# R2Devops
| Characteristic | |
| ------------- | -------------------------------------------------- |
| Platform | [[GitLab]] |
| Maintainer | R2Devops |
| License | Freemium[^1] |
| Homepage | [r2devops.io](https://r2devops.io/) |
| Documentation | [docs.r2devops.io](https://docs.r2devops.io/docs/) |
## Cyber threat management capabilities
Questions every organization using a [[Software Forge]] should ask about its [[CICD - Continuous Integration Continuous Deployment|CICD]] (derived from the [[NIS2]] and [[NIST CSF 2.0]] requirements about [[CICD - Continuous Integration Continuous Deployment|CICD]] and [[SDLC - Software Development Life Cycle|SDLC]]):
- Are we able to know which **docker image**, **version** and **sources** are in use, and when each was **introduced**, **updated** and **removed**?
- Are we able to know how many projects are using **[[Job#Templates|templated jobs]]** and **[[Job#Versionning|versioned jobs]]**, how many [[CI - Continuous Integration|CI]] configurations rely on **[[Job#Hardcoded|hardcoded jobs]]**, how many projects don't have any **[[CI - Continuous Integration|CI]] configuration** at all, and how those **trends** evolve over time?
- Are we able to make sure that [[gitlab]] project **configuration doesn't drift** from established **policies**, and can we **track the evolution** of this drift?
- How much **time** and **effort** would this cost today?
- Are we able to **prove** that we perform this audit on a **regular basis**?
### NIST CSF 2.0 implementation
R2Devops helps implement [[NIST CSF 2.0]] and covers the following areas:
- [[1 GV.OC - Organizational Context|GV.OC]] - 05
- [[6 GV.SC - Cybersecurity Supply Chain Risk Management|GV.SC]] - 08
- [[1 ID.AM - Asset Management|ID.AM]] - 02, 05, 07, 08
- [[2 ID.RA - Risk Assessment|ID.RA]] - 01, 03, 04, 05, 07, 09
- [[3 ID.IM - Improvement|ID.IM]] - 01
- [[4 PR.PS - Platform Security|PR.PS]] - 01, 02, 04, 05, 06
- [[1 DE.CM - Continuous Monitoring|DE.CM]] - 03, 09
- [[2 DE.AE - Adverse Event Analysis|DE.AE]] - 02, 03, 04, 06
- [[2 RS.AN - Incident Analysis|RS.AN]] - 03, 06, 07, 08
- [[4 RS.MI - Incident Mitigation|RS.MI]] - 01, 02
- [[1 RC.RP - Incident Recovery Plan Execution|RC.RP]] - 02, 04, 05, 06
There are three main points to R2:
- **Compliance control**: R2 provides comprehensive oversight of SDLC compliance policies, rather than focusing on isolated aspects. It automatically checks and demonstrates the presence and usage of security and compliance tools, such as Snyk, Sonar and others, across all projects.
- **Observability Dashboard**: it gives global visibility on project compliance and progress, and allows compliance to be demonstrated to auditors with transparency and accountability. Without R2, audits of all [[Pipeline|pipelines]] would be done manually and the results put in an Excel sheet; this takes a lot of time (~1 day/project/audit), is expensive, and the results are instantly outdated (as [[pipeline]] configurations keep evolving).
- **Incident Detection**: [[Pipeline|Pipelines]] can access the code and all deployment tokens; if a pipeline is compromised, everything is compromised. Without R2Devops, it is not possible to control the content and dependencies of [[CICD - Continuous Integration Continuous Deployment|CI/CD]] [[Pipeline|pipelines]], which is a huge security flaw.
## Features
Coverage capabilities for [[CICD - Continuous Integration Continuous Deployment|CI/CD]] [[pipeline]] validation, providing a framework for detecting and mitigating issues related to container usage, [[pipeline]] composition, secrets management, project protection, and [[variable]] security:
- Automated controls, logging and alerts about:
  - [[CICD - Continuous Integration Continuous Deployment|CICD]] containers:
    - use of specific docker image (tags)
    - unknown image source
  - [[Pipeline]] composition:
    - Hardcoded [[job]]
    - Missing required template/[[CICD - Continuous Integration Continuous Deployment|CICD]] [[GitLab Component|component]]
    - [[Pipeline]] composition requirement defined on the project (the project needs to be audited to define requirements)
    - [[override]] of global [[variable]]
    - [[override]] of [[job]]
    - [[override]] of required template/[[CICD - Continuous Integration Continuous Deployment|CICD]] [[GitLab Component|component]]
    - forbidden template/[[GitLab Component|component]] [[reference]]
    - Outdated template/[[CICD - Continuous Integration Continuous Deployment|CICD]] [[GitLab Component|component]]
  - [[Pipeline]] secrets:
    - secrets in pipeline configuration
  - Project Protection:
    - branch protection
    - branch merge rights
    - branch push rights
    - branch force-push rights
    - approval on protected branch
    - approval rules
  - Project [[Variable|variables]]:
    - protected and masked [[Variable|variables]]
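As an added illustration of the container, composition and secrets checks listed above (example code, not R2Devops' own), a minimal Python audit of one project's `.gitlab-ci.yml` already loaded into a dict (e.g. with PyYAML's `safe_load`). The sample config, the required component list, the allowed registries and the set of job names supplied by the required templates are constructed assumptions.

```python
import re

# Top-level keys of .gitlab-ci.yml that are not jobs.
RESERVED = {"include", "variables", "stages", "default", "workflow", "image",
            "services", "cache", "before_script", "after_script"}
SECRET_KEY = re.compile(r"TOKEN|PASSWORD|SECRET|KEY", re.I)

def audit(cfg, required_includes, allowed_registries, template_jobs):
    """Return a sorted list of (rule, subject) findings for one project config."""
    findings = []
    includes = {i if isinstance(i, str) else i.get("component") or i.get("project") or i.get("local")
                for i in cfg.get("include", [])}
    findings += [("missing-required-template", r) for r in required_includes if r not in includes]
    for name, value in cfg.get("variables", {}).items():
        # A literal under a secret-looking key; a "$REF" to a masked CI variable is acceptable.
        if SECRET_KEY.search(name) and not str(value).startswith("$"):
            findings.append(("secret-in-config", name))
    for name, job in cfg.items():
        if name in RESERVED or name.startswith(".") or not isinstance(job, dict):
            continue
        if name in template_jobs:                       # redefines a job a template provides
            findings.append(("job-override", name))
        elif "script" in job and "extends" not in job:  # job written by hand in the project
            findings.append(("hardcoded-job", name))
        image = job.get("image", cfg.get("image"))
        if image:
            ref = image["name"] if isinstance(image, dict) else image
            first, last = ref.split("/")[0], ref.rsplit("/", 1)[-1]
            registry = first if ("." in first or ":" in first or first == "localhost") else "docker.io"
            tag = "digest" if "@" in last else (last.split(":", 1)[1] if ":" in last else "latest")
            if registry not in allowed_registries:
                findings.append(("unknown-image-source", f"{name}: {ref}"))
            if tag == "latest":                         # mutable tag: contents can change silently
                findings.append(("mutable-image-tag", f"{name}: {ref}"))
        for var in job.get("variables", {}):
            if var in cfg.get("variables", {}):
                findings.append(("global-variable-override", f"{name}: {var}"))
    return sorted(findings)

SAMPLE_CONFIG = {  # constructed sample, shaped like yaml.safe_load(".gitlab-ci.yml") output
    "include": [{"component": "gitlab.example.com/ci/templates/sast@1.2.0"}],
    "variables": {"DEPLOY_TOKEN": "not-a-real-token-placeholder", "IMAGE_TAG": "$CI_COMMIT_SHA"},
    "stages": ["test", "deploy"],
    "unit-tests": {"stage": "test", "image": "python:3.12-slim", "script": ["pytest"]},
    "sast": {"variables": {"SAST_EXCLUDED_PATHS": "docs"}},
    "deploy": {"stage": "deploy", "image": "registry.internal.example/deploy",
               "script": ["./deploy.sh"], "variables": {"IMAGE_TAG": "latest"}},
}
REQUIRED = ["gitlab.example.com/ci/templates/sast@1.2.0",
            "gitlab.example.com/ci/templates/secret-detection@1.0.0"]

def audit_sample():
    return audit(SAMPLE_CONFIG, REQUIRED, {"registry.internal.example"}, {"sast"})
```

Running `audit_sample()` yields eight findings, one for each rule exercised by the sample: the missing `secret-detection` component, the literal `DEPLOY_TOKEN`, two hardcoded jobs, the `sast` override, the global `IMAGE_TAG` override, the Docker Hub image and the untagged `deploy` image.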
---
Bibliography:
- [R2Devops - r2devops.io](https://r2devops.io/)
- [R2Devops Documentation - docs.r2devops.io](https://docs.r2devops.io/docs/)
[^1]: [Pricing - r2devops.io](https://r2devops.io/pricing)