Skip to main content

CCC Build

Build refers to a fully managed continuous integration service offered by cloud service providers for build automation. It is designed to compile source code, run tests, and produce deployable artifacts without having to setup, manage or scale your own infrastructure for running build servers.

Release Details

Version:
DEV
Assurance Level:
Release Manager:
DB
Development Build

Contributors

DT
Development Team

Change Log

  • Development build - no formal changelog available

Capabilities

IDTitleDescriptionThreat Mappings
CCC.Build.F01Build AutomationProvides fully managed continuous integration service that compiles source code, run tests and produce software packages based on triggers or schedules.
1
CCC.Build.F02CI/CD PipelinesProvides or integrates with continuous integration and continuous delivery/deployment (CI/CD) services.
0
CCC.Build.F03Source Repository IntegrationIntegrates with cloud native or external source code repositories such as GitHub, Bitbucket, GitLab to trigger builds on code changes.
1
CCC.Build.F04Artifact StorageAbility to securely store build artifacts for later use.
1
CCC.Build.F05Multi-language SupportProvides pre-configured build environments for popular programming languages such as Java, Python, Node.js, .NET, etc.
0
CCC.Build.F06Custom Build EnvironmentsAllows custom build environments by specifying the operating system, runtime, or providing a custom docker runtime image.
0
CCC.Build.F07Build Docker ImageSupport for building docker container images in the pipelines.
0
CCC.Build.F08Environment VariablesAbility to set environment variables within the build project.
0
CCC.Build.F09Concurrent BuildsSupport for concurrent, parallel builds to improve build performance.
0
CCC.Build.F10CachingCaching of dependencies between builds for faster builds.
0
CCC.Build.F11Realtime Build LogsProviding the ability to monitor builds and view logs in the real-time.
0
CCC.Build.F12List and View BuildsAbility to list, view logs and download artifacts of old builds.
0
CCC.Core.F01Encryption in Transit Enabled by DefaultThe service automatically encrypts all data using industry-standard cryptographic protocols prior to transmission via a network interface.
0
CCC.Core.F02Encryption at Rest Enabled by DefaultThe service automatically encrypts all data using industry-standard cryptographic protocols prior to being written to a storage medium.
0
CCC.Core.F04Transaction Rate LimitsThe service can throttle, delay, or reject excess requests when transactions exceed a user-specified rate limit, and always provides industry-standard throughput up to that limit.
1
CCC.Core.F06Access ControlThe service automatically enforces user configurations to restrict or allow access to a specific component or a child resource based on factors such as user identities, roles, groups, or attributes.
1
CCC.Core.F07Event PublicationThe service automatically publishes a structured state-change record upon creation, deletion, or modification of data, configuration, components, or child resources.
1
CCC.Core.F09Metrics PublicationThe service automatically publishes structured, numeric, time-series data points related to the performance, availability, and health of the service or its child resources.
2
CCC.Core.F10Log PublicationThe service automatically publishes structured, verbose records of activities, operations, or events that occur within the service.
2
CCC.Core.F14API AccessThe service exposes a port enabling external actors to interact programmatically with the service and its resources using HTTP protocol methods such as GET, POST, PUT, and DELETE.
1
CCC.Core.F19Resource ScalingThe service may be configured to scale child resources automatically or on-demand.
1

Threats

IDTitleDescriptionExternal MappingsCapability MappingsControl Mappings
CCC.Build.TH01Unauthorized Build ExecutionAttackers may trigger builds using unauthorized build agents or external services, leading to unauthorized code execution or deployment of malicious code.
1
1
0
CCC.Build.TH02External Exposure of Build EnvironmentsIf build environments have external network access, they may be accessed by unauthorized parties, leading to data exfiltration or tampering.
1
1
0
CCC.Core.TH01Access is Granted to Unauthorized UsersLogic designed to give different permissions to different entities may be misconfigured or manipulated, allowing unauthorized entities to access restricted parts of the service, its data, or its child resources. This could result in a loss of data confidentiality or tolerance of unauthorized actions which impact the integrity and availability of resources and data.
1
1
5
CCC.Core.TH02Data is Intercepted in TransitData transmitted by the service is susceptible to collection by any entity with access to any part of the transmission path. Packet observations can be used to support the planning of attacks by profiling origin points, destinations, and usage patterns. The data may also be vulnerable to interception or modification in transit if not properly encrypted, impacting the confidentiality or integrity of the transmitted data.
1
1
2
CCC.Core.TH03Deployment Region Network is UntrustedSystems are susceptible to unauthorized access or interception by actors with social or physical control over the network in which they are deployed. If the geopolitical status of the deployment network is untrusted, unstable, or insecure, this could result in a loss of confidentiality, integrity, or availability of the service and its data.
1
1
0
CCC.Core.TH04Data is Replicated to Untrusted or External LocationsSystems are susceptible to unauthorized access or interception by actors with political or physical control over the network in which they are deployed. Confidentiality may be impacted if the data is replicated to a network where the geopolitical status is untrusted, unstable, or insecure.
1
1
2
CCC.Core.TH05Interference with Replication ProcessesMisconfigured or manipulated replication processes may lead to data being copied to unintended locations, delayed, modified, or not being copied at all. This could lead to compromised data confidentiality and integrity, potentially also affecting recovery processes and data availability.
1
1
1
CCC.Core.TH06Data is Lost or CorruptedServices that rely on accurate data are susceptible to disruption in the event of data loss or corruption. Any actions that lead to the unintended deletion, alteration, or limited access to data can impact the availability of the service and the system it is part of.
1
1
0
CCC.Core.TH07Logs are Tampered With or DeletedTampering or deletion of service logs will reduce the system's ability to maintain an accurate record of events. Any actions that compromise the integrity of logs could disrupt system availability by disrupting monitoring, hindering forensic investigations, and reducing the accuracy of audit trails.
1
1
1
CCC.Core.TH09Runtime Logs are Read by Unauthorized EntitiesUnauthorized access to logs may expose valuable information about the system's configuration, operations, and security mechanisms. This could jeopardize system availability through the exposure of vulnerabilities and support the planning of attacks on the service, system, or network. If logs are not adequately sanitized, this may also directly impact the confidentiality of sensitive data.
1
1
1
CCC.Core.TH11Publications are Incorrectly TriggeredIncorrectly triggered publications may disseminate inaccurate or misleading information, creating a data integrity risk. Such misinformation can cause unintended operations to be initiated, conceal legitimate issues, and disrupt the availability or reliability of systems and their data.
1
1
0
CCC.Core.TH12Resource Constraints are ExhaustedExceeding the resource constraints through excessive consumption, resource-intensive operations, or lowering of rate-limit thresholds can impact the availability of elements such as memory, CPU, or storage. This may disrupt availability of the service or child resources by denying the associated functionality to users. If the impacted system is not designed to expect such a failure, the effect could also cascade to other services and resources.
1
1
0
CCC.Core.TH14Older Resource Versions are UsedRunning older versions of child resources can expose the system to known vulnerabilities that have been addressed in more recent versions. If the version identifier is detected by an attacker, it may be possible to exploit these vulnerabilities to compromise the confidentiality, integrity, or availability of the system and its data.
1
1
0
CCC.Core.TH15Automated Enumeration and Reconnaissance by Non-human EntitiesAutomated processes may be used to gather details about service and child resource elements such as APIs, file systems, or directories. This information can reveal vulnerabilities, misconfigurations, and the network topology, which can be used to plan an attack against the system, the service, or its child resources.
1
1
0
CCC.Core.TH16Publications are DisabledPublication of events, metrics, and runtime logs may be disabled, leading to a lack of expected security and operational information being shared. This can impact system availability by delaying the detection of incidents while also impacting system design decisions and enforcement of operational thresholds, such as autoscaling or cost management.
1
1
0

Controls

IDTitleObjectiveControl FamilyThreat MappingsGuideline MappingsAssessment Requirements
CCC.Build.C01Restrict Allowed Build AgentsEnsure that builds are executed only on authorized build agents to maintain control over the build environment and prevent unauthorized code execution. Access Control
1
3
1
CCC.Build.C02Restrict Allowed External Services for Build TriggersEnsure that builds can only be triggered by authorized external services or repositories to prevent unauthorized code execution or tampering. Access Control
1
3
1
CCC.Build.C03Deny External Network Access for Build EnvironmentsEnsure that build environments do not have external network access to prevent unauthorized external access and data exfiltration. Network Security
2
3
1
CCC.Core.C01Encrypt Data for TransmissionEnsure that all communications are encrypted in transit to protect data integrity and confidentiality. Data
1
8
5
CCC.Core.C02Encrypt Data for StorageEnsure that all data stored is encrypted at rest using strong encryption algorithms. Data
1
7
1
CCC.Core.C09Ensure Integrity of Access LogsEnsure that access logs are always recorded to an external location that cannot be manipulated from the context of the service(s) it contains logs for. Data
3
5
3
CCC.Core.C10Restrict Data Replication to Trust PerimeterEnsure that data is only replicated on infrastructure in locations that are explicitly included within a defined trust perimeter. Data
1
4
1
CCC.Core.C04Log All Access and ChangesEnsure that all access attempts are logged to maintain a detailed audit trail for security and compliance purposes. Logging & Monitoring
1
5
3
CCC.Core.C05Prevent Access from Untrusted EntitiesEnsure that secure access controls enforce the principle of least privilege to restrict access to authorized entities from explicitly trusted sources only. Identity and Access Management
1
8
6