Merge pull request #211 from hlxsites/app-sec-jb-policy-oct23

[Application Security Policies] App sec jb policy oct23
hlxsites · Nov 9, 2023 · 2aad897 · 2aad897
2 parents f73b748 + 83298d8
commit 2aad897
Show file tree

Hide file tree

Showing 39 changed files with 2,050 additions and 389 deletions.
diff --git a/docs/en/enterprise-edition/policy-reference/book.yml b/docs/en/enterprise-edition/policy-reference/book.yml
diff --git a/...licies/azure-repo-cicd-pipeline-policies/azure-repo-certificate-unverified.adoc b/...licies/azure-repo-cicd-pipeline-policies/azure-repo-certificate-unverified.adoc
@@ -0,0 +1,41 @@
+== Certificate not verified by Azure Pipelines pipeline command 
+
+=== Policy Details 
+
+[width=45%]
+[cols="1,1"]
+|=== 
+
+|Prisma Cloud Policy ID 
+|0948afba-1a3d-40d1-a692-26623ed3156a 
+
+|Severity
+|Medium
+// add severity level
+
+|Category
+|Dependency Chains 
+// add category+link
+
+|Subtype
+|Build
+// add subtype-build/runtime
+
+|Frameworks
+|Azure Pipelines
+
+|=== 
+
+=== Description
+
+Not verifying certificates through pipeline commands allows attackers to plant their own certificate and impersonate a server in order to perform a man-in-the-middle attack to intercept, tamper with and/or steal information, to possibly run code in the build system and to reach the production environment.
+
+=== Recommended Solution - Buildtime
+
+Remove flags from the commands found in the pipeline that disable the certificate check.
+
+* For *wget* command, remove `--no-check-certificate`
+* For *curl* command, remove `--insecure` or `-k` flags	
+
+Consider removing the command entirely from the pipeline if the server certificate cannot be authenticated.
+
diff --git a/...licies/azure-repo-cicd-pipeline-policies/azure-repo-cicd-pipeline-policies.adoc b/...licies/azure-repo-cicd-pipeline-policies/azure-repo-cicd-pipeline-policies.adoc
@@ -5,25 +5,73 @@
 |===
 |Policy|Category|Severity
 
+|xref:azure-repo-secrets-npm-downloadurl.adoc[Secrets found in NPM dependency download URL in Azure repository]
+|Dependency Chains
+|High
+
+|xref:azure-repos-pipelines-transmit-data-unencrypted-channel.adoc[Azure Pipelines commands transmit data over an unencrypted channel]
+|Dependency Chains
+|Medium
+
 |xref:azure-repo-miss-npmlockfile.adoc[Azure repository missing NPM lock file]
 |Dependency Chains
 |Medium
 
-|xref:azure-repo-unencryptedchannel-download-dependencies.adoc[Unencrypted channel used in Azure repository to download dependencies from NPM registry]
+|xref:azure-repo-certificate-unverified.adoc[Certificate not verified by Azure Pipelines pipeline command]
 |Dependency Chains
 |Medium
 
+|xref:azure-repo-fork-private-repo-allowed.adoc[Forking of a private Azure repository is allowed]
+|Data Protection
+|Medium
+
+|xref:azure-repo-insecure-def-secret-var.adoc[Insecure definition of secret variable in Azure pipeline]
+|Credential Hygiene
+|Medium
+
 |xref:azure-repo-internal-npm-package-not-scoped-repo.adoc[Internal NPM package is not scoped in Azure repository]
 |Dependency Chains
 |Medium
 
-|xref:azure-repo-secrets-npm-downloadurl.adoc[Secrets found in NPM dependency download URL in Azure repository]
+|xref:azure-repo-missing-integrity-check-download-exe.adoc[Missing integrity check for downloaded executable in Azure Pipelines pipeline]
+|Artifact Integrity Validation
+|Medium
+
+|xref:azure-repos-pckg-insecure-npm-install.adoc[Packages insecurely installed through “npm install” command in Azure Pipelines pipeline]
 |Dependency Chains
-|High
+|Medium
+
+|xref:azure-repo-pr-review-notrequired-merge.adoc[Pull request reviews not required in Azure Repos before merging to the default branch]
+|Flow Control Mechanisms
+|Medium
+
+|xref:azure-repo-requestors-self-approve-pr-defaultbranch.adoc[Requestors allowed to self-approve pull requests on default branch in Azure Repos]
+|Flow Control Mechanisms
+|Medium
+
+|xref:azure-repos-secrets-in-pipeline-logs.adoc[Secrets found in logs of an Azure Pipelines pipeline]
+|Credential Hygiene
+|Medium
+
+|xref:azure-repo-unencryptedchannel-download-dependencies.adoc[Unencrypted channel used in Azure repository to download dependencies from NPM registry]
+|Dependency Chains
+|Medium
+
+|xref:azure-repos-env-var-exposed-printlog.adoc[Environment variables exposed when printed to log in Azure Pipelines]
+|Credential Hygiene
+|Low
 
 |xref:azure-repo-npm-package-lockfile-weak-hash.adoc[NPM package lock file verifies integrity with weak hash algorithm (Azure Repos)]
 |Dependency Chains
 |Low
 
+|xref:azure-repo-project-service-hook-sent-unencrypted.adoc[Project Service hooks sent over unencrypted channel]
+|Data Protection
+|Low
+
+|xref:azure-repo-project-service-hook-ssl-ver-disabled.adoc[Project service hook SSL verification is disabled]
+|Data Protection
+|Low
+
 |===
 
diff --git a/...ies/azure-repo-cicd-pipeline-policies/azure-repo-fork-private-repo-allowed.adoc b/...ies/azure-repo-cicd-pipeline-policies/azure-repo-fork-private-repo-allowed.adoc
@@ -0,0 +1,44 @@
+== Forking of a private Azure repository is allowed
+
+
+=== Policy Details 
+
+[width=45%]
+[cols="1,1"]
+|=== 
+
+|Prisma Cloud Policy ID 
+|aef010f2-b9fa-4386-a0f7-83d5c034ed11 
+
+|Severity
+|Medium 
+// add severity level
+
+|Category
+|Data Protection 
+// add category+link
+
+|Subtype
+|Build
+// add subtype-build/runtime
+
+|Frameworks
+|Azure Repos
+
+|=== 
+
+=== Description
+
+Forking is allowed on private repositories, enabling user accounts with ‘read’ permissions only to fork a repository to another project or user account.
+This could allow sensitive code to be inadvertently/intentionally leaked. 
+Additionally, pull requests can be created from the forked repository to the original repository, which could potentially lead to the execution of malicious code on the CI, even by users with read-only permissions on the original repository.
+
+
+=== Recommended Solution - Buildtime
+
+Whenever not required, disable the forking of private repositories.
+To restrict forking of a private repository in Azure Repos:
+. In *Project Settings*, select *Repositories* in the left navigation.
+. Select the *Repositories* tab, choose a repository > *Settings* > set *Forks* to *OFF*.
+
+For additional instructions, refer to: https://learn.microsoft.com/en-us/azure/devops/repos/git/repository-settings?view=azure-devops&tabs=browser#enable-forks
diff --git a/...icies/azure-repo-cicd-pipeline-policies/azure-repo-insecure-def-secret-var.adoc b/...icies/azure-repo-cicd-pipeline-policies/azure-repo-insecure-def-secret-var.adoc
@@ -0,0 +1,49 @@
+== Insecure definition of secret variable in Azure pipeline
+
+
+=== Policy Details 
+
+[width=45%]
+[cols="1,1"]
+|=== 
+
+|Prisma Cloud Policy ID 
+|b16e2a62-1825-45d2-b722-948092e40beb 
+
+|Severity
+|Medium 
+// add severity level
+
+|Category
+| 
+// add category+link
+
+|Subtype
+|Build
+// add subtype-build/runtime
+
+|Frameworks
+|Azure Pipelines
+
+|=== 
+
+=== Description
+
+The `task.set` variable command is the least secure way to set secret variables in Azure Pipelines. This is because the secret is stored in plain text in the pipeline yaml file, which anyone with access to the pipeline can view.
+
+In addition, hard coded secrets can make it difficult to maintain your code. If you need to change a secret or to perform a periodic rotation, you will need to update it in all of the places where it is used. This can be a time-consuming and error-prone process.
+
+
+=== Recommended Solution - Buildtime
+
+Use OIDC instead of long term credentials as it is more secure, when the service you authenticate against supports it.
+
+The recommended ways to set secret variables in Azure Pipelines are:
+
+* Set a pipeline secret variable. The secret is encrypted and stored in Azure Pipelines exclusively for the pipeline
+
+* Set a secret in a variable group. Variable groups are a way to group together related variables. Secret variables can be added to variable groups and then used in pipelines. This makes it easy to manage secret variables and to reuse them across multiple pipelines
+
+* Link secrets from an Azure key vault. Azure key vault is a service that provides secure storage for secrets. Secret variables can be added to Azure key vault and then used in pipelines
+
+For more information refer to: https://learn.microsoft.com/en-us/azure/devops/pipelines/process/set-secret-variables?view=azure-devops&tabs=yaml%2Cbash.
diff --git a/...epo-cicd-pipeline-policies/azure-repo-missing-integrity-check-download-exe.adoc b/...epo-cicd-pipeline-policies/azure-repo-missing-integrity-check-download-exe.adoc
@@ -0,0 +1,38 @@
+
+== Missing integrity check for downloaded executable in Azure Pipelines pipelines
+
+=== Policy Details 
+
+[width=45%]
+[cols="1,1"]
+|=== 
+
+|Prisma Cloud Policy ID 
+|0c739c8e-d5d1-4866-b1e5-293e3b59080c 
+
+|Severity
+|Medium
+// add severity level
+
+|Category
+|Artifact Integrity Validation 
+// add category+link
+
+|Subtype
+|Build
+// add subtype-build/runtime
+
+|Frameworks
+|Azure Pipelines
+
+|=== 
+
+=== Description
+
+Executables are downloaded and executed during a pipeline run without being validated for integrity, a check which verifies the executable’s content. An attacker who compromises the executable can execute code in the pipeline that can exfiltrate credentials or affect the build process in order to ship malicious code or artifacts to production.
+
+=== Recommended Solution - Buildtime
+
+Follow the vendor’s instructions on how to validate the signature of the downloaded executable.
+
+For *Codecov*: https://docs.codecov.com/docs/codecov-uploader#integrity-checking-the-uploader
diff --git a/...s/azure-repo-cicd-pipeline-policies/azure-repo-pr-review-notrequired-merge.adoc b/...s/azure-repo-cicd-pipeline-policies/azure-repo-pr-review-notrequired-merge.adoc
@@ -0,0 +1,59 @@
+== Pull request reviews not required in Azure Repos before merging to the default branch
+
+=== Policy Details 
+
+[width=45%]
+[cols="1,1"]
+|=== 
+
+|Prisma Cloud Policy ID 
+|d108910f-8d5c-4b41-a9f7-723894897c17
+
+|Severity
+|Medium
+// add severity level
+
+|Category
+|Flow Control Mechanisms
+// add category+link
+
+|Subtype
+|Build
+// add subtype-build/runtime
+
+|Frameworks
+|Azure Repos
+
+|=== 
+
+=== Description
+
+User accounts with "write" permissions on an actively used repository^*^ can push code directly to the default branch without requiring pull request reviews before the code is merged, potentially allowing malicious code to flow through the pipeline to production systems.
+
+* An actively used repository is defined as having at least two contributors, over 50 commits, and has been updated in the last 90 days.
+
+
+=== Recommended Solution - Buildtime
+
+[.task]
+
+It is recommended to restrict direct pushes to the default branch, and to require a minimum number of reviewers to approve pull requests in order to ensure that code is reviewed before merged.
+
+[.procedure]
+
+. In Azure DevOps, browse to *Repositories* under 'Project Settings'.
+. Select a repository and enter its policies.
+. Choose the default branch and toggle *ON* the *Require a minimum number of reviewers* policy.
+. Set the *Minimum number of reviewers* to 1 or more.
+
+=== Best Practice
+
+It is good practice to enable the following policies:
+
+* Check ‘Prohibit the most recent pusher from approving their own changes’
+
+* Check *When new changes are pushed* and select an option:
+** Require at least one approval on the last iteration
+** Reset all approval votes (does not reset votes to reject or wait)
+** Reset all code reviewer votes
+
diff --git a/...po-cicd-pipeline-policies/azure-repo-project-service-hook-sent-unencrypted.adoc b/...po-cicd-pipeline-policies/azure-repo-project-service-hook-sent-unencrypted.adoc
@@ -0,0 +1,35 @@
+== Project Service hooks sent over unencrypted channel  
+
+=== Policy Details 
+
+[width=45%]
+[cols="1,1"]
+|=== 
+
+|Prisma Cloud Policy ID 
+|986494de-cbd0-431b-8457-3eb628ebe371 
+
+|Severity
+|Low
+// add severity level
+
+|Category
+|Data Protection 
+// add category+link
+
+|Subtype
+|Build
+// add subtype-build/runtime
+
+|Frameworks
+|Azure Repos
+
+|=== 
+
+=== Description
+
+The project sends events to a webhook over an unencrypted channel. An attacker executing a man-in-the-middle attack can steal or modify the data sent to the webhook.
+
+=== Recommended Solution - Buildtime
+
+Only use webhooks that support encryption in transit protocols.
diff --git a/...po-cicd-pipeline-policies/azure-repo-project-service-hook-ssl-ver-disabled.adoc b/...po-cicd-pipeline-policies/azure-repo-project-service-hook-ssl-ver-disabled.adoc
@@ -0,0 +1,45 @@
+== Project service hook SSL verification is disabled 
+
+=== Policy Details 
+
+[width=45%]
+[cols="1,1"]
+|=== 
+
+|Prisma Cloud Policy ID 
+|2134299a-2b9b-40f7-ab3b-4e5730690183 
+
+|Severity
+|Low
+// add severity level
+
+|Category
+|Data Protection 
+// add category+link
+
+|Subtype
+|Build
+// add subtype-build/runtime
+
+|Frameworks
+|Azure Repos
+
+|=== 
+
+=== Description
+
+SSL Verification is disabled for a project service hook, which instructs Azure Repos to not verify the identity of the remote server.
+
+The lack of verification enables attackers to perform a man-in-the-middle attack, and to expose the transmitted data.
+
+=== Recommended Solution - Buildtime
+
+[.task]
+
+[.procedure]
+
+To enable SSL Verification for a service hook:
+. In Azure Repos, browse to *Project Settings*.
+. Under *Service hooks*, select the relevant webhook.
+. Uncheck the *“*Accept untrusted SSL certificates* setting.
+