Unauthorised access to the authoritative source for software is prevented.
Secure all code forms—including source code, executable code, and configuration-as-code—using the principle of least privilege. Store code in a restricted-access repository, enforce version control and commit signing, conduct code owner reviews, and apply cryptographic protections. These measures ensure that only authorized personnel and tools can access or modify the code, safeguarding its integrity and preventing unauthorized access.
Protect application secrets and credentials stored in configuration files and code to ensure compliance with the principle of least privilege and maintain production system security. Developers should not have direct access to production secrets. Implement mechanisms to safeguard secrets, such as assigning authorized personnel to add secrets to configuration files during deployment, adhering to the separation of duties principle, encrypting all production secrets stored in configuration files, and ensuring encryption at rest. Avoid storing production secrets in configuration files used for development or testing environments, as these typically have lower security postures. Additionally, ensure that sensitive credentials and secrets are not left unprotected in code repositories. Use purpose-built tools for secure storage and key management to enforce access controls, allowing only authorized personnel responsible for production deployments to handle these secrets. This approach minimizes the risk of unauthorized access and ensures the integrity and confidentiality of sensitive data.
ID | Operation | Description | Phase | Agent |
---|---|---|---|---|
SSS-01-04-03-01-01 | Use secret management tools | Implement tools like HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault to securely store and manage production secrets, ensuring encryption at rest. | Development | DevOps team, Security team |
SSS-01-04-03-01-02 | Encrypt secrets in configuration files | Encrypt any secrets included in configuration files before deployment. Use encryption keys stored in secure key management systems. | Deployment | DevOps team, Security team |
SSS-01-04-03-01-03 | Enforce separation of duties | Ensure only authorized personnel can add or access production secrets in configuration files. Developers should not have direct access to production credentials. | Deployment | Security team, Operations team |
SSS-01-04-03-01-04 | Restrict secrets to appropriate environments | Separate secrets for production, testing, and development environments. Do not reuse production secrets in lower-security environments like development or testing. | Development | Security team, Development teams |
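
An added example, not part of the original control text: a Python check that a deployment pipeline could run over per-environment configuration to flag plaintext secrets (SSS-01-04-03-01-02) and production secrets reused in lower environments (SSS-01-04-03-01-04). The `ENC[...]` and `vault:` value markers, the key-name pattern, and the sample data are assumptions constructed for illustration.

```python
import re

# Assumed conventions (not from the page): secret-bearing keys are recognised
# by name, and a protected value is either an "ENC[...]" ciphertext envelope
# or a "vault:" reference that is resolved at deployment time.
SECRET_KEY = re.compile(r"(password|passwd|secret|token|api_?key|private_?key)", re.I)
PROTECTED = re.compile(r"^(ENC\[.+\]|vault:.+)$")

def audit(configs, prod="production"):
    """Return sorted (environment, key, issue) findings for per-environment configs."""
    findings = set()
    # Every secret value that production uses, protected or not.
    prod_values = {str(v) for k, v in configs.get(prod, {}).items()
                   if SECRET_KEY.search(k) and v}
    for env, settings in configs.items():
        for key, value in settings.items():
            value = str(value)
            if not SECRET_KEY.search(key) or not value:
                continue
            if not PROTECTED.match(value):
                findings.add((env, key, "plaintext secret"))
            # Same value, ciphertext or reference outside production means the
            # production secret is reachable from a lower-security environment.
            if env != prod and value in prod_values:
                findings.add((env, key, "production secret reused"))
    return sorted(findings)

# Constructed sample configuration; none of these values are real.
SAMPLE = {
    "production": {
        "db_host": "db.internal.example",
        "db_password": "vault:secret/prod/db#password",
        "api_token": "ENC[constructed-ciphertext-A]",
        "signing_secret": "constructed-plaintext-1",
    },
    "testing": {
        "db_password": "vault:secret/test/db#password",
        "api_token": "ENC[constructed-ciphertext-A]",
    },
    "development": {
        "db_password": "constructed-dev-only",
        "signing_secret": "constructed-plaintext-1",
    },
}

if __name__ == "__main__":
    for env, key, issue in audit(SAMPLE):
        print(f"{env}: {key}: {issue}")
```
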
Industry framework | Academic work | Real-world case |
---|---|---|
Information Security Manual (ISM-1422); NIST Secure Software Development Framework (PS.1.1); OWASP SAMM: Software Assurance Maturity Model (I-SD-1-B) | | |