Control 8.4: Access to Source Code


Summary

Read and write access to source code, development tools, and software libraries should be appropriately managed. This protects the organization's intellectual property and prevents the unauthorized modification of software.


Applicability

In-Scope: Mandatory for organizations that develop their own software, scripts, or automated workflows. It is critical for maintaining the integrity of the software supply chain.

Out-of-Scope: The control can be excluded only if the organization performs no custom software development or scripting of any kind.


Implementation Guidance

Microsoft 365 / Entra ID

  • Repository Security: Secure source code repositories (e.g., Azure DevOps or GitHub) using Entra ID for authentication and enforcing Multi-Factor Authentication.

  • Branch Protection: Implement branch protection rules that require a peer review and successful automated builds before code can be merged into the main or production branch.

  • Service Principals: Use Entra ID Service Principals and Managed Identities for automated deployments (CI/CD) to avoid using human credentials in the development pipeline.


Evidence Checklist

  • Source Code Access Policy: Rules defining who can view, edit, and deploy code.

  • Repository Permission Logs: Current list of users and their access levels (Read/Write/Admin) for critical code repositories.

  • Commit History: Audit logs showing that all changes to the production code were reviewed and approved by an authorized second person.
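The Branch Protection guidance above and the Commit History evidence item both come down to one testable property: every merge into the production branch went through a pull request, was approved by someone other than its author, and had a passing build. The following script is an added example for this page, not code from the control text or from any vendor; it assumes a hypothetical export of merge records (SHA, author, approvers, build result, whether a pull request was used) such as one could assemble from repository audit logs, and flags the records that would fail the control.

```python
"""Four-eyes audit over a constructed export of merges to a protected branch.

Added example; the record layout and the sample data below are assumptions,
standing in for what a repository audit-log export would provide.
"""
from dataclasses import dataclass, field


@dataclass
class Merge:
    sha: str
    author: str
    approvers: list[str] = field(default_factory=list)
    build_passed: bool = False
    via_pull_request: bool = True


# Constructed sample records (hypothetical users and SHAs).
SAMPLE_MERGES = [
    Merge("a1", "alice", ["bob"], True),                     # compliant
    Merge("a2", "alice", ["alice"], True),                   # self-approval only
    Merge("a3", "carol", [], True),                          # merged with no review
    Merge("a4", "dave", ["erin"], False),                    # reviewed, but build failed
    Merge("a5", "frank", [], True, via_pull_request=False),  # direct push to the branch
    Merge("a6", "gina", ["alice", "gina"], True),            # self-approval, but an independent approver exists
]


def audit_merge(m: Merge) -> list[str]:
    """Return the control failures for one merge; an empty list means compliant."""
    findings = []
    if not m.via_pull_request:
        findings.append("direct push bypassed review")
    # Only approvals from someone other than the author count as a second pair of eyes.
    if not [a for a in m.approvers if a != m.author]:
        findings.append("no approval by a second person")
    if not m.build_passed:
        findings.append("merged without a successful build")
    return findings


def audit(merges: list[Merge]) -> dict[str, list[str]]:
    """Map each non-compliant merge SHA to its findings; compliant merges are omitted."""
    return {m.sha: f for m in merges if (f := audit_merge(m))}


if __name__ == "__main__":
    for sha, findings in audit(SAMPLE_MERGES).items():
        print(f"{sha}: {'; '.join(findings)}")
```

Run over a real export, an empty result is the evidence the checklist asks for; any non-empty entry is a merge the auditor will want explained.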


Practical Audit Advice

Here are some questions the auditor might ask:

  • How do you ensure that developers cannot bypass the peer review process when pushing code to production?

  • What is the process for removing a developer's access to all code repositories immediately upon their resignation?

  • Are developers prohibited from storing sensitive information (like API keys or passwords) within the source code itself?

  • Can you demonstrate how you monitor for unauthorized downloads or bulk cloning of the entire source code repository?