Framework/Configurations/SVT/AzureDevOps/AzureDevOps.Project.json

{
    "FeatureName": "Project",
    "Reference": "aka.ms/azsktcp/project",
    "IsMaintenanceMode": false,
  "Controls": [
    {
      "ControlID": "AzureDevOps_Project_AuthN_Set_Visibility_Private",
      "Description": "Project visibility must be set to private",
      "Id": "Project110",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckPublicProjects",
      "Rationale": "Data/content in projects that have public visibility can be viewed and downloaded by anyone on the internet without authentication. This can lead to the disclosure of corporate data.",
      "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/devops/organizations/public/make-project-public?view=vsts&tabs=new-nav",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthN"
      ],
      "Enabled": true
    },
    {
        "ControlID": "AzureDevOps_Project_AuthZ_Min_RBAC_Access",
        "Description": "All teams/groups must be granted only the minimum required permissions on the project",
        "Id": "Project120",
        "ControlSeverity": "High",
        "Automated": "No",
        "MethodName": "",
        "Rationale": "Granting only the minimum required access through Azure DevOps RBAC ensures that users have just enough permissions to perform their tasks. This limits the exposure of project resources if a user or service account is compromised.",
        "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/devops/organizations/security/set-project-collection-level-permissions?view=vsts&tabs=new-nav",
        "Tags": [
          "SDL",
          "TCP",
          "Manual",
          "AuthZ"
        ],
        "Enabled": true
      },
      {
        "ControlID": "AzureDevOps_Project_AuthZ_Justify_Group_Members",
        "Description": "Justify all identities that are granted member access to groups and teams.",
        "Id": "Project130",
        "ControlSeverity": "High",
        "Automated": "No",
        "MethodName": "",
        "Rationale": "Accounts that are members of these groups without a legitimate business reason increase the risk to your organization. Periodically reviewing group membership and removing accounts that should not be there limits the damage an attacker can do if one of those accounts is compromised.",
        "Recommendation": "Go to Project Settings --> Security --> select each team/group --> review its members and remove any identity without a justified need.",
        "Tags": [
          "SDL",
          "TCP",
          "Manual",
          "AuthZ"
        ],
        "Enabled": true
      }
]
}