
Implementation -> Infrastructure Hardening: Infrastructure as Code

Risk and Opportunity

Risk: When changes to systems are not tracked, errors in the configuration might result. In addition, it might lead to unauthorized changes. An example is Jenkins.
Opportunity: Systems are set up by code. A full environment can be provisioned. In addition, software like Jenkins 2 can be set up and configured in code too. The code should be stored in a version control system.

Exploit details

Usefulness: High
Required knowledge: Medium (two disciplines)
Required time: Very High
Required resources (systems): High

Additional Information

Implementation hints: GitOps, Ansible, Chef, Puppet, Jenkinsfile
OWASP SAMM 2 Mapping: o-environment-management|A|1
ISO27001:2017 Controls Mapping: