One of the PCI DSS rules is:
"The PCI DSS applies to all system components included in or connected to the cardholder data environment"
How would you go about handling an SCM/release automation server? There has to be a port open from some server in the dev network segment making its way to some server in the prod network segment.
Developers produce code, followed by the build manager producing release artifacts. Release artifacts must make their way to production. How do release artifacts make their way from dev to production – how do they make their way from the "not in scope" dev box to the "in scope" production box?
I've done a lot of research on this, and what we ended up doing is splitting up our SCM server into dvscm and pdscm.
dvscm:
pdscm:
This way there's a level of separation between DEV and QA/PROD. pdscm is locked down - developers don't have access to it, all firewall rules are DENY by default.
The only outgoing connection from pdscm is port 22 to dvscm, for the sync. The only incoming connections to pdscm are on port 22, connected to a user that has only permissions to read deployment artifacts, using a custom restricted shell.
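An added example, not code from the answer above: a minimal custom restricted shell of the kind the answer describes, for the artifact-reader account on pdscm, installed as that account's sshd ForceCommand (the path, user name and artifact directory are hypothetical). It accepts only `list` and `get <name>` against the artifact directory and refuses every other request, including any name containing a path separator.

```shell
#!/bin/sh
# Restricted shell for the artifact-reader account on pdscm (hypothetical example).
# Deployed via sshd_config:
#   Match User artifact-reader
#       ForceCommand /usr/local/bin/artifact-shell
#       AllowTcpForwarding no
#       X11Forwarding no
# sshd places the client's requested command in $SSH_ORIGINAL_COMMAND; with no
# command (interactive login) the script simply ends and the session closes.
ARTIFACT_DIR="${ARTIFACT_DIR:-/srv/artifacts}"   # hypothetical location

# Accept only a single plain file name: no slashes, no leading dot, no spaces,
# nothing outside [A-Za-z0-9._-]. This is what stops "../" style requests.
valid_artifact_name() {
    case "$1" in
        ''|*/*|.*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Dispatch one request string. Exactly two verbs are permitted: "list" and
# "get <name>". Anything else, including shell metacharacters, is refused.
artifact_shell() {
    req=$1
    verb=${req%% *}
    arg=${req#* }
    [ "$arg" = "$req" ] && arg=""
    case "$verb" in
        list)
            [ -z "$arg" ] || { echo "usage: list" >&2; return 2; }
            ls -1 -- "$ARTIFACT_DIR"
            ;;
        get)
            valid_artifact_name "$arg" || { echo "refused: bad artifact name" >&2; return 3; }
            [ -f "$ARTIFACT_DIR/$arg" ] || { echo "refused: no such artifact" >&2; return 4; }
            cat -- "$ARTIFACT_DIR/$arg"
            ;;
        *)
            echo "refused: command not permitted" >&2
            return 1
            ;;
    esac
}

# Entry point when sshd runs this script as the ForceCommand.
if [ -n "$SSH_ORIGINAL_COMMAND" ]; then
    artifact_shell "$SSH_ORIGINAL_COMMAND"
    exit $?
fi
```

Pair this with the account's read-only filesystem permissions on the artifact directory, since the restricted shell limits what can be requested but the filesystem is what enforces that nothing else is readable.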