I know that the current “best practice” for Octopus Deploy in a PCI DSS environment is to have two separate servers; one in the PCI DSS environment and one in a more typical development environment. There’s also suggestions of having separate feeds in Octopus Deploy, but it all feels unnecessarily clunky and bothersome.
According to my understanding of PCI DSS, it doesn’t require a setup as described above. It requires network segmentation, management approval of implemented changes and that the one deploying the changes is not the same person who authored them.
Network segmentation is solved well enough, I believe, by having the networks physically disjointed and by Octopus Deploy’s “environment” support. There is a severe lack of ACL on a per-environment / per-project basis in Octopus Deploy that I believe needs to be addressed, but not for having a secure and verifiable PCI DSS deployment pipeline, I think.
On to the next point; management approval can be solved through authentication and signing. Here is where I think Octopus Deploy in its current state may be lacking features. It would be great if the act of either creating a release or at least promoting it to an environment, could require a manual step. This step should not only be required to be performed by a specific group in Octopus Deploy, but since the Octopus Deploy server itself is not within PCI DSS, the verification itself needs to be done with PKI towards the PCI DSS environment (SSH springs to mind, but there are many viable options). I’m thinking this could be done as a manual step with an input parameter, where the parameter would be an OTP and perhaps a public key.
The last point; proving the identity of the one who built the code: I believe this can be done through code signing. With Git, everything can be signed all the way up to the individual commits or at least the tag representing the commit being created as a release in Octopus Deploy and with NuGet, packages can be signed as well. If the package contains the signed code and the package itself is signed, we can verify the signatures and at least be sure that there’s two different signatures. If the signatures are coupled with PKI that is verified by the PCI DSS environment, we can be pretty sure the signatures belong to different people as well.
So, I’m basically wondering if the above description is something you agree could be approved according to PCI DSS, and more importantly; whether this is something that could be sketched up with Octopus Deploy? Is NuGet code signing supported, for instance? If not, can it be performed by a custom step in Octopus Deploy? How about creating a custom step asking the user for credentials and then verify those credentials against a network service before continuing the deploy?
Also, is it possible for Octopus Deploy tentacles to verify that the package they receive from Octopus adheres to a set of specified criteria, such as verified code signature, etc.?