": "If a broad group of users (e.g. Contributors) have excessive permissions on a secure file, A malicious user may gain access of stored secret/certificate which may open the door to malicious attack (e.g. SSH for accessing machine/server using these secret/certifcate).", "Recommendation": "1. Go to Project --> 2. Pipelines --> 3. Library --> 4. Secure Files --> 5. Select your secure file from the list --> 6. Click 'Security' --> 7. Review users/groups which have administrator and user roles. Ensure broader groups have read-only access. Refer to detailed scan log (SecureFile.LOG) for broader group list.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "MSW", "AutomatedFix" ], "Enabled": true }, { "ControlID": "ADO_SecureFile_AuthZ_Enable_Branch_Control", "Description": "Allow secure files to be accessed only by select branches.", "Id": "SecureFile120", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckBranchControlOnSecureFile", "Rationale": "Once a secure file is made accessible to a YAML pipeline, malicious users with contribute/'create branch' permissions on the repository will be able to access the secure file by queueing the pipeline from the branch they select even if they do not have access to the secure file. To prevent this ensure that the secure file can be accessed only from select branches (eg. 'main').", "Recommendation": "1. Navigate to the secure file --> 2. Click on 'Approvals and Checks' --> Create a branch control --> Provide the branches from which you would like the secure file to be accessed from. For additional protection, enable 'Verify branch protection'.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ" ], "Enabled": true }, { "ControlID": "ADO_SecureFile_DP_Review_Inactive_SecureFile", "Description": "Inactive secure files must be removed if no more required.", "Id": "SecureFile130", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckInactiveSecureFile", "Rationale": "Secure files can be used to store sensitive files such as SSH keys and signing certificates. Thus each inactive secure file can increase the exposure of such important information to a malicious user. To minimize this risk ensure that inactive secure files are proactively deleted.", "Recommendation": "1. Navigate to library --> 2. In the secure files tab identify the inactive secure file --> 3. Click on the three dots --> 4. Select 'Delete'", "Tags": [ "SDL", "TCP", "Automated", "DP", "AutomatedFromCloudmine" ], "Enabled": true }, { "ControlID": "ADO_Environment_AuthZ_Dont_Grant_All_Pipelines_Access", "Description": "Do not make environment accessible to all (YAML) pipelines.", "Id": "Environment100", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckEnviornmentAccess", "Rationale": "To support security of the pipeline operations, environments must not be granted access to all YAML pipelines. This is in keeping with the principle of least privilege because a vulnerability in components used by one pipeline can be leveraged by an attacker to attack other pipelines having access to critical resources. Note that this does not prevent classic pipelines from accessing the environment as it depends on the permissions granted to pipeline user.", "Recommendation": "1. Go to Pipelines --> 2. Environments --> 3. Select your environment from the list --> 4. Click Security --> 5. Under 'Pipeline Permissions', remove YAML pipelines that environment no more requires access to or click 'Restrict Permission' to avoid granting access to all YAML pipelines. For classic pipeline review user permissions carefully.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "AutomatedFix" ], "Enabled": true }, { "ControlID": "ADO_Environment_AuthZ_Restrict_Broader_Group_Access", "Description": "Do not allow environment to have excessive permissions for a broad group of users.", "Id": "Environment110", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckBroaderGroupAccessOnEnvironment", "Rationale": "If a broad group of users (e.g., Contributors) have excessive permissions on an environment, a malicious user can abuse these permissions to compromise integrity of the environment.", "Recommendation": "1. Go to Project --> 2. Pipelines --> 3. Environments --> 4. Select your environment from the list --> 5. Click 'Security' --> 6. Review users/groups which have administrator and user roles. Ensure broader groups have read-only access. Refer to detailed scan log (Environment.LOG) for broader group list.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "AutomatedFix" ], "Enabled": true }, { "ControlID": "ADO_Environment_AuthZ_Enable_PreDeployment_Approval", "Description": "Environments for production deployments must have approvals enabled.", "Id": "Environment120", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckPreDeploymentApprovalOnEnv", "Rationale": "Approvals on an environment ensure that deployment from a YAML pipeline happens only after designated users have reviewed the changes being deployed. This provides an additional layer of defense against inadvertent (or possibly malicious) changes to your production environment.", "Recommendation": "1. Go to Project --> 2. Pipelines --> 3. Environments --> 4. Select your environment from the list --> 5. Click on the three dots in upper right corner --> 6. Select 'Approvals and Checks' --> 7. Add an approval check on environment --> 8. Add the appropriate users and groups in list of approvers.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ" ], "Enabled": true }, { "ControlID": "ADO_Environment_AuthZ_Review_PreDeployment_Approvers", "Description": "Approvers on environment must be periodically reviewed.", "Id": "Environment130", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckPreDeploymentApproversOnEnv", "Rationale": "Periodic review of approvers list for production deployments ensures that only appropriate people are members of such a critical role. As team composition/membership changes, this privilege may need to be revoked from members who are no more in the team.", "Recommendation": "To remove any user/group from the approvers list: 1. Go to Project --> 2. Pipelines --> 3. Environments --> 4. Select your environment from the list --> 5. Click on the three dots in upper right corner --> 6. Select 'Approvals and Checks' --> 7. Select 'Approvals' --> 8. Review users/groups as needed from approvers list. Refer detailed log file to review the list of approvers. ", "Tags": [ "SDL", "TCP", "Automated", "AuthZ" ], "Enabled": true }, { "ControlID": "ADO_Environment_SI_Use_Good_Branch_Hygiene", "Description": "All deployments to production environments must be done from standard branches.", "Id": "Environment140", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckBranchHygieneOnEnv", "Rationale": "You should ensure that deployments to environments are always done from standard branches (like main, master and develop). These branches should have the tightest access controls and approval standards. Any changes in the source code should be tested first on a development branch before merging in the standard branches. The source code in these branches should correspond to production bits at all times. This helps in maintaining stable source code and helps prevent deployment of breaking changes (and potential security bugs) into the production environment.", "Recommendation": "1. Go to Project --> 2. Pipelines --> 3. Environments --> 4. Select your environment from the list --> 5. Click on the three dots in upper right corner --> 6. Select 'Branch Control' --> 7. Review all the branches that have been added in the list.", "Tags": [ "SDL", "TCP", "Automated", "SI" ], "Enabled": true }, { "ControlID": "ADO_Repository_AuthZ_Disable_Inherited_Permissions", "Description": "Do not allow inherited permission on repository.", "Id": "Repository130", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckInheritedPermissionsOnRepository", "Rationale": "Disabling inherited permissions lets you finely control access to various operations at the repository level for different stakeholders. This ensures that you follow the principle of least privilege and provide access only to the persons that require it.", "Recommendation": "1. Go to Project Settings --> 2. Repositories --> 3. Select a Repository --> 4. Permissions --> 5. Disable 'Inheritance'.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ" ], "Enabled": true }, { "ControlID": "ADO_Repository_AuthZ_Dont_Grant_BuildSvcAcct_Permission", "Description": "Do not grant Build Service Account direct access to repositories.", "Id": "Repository140", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckBuildSvcAcctAccessOnRepository", "Rationale": "Build service account is default identity used as part every build in project. Configuring these identities with excessive permissions will expose repository details to all build definitions in the project.", "Recommendation": "1. Go to Project Settings --> 2. Repositories --> 3. Select your repository from the list --> 4. Select security --> 5. 4. Ensure 'Excessive' permissions of 'Project Collection Build Service(organization)/[Project] Build Service' groups is not set to 'Allow'. Refer to detailed scan log (Repository.LOG) for excessive permissions list.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "MSW", "AutomatedFix" ], "Enabled": true }, { "ControlID": "ADO_Repository_DP_Enable_Credentials_And_Secrets_Policy", "Description": "Enable policy to block pushes that contain credentials and other secrets.", "Id": "Repository150", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckCredentialsAndSecretsPolicyOnRepository", "Rationale": "Exposed credentials in engineering systems continue to provide easily exploitable opportunities for attackers. To defend against this threat, Microsoft security experts developed the CredScan tool to automatically find exposed secrets. CredScan indexes and scans for credentials & other sensitive content in source code, as well as other data sources. CredScan indexes and scans for credentials & other sensitive content in source code, as well as other data sources. CredScan should be enabled at each repo level to avoid commiting credentials or secrets.", "Recommendation": "1. Go to Project Settings --> 2. Repositories --> 3. Select a repository --> 4. Policies --> 5. Enable 'Check for credentials and other secrets' --> 6. Incase you are not able to locate this check, it means that CredScan has not been integrated for the ADO repositories. Make sure it has been integrated in your organization. ", "Tags": [ "SDL", "TCP", "Automated", "Best Practice" ], "Enabled": true }, { "ControlID": "ADO_Repository_AuthZ_Enable_Branch_Control", "Description": "Allow repositories to be accessed only by select branches.", "Id": "Repository160", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckBranchControlOnRepository", "Rationale": "Once a repository is made accessible to a YAML pipeline, malicious users with contribute/'create branch' permissions on the repository will be able to access the repository by queueing the pipeline from the branch they select even if they do not have access to the repository. To prevent this ensure that the repository can be accessed only from select branches (eg 'main').", "Recommendation": "1. Navigate to the repository --> 2. Click on 'Approvals and Checks' --> Create a branch control --> Provide the branches from which you would like the repository to be accessed from. For additional protection, enable 'Verify branch protection'.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ" ], "Enabled": true }, { "ControlID": "ADO_SecureFile_DP_Use_Template_From_Protected_Branch", "Description": "Allow secure file to be accessed by templates only from protected branches.", "Id": "SecureFile140", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckTemplateBranchForSecureFile", "Rationale": "If malicious users have 'contribute' permissions to the repository containing the template required to access the secure file, they can tamper the template itself and misuse the secure file. To prevent this, enable branch protection policies on the branch which contains the template required to access this resource.", "Recommendation": "1. Navigate to the secure file --> 2. Click on 'Approvals and Checks' --> Create a branch control --> Provide the branches from which you would like the secure file to be accessed from. For additional protection, enable 'Verify branch protection'.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ" ], "Enabled": true }, { "ControlID": "ADO_Environment_DP_Use_Template_From_Protected_Branch", "Description": "Allow environment to be accessed by templates only from protected branches.", "Id": "Environment150", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckTemplateBranchForEnvironment", "Rationale": "If malicious users have 'contribute' permissions to the repository containing the template required to access the environments, they can tamper the template itself and misuse the environments. To prevent this, enable branch protection policies on the branch which contains the template required to access this resource.", "Recommendation": "1. Navigate to the environments --> 2. Click on 'Approvals and Checks' --> Create a branch control --> Provide the branches from which you would like the environments to be accessed from. For additional protection, enable 'Verify branch protection'.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ" ], "Enabled": true }, { "ControlID": "ADO_Repository_DP_Use_Template_From_Protected_Branch", "Description": "Allow repositoris to be accessed by templates only from protected branches.", "Id": "Repository170", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckTemplateBranchForRepository", "Rationale": "If malicious users have 'contribute' permissions to the repository containing the template required to access the repositories, they can tamper the template itself and misuse the repositorie. To prevent this, enable branch protection policies on the branch which contains the template required to access this resource.", "Recommendation": "1. Navigate to the repositories --> 2. Click on 'Approvals and Checks' --> Create a branch control --> Provide the branches from which you would like the repositorie to be accessed from. For additional protection, enable 'Verify branch protection'.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ" ], "Enabled": true }, { "ControlID": "ADO_Repository_Dont_Grant_Broader_Group_Access_As_Approvers", "Description": "Broader groups (contributors, project valid users, etc.) should not be added as approvers on repository.", "Id": "Repository170", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckBroaderGroupApproversOnRepository", "Rationale": " Any user/ group can be added as an approver to the Repository, which gives users the permission to approve any run of pipelines accessing the resource even if they do not have access to the Repository. To prevent illegitimate consumption and approval of the resource, ensure that broader groups are not added as approvers.", "Recommendation": "1. Navigate to the Repository --> 2. Click on 'Approvals and Checks' --> Remove Broader groups from Approvals. Refer to detailed scan log (Repository.LOG) for broader group list.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ" ], "Enabled": true }, { "ControlID": "ADO_Environment_Dont_Grant_Broader_Group_Access_As_Approvers", "Description": "Broader groups (contributors, project valid users, etc.) should not be added as approvers on environment.", "Id": "Environment150", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckBroaderGroupApproversOnEnv", "Rationale": "Any user/ group can be added as an approver to the environment, which gives users the permission to approve any run of pipelines accessing the resource even if they do not have access to the Environment. To prevent illegitimate consumption and approval of the resource, ensure that broader groups are not added as approvers.", "Recommendation": "1. Go to Project --> 2. Pipelines --> 3. Environments --> 4. Select your environment from the list --> 5. Click on the three dots in upper right corner --> 6. Select 'Approvals and checks' --> 7. Remove Broader groups from Approvals. Refer to detailed scan log (Environment.LOG) for broader group list.", "Tags": [ "SDL", "TCP", "Automated", "SI" ], "Enabled": true }, { "ControlID": "ADO_SecureFile_Dont_Grant_Broader_Group_Access_As_Approvers", "Description": "Broader groups (contributors, project valid users, etc.) should not be added as approvers on secure file.", "Id": "SecureFile150", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckBroaderGroupApproversOnSecureFile", "Rationale": "Any user/ group can be added as an approver to the secure file, which gives users the permission to approve any run of pipelines accessing the resource even if they do not have access to the secure file. To prevent illegitimate consumption and approval of the resource, ensure that broader groups are not added as approvers.", "Recommendation": "1. Navigate to the secure file --> 2. Select 'Approvals and checks' --> 7. Remove Broader groups from Approvals. Refer to detailed scan log (SecureFile.LOG) for broader group list.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ" ], "Enabled": true } ] } |