Adding policies and legitify references (#1497)
* adding legitify references

* added more changes

* added one more line

* Update Software_Supply_Chain_Security.md
Maya-legit authored Sep 29, 2024
1 parent 70ea1e3 commit 3111504
Showing 2 changed files with 7 additions and 1 deletion.
6 changes: 6 additions & 0 deletions cheatsheets/CI_CD_Security_Cheat_Sheet.md
Expand Up @@ -47,6 +47,12 @@ CI/CD environments allow for code to be pushed to a repository and then deployed
- Require commits to be signed
- Carefully weigh the risk against the benefits of allowing ephemeral contributors. Limit the number and permissions of external contributions when possible.
- Enable MFA where available
- Avoid assigning default permissions for users and roles with access to your SCM assets. Carefully manage your permissions.
- Restrict the ability to fork private or internal repositories.
- Limit the option to change repository visibility to public.
You can find a wide variety of additional policies in this [documentation](https://policies.legitify.dev/).

To help navigate SCM configuration challenges, there are tools available, such as [Legitify](https://github.com/Legit-Labs/legitify), an open-source tool by [Legit security](https://www.legitsecurity.com/). Legitify scans SCM assets and identifies misconfigurations and security issues, including policies for all the above best practices (available for GitHub and GitLab).

### Pipeline and Execution Environment

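Review bot: the new paragraph at "You can find a wide variety of additional policies in this [documentation]..." is placed directly after the last list item ("- Limit the option to change repository visibility to public.") with no blank line between them, so Markdown will render it as a lazy continuation of that bullet rather than as its own paragraph; insert a blank line before it. Two smaller points on the same hunk: the vendor name should be capitalised consistently as "Legit Security" (the link text currently reads "Legit security"), and the claim that Legitify ships "policies for all the above best practices" is a strong statement for a cheat sheet that lists signed commits, MFA, fork restrictions and visibility changes in one list; either confirm each item is actually covered by a shipped policy or soften it to "policies covering many of the above best practices".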
2 changes: 1 addition & 1 deletion cheatsheets/Software_Supply_Chain_Security.md
Expand Up @@ -60,7 +60,7 @@ Manual code reviews are an important, relatively low cost technique for reducing

#### Secure Config of Version Control Systems

Compromise or abuse of the source control system is consistently recognized as a significant SSC risk [[4,5](#references)]. The general security best practices of strong access control and logging and monitoring are two methods to help secure VCS. Security features specific to the VCS system, such as protected branches and merge policies in git, should also be leveraged. Regardless of any security controls added a VCS, it must be remember that secrets should never be committed to these systems.
Compromise or abuse of the source control system is consistently recognized as a significant SSC risk [[4,5](#references)]. The general security best practices of strong access control and logging and monitoring are two methods to help secure VCS. Security features specific to the VCS system, such as protected branches and merge policies in git, should also be leveraged. You can find a wide variety of recommended policies in this [documentation](https://policies.legitify.dev/). There are tools available to help manage configuration of SCM systems, such as [Legitify](https://github.com/Legit-Labs/legitify), an open-source tool by [Legit security](https://www.legitsecurity.com/). Legitify is designed to detect misconfigurations in GitHub and GitLab and assist with the implementation of best practices. Regardless of any security controls added a VCS, it must be remember that secrets should never be committed to these systems.

#### Secure Development Platform

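Review bot: since the replaced line is being rewritten anyway, the pre-existing grammar errors in its final sentence should be fixed in this change rather than carried over: "Regardless of any security controls added a VCS, it must be remember that secrets should never be committed" should read "Regardless of any security controls added to a VCS, it must be remembered that secrets should never be committed to these systems." The same "Legit security" capitalisation issue as in the CI/CD cheat sheet applies here ("Legit Security"). Finally, this hunk repeats nearly the same Legitify/policies sentences that the same commit adds to cheatsheets/CI_CD_Security_Cheat_Sheet.md; consider keeping the tooling description in one place and linking to the CI/CD cheat sheet's SCM configuration section from here, so the two pages do not drift apart when either is updated.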

0 comments on commit 3111504