SI-2 (2) - Automated Flaw Remediation Status
Control requirements
- SI-2 (2) - 0
- The organization employs automated mechanisms [IBM Assignment: at least monthly] to determine the state of information system components with regard to flaw remediation.
Implementation guidance
See the resources that follow to learn more about how to implement this control.
IBM Cloud for Financial Services profile
The rules related to this control that follow are part of the IBM Cloud for Financial Services v1.2.0 profile in IBM Cloud® Security and Compliance Center.
- Check whether DevSecOps Toolchain scans build artifacts to identify vulnerabilities
- Check whether DevSecOps Toolchain verifies source code branch protection rules to enforce security policies
- Check whether Container Registry Vulnerability Advisor scans for critical or high vulnerabilities in the system at least every # day(s)
- Check whether OpenShift worker nodes are updated to the latest image to ensure patching of vulnerabilities
- Check whether DevSecOps Toolchain validates code against Center for Internet Security (CIS) Docker benchmarks to ensure container runtimes are configured securely
- Check whether DevSecOps Toolchain passes dynamic code scan to identify vulnerabilities in deployed artifacts
- Check whether DevSecOps Toolchain scans source code and their dependencies to identify vulnerabilities
- Check whether DevSecOps Toolchain source code contains no secrets
- Check whether DevSecOps Toolchain passes static code scan to identify vulnerabilities in source code
- Check whether DevSecOps Toolchain collects software bills of materials (SBOM) to provide transparency in build artifacts
- Check whether DevSecOps Toolchain passes unit tests to validate all code changes
- Check whether OpenShift version is up-to-date
- Check whether DevSecOps Toolchain passes acceptance tests to validate every deployment
- Check whether DevSecOps Toolchain signs build artifacts to attest their provenance
- Check whether DevSecOps Toolchain deployment has approved change documentation including security impact analysis