MCP Security Alert: MarkItDown, Archon OS, Kubectl MCP
Read the Latest Research
Open Software Supply Chain Attack Reference (OSC&R) > T0173 - Auto merge rules in SCM

Realms:

SCM Posture

T0173 - Auto merge rules in SCM

Auto merge rules in SCM (Source Code Management) are rules that determine how code changes should be merged automatically into a main code repository or branch. While auto merge rules in SCM can help to streamline the code review and merge process, there are several security risks to consider, including: 1. Malicious code injection: Auto merge rules may allow malicious code changes to be merged into the code repository, compromising the security of the system. 2. Vulnerability propagation: Automatic merges can propagate security vulnerabilities to the main code repository or branch, allowing attackers to exploit these vulnerabilities to gain unauthorized access to the system. 3. Human error: Auto merge rules can lead to errors in the code repository, such as overwriting critical code or merging code that has not been properly reviewed. 4. Compliance violations: Auto merge rules can violate compliance requirements, such as failing to properly audit code changes or not properly segregating code changes between different teams.
ID: T0173
Type: Technique
Tactic: Execution
Summary: Auto merge rules in SCM
State: Draft

Mitigations

ID
TYPE
SUMMARY
DESCRIPTION
M1730
Mitigation
Mitigation Implement code reviews Code reviews are a valuable tool for improving code quality, reducing technical debt, and ensuring the security and reliability of software applications.
Most crucial changes should be reviewed and validated to ensure there are no any security risks. Code reviews can identify defects and vulnerabilities in the code before it's deployed, reducing the likelihood of security breaches, system failures, and other issues. Require code reviews for any changes to source code or configuration files, especially for those affecting the CI/CD pipeline.
M1731
Mitigation
Mitigation Implement verification of signed commits Signing commits, or requiring to sign commits, gives other users confidence about the origin of a specific code change.
It ensures that the author of the change is not hidden and is verified by the version control system, thus the change comes from a trusted source. For each repository in use, enforce the branch protection rule of requiring signed commits, and make sure only signed commits are capable of merging.
M1732
Mitigation
Mitigation Implement code scanning for security risks Scanning pull requests to detect risks allows for early detection of vulnerable code and/or dependencies and helps mitigate potentially malicious code.
For every repository in use, enforce risk scanning on every pull request.
M1860
Mitigation
Mitigation Implement strong authentication mechanisms Authentication is the process of verifying the identity of a user or entity accessing the SCM system.
Strong authentication typically involves using multiple factors to verify the user's identity, beyond just a username and password. This may include factors such as something the user knows (e.g., password), something the user has (e.g., smart card or token), and something the user is (e.g., biometric data like fingerprint or facial recognition). Multi-factor authentication (MFA) can significantly enhance the security of SCM systems by adding an additional layer of protection against unauthorized access.
M1861
Mitigation
Mitigation Implement strong authorization mechanisms Strong authorization ensures that users only have access to the resources and actions that are necessary for their job functions and responsibilities, and nothing more.
This can be achieved through proper access controls, such as role-based access control (RBAC) or attribute-based access control (ABAC), which define fine-grained permissions and privileges for users, groups, and repositories in the SCM system. Regularly review user permissions and remove all unnecessary permissions for specific users.

Detections

ID
TYPE
SUMMARY
DESCRIPTION
D1262
Detection
Detection Implement vulnerability assesment Vulnerability assessment is a proactive approach to mitigating cybersecurity risks by systematically identifying, evaluating, and prioritizing vulnerabilities in a system, network, or application.
It involves conducting regular assessments to identify potential weaknesses that could be exploited by attackers, and taking appropriate actions to remediate or mitigate those vulnerabilities.
D1500
Detection
Detection Configure monitoring of used artifacts and open-source libraries Implement regular scanning of used artifacts and open-source libraries for known vulnerabilities.
Set up monitoring of reported issues based on regular scanning results.
D1510
Detection
Detection Implement Intrusion Detection System and anti-malware An intrusion detection system (IDS) is a security tool designed to detect and alert on unauthorized access to a computer system or network.
Implementing intrusion detection systems (IDS) and anti-malware software can help to identify and block malicious activity. IDS is a critical security tool that helps organizations to detect and respond to security incidents in a timely manner. By providing real-time monitoring and analysis of network traffic, IDS can help organizations to stay ahead of potential threats and reduce the risk of a security breach.

References

  1. https://securityintelligence.com/posts/abusing-source-code-management-systems/
Group 1000004924

OSC&R Threat Report Uncovers Urgent Software Supply Chain Risks

AppSec teams are overwhelmed by useless alerts, managing numerous applications with vulnerabilities across various kill-chain stages, making them increasingly susceptible to successful attacks.
Download Report Download