CM-01: Source Code Access Review
Quarterly review of source code change access to ensure restricted access to authorized personnel
Control Description
The ability to make changes to the source code is reviewed quarterly to help ensure that such access is restricted to authorized personnel within the xx department. Any inappropriate access identified is removed.
The phrase "in-scope applications and related databases" is shown in red text because, if there is only one in-scope application, the wording would need to be changed to "in-scope application and related database."
Plain Meaning
This control ensures that only the right people can modify your application's source code. Every three months, you must check who has access to make code changes and remove access from anyone who shouldn't have it. This prevents unauthorized code modifications that could introduce security vulnerabilities or bugs.
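One way to carry out the quarterly check described above, as an added example that is not part of this page's implementation examples: it compares the collaborators holding write-capable permission on a repository (a constructed sample shaped like the GitHub REST collaborators response) against an approved roster and lists anyone to remove or downgrade. The roster, the `contractor-old` and `auditor` accounts and the `run_review` helper are assumptions made for illustration.

```python
"""Quarterly review of who can change source code (added example, not from this page).
Compares the write-capable collaborators on a repository against an approved roster
and reports anyone whose access should be removed or reduced."""
import json
# Permission levels that allow changing source code or repository settings.
WRITE_LEVELS = {"push", "maintain", "admin"}
RANK = {"pull": 0, "triage": 1, "push": 2, "maintain": 3, "admin": 4}
# Approved roster (constructed, mirroring the team YAML on this page).
APPROVED = {
    "developer1": "push", "developer2": "push", "developer3": "push",
    "senior-dev1": "maintain", "senior-dev2": "maintain",
}
# Constructed sample shaped like the GitHub REST response for
# GET /repos/{owner}/{repo}/collaborators (a real review fetches this live).
COLLABORATORS_JSON = """[
 {"login": "developer1",     "permissions": {"admin": false, "maintain": false, "push": true,  "triage": true,  "pull": true}},
 {"login": "senior-dev1",    "permissions": {"admin": false, "maintain": true,  "push": true,  "triage": true,  "pull": true}},
 {"login": "contractor-old", "permissions": {"admin": false, "maintain": false, "push": true,  "triage": true,  "pull": true}},
 {"login": "developer3",     "permissions": {"admin": true,  "maintain": true,  "push": true,  "triage": true,  "pull": true}},
 {"login": "auditor",        "permissions": {"admin": false, "maintain": false, "push": false, "triage": false, "pull": true}}
]"""

def effective_level(perms):
    """Collapse GitHub's boolean permission flags to the highest role held."""
    for level in ("admin", "maintain", "push", "triage", "pull"):
        if perms.get(level):
            return level
    return None

def review_access(collaborators, approved):
    """Return (login, actual_level, reason) for each write-capable collaborator
    who is absent from the roster or holds more than their approved level."""
    findings = []
    for c in collaborators:
        level = effective_level(c["permissions"])
        if level not in WRITE_LEVELS:
            continue  # read-only access cannot modify source code
        want = approved.get(c["login"])
        if want is None:
            findings.append((c["login"], level, "not on approved roster"))
        elif RANK[level] > RANK[want]:
            findings.append((c["login"], level, f"exceeds approved level '{want}'"))
    return findings

def run_review():
    """Review the constructed sample against the approved roster."""
    return review_access(json.loads(COLLABORATORS_JSON), APPROVED)

if __name__ == "__main__":
    for login, level, reason in run_review():
        print(f"REMOVE/REDUCE {login}: has '{level}' ({reason})")
```

Accounts on the roster that are absent from the repository are not flagged; the review is concerned only with access that exists but should not.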
Implementation Examples
AWS EKS & GitHub Integration
1. GitHub Repository Access Management

```yaml
# .github/teams/developers.yml
name: "Developers"
description: "Development team members with write access"
permission: "push"
members:
- "developer1"
- "developer2"
- "developer3"
```

```yaml
# .github/teams/reviewers.yml
name: "Code Reviewers"
description: "Senior developers with merge permissions"
permission: "maintain"
members:
- "senior-dev1"
- "senior-dev2"
```

Related Controls
Change Management
- CM-3: Change Authorization: Change authorization procedures
- CM-4: Change Testing: Change testing and validation
- CM-9: Emergency Change Procedures: Emergency change management
- CM-11: Change Documentation: Change documentation requirements
- CM-12: Change Approval Process: Change approval workflows
- CM-13: Change Implementation: Change implementation procedures
- CM-15: Change Monitoring: Change monitoring and validation
- CM-16: Change Rollback Procedures: Change rollback capabilities
- CM-17: Change Review Process: Post-change review procedures
- CM-18: Change Training: Change management training
Access Management
- LS-04: Access Authorization: Access authorization for code changes
- LS-05: Access Review: Regular access reviews for code access
- LS-07: Privileged Access Management: Privileged access to source code
- LS-14: Administrative Access Restrictions: Administrative access controls
Monitoring and Logging
- COM-02: Centralized Logging Solution: Code change logging and monitoring
- COM-04: Log Monitoring and Alerting: Automated monitoring of code changes
Risk Assessment
- RA-01: Internal Control Audits: Code access control audits
- RA-02: Risk Assessment Procedures: Code change risk assessment
Incident Response
- IR-01: Monthly Incident Review: Code-related incident reviews
- IR-02: Incident Management Process: Code security incident response
Related Links
Leadline Architecture Design
- SSDLC Security Practices: Secure Software Development Lifecycle implementation, security toolchain, and secure development practices
- Observability & Monitoring: Monitoring and logging for change management and code deployment