Development processes and software integrity
Development processes and ensuring system and software integrity are key parts of the IBM Cloud Framework for Financial Services. You must manage changes to the information system by using a defined system development life cycle (SDLC) that incorporates information security considerations.
You should ensure that security engineering principles are applied in the design, development, implementation, and modification of the system. During the ongoing development, implementation, operations, maintenance, and continuous monitoring of the overarching information system lifecycle, you must develop, implement, operate, and maintain the system in accordance with the security processes and technical requirements that are detailed in the IBM Cloud Framework for Financial Services and the accompanying operational plans and policies.
You must ensure that developers:
- Perform configuration management during system/component/service development, implementation, and operation.
- Document change approvals and security impact analyses for all system changes.
- Perform unit, integration, system, regression testing/evaluation.
- Perform static and dynamic code analysis.
- Use development testing processes that provide coverage for the entire component and explicitly reviews, evaluates, and tests all security functions.
- Control consumer data so that it is never placed into nonproduction environments. Consumer data must not be consumed or used for the purposes of testing services.
- Enable integrity verification of software components to detect unauthorized changes to system software, firmware, and information:
- All applicable software components must be cryptographically signed by the manufacturer or developer to ensure you can perform integrity checks and verify that the component that is deployed in the system is the same component that the manufacturer or developer evaluated and certified.
- Deploy only signed and approved builds within the environment.
- Ensure only the approved, tested changes/code gets promoted to production and no vulnerabilities are introduced.
- Document and evidence the execution of the system/service and security testing/scanning along with the results.
- Track security flaws and flaw resolution within the system and report findings to designated personnel.
Red Hat OpenShift on IBM Cloud
When using Red Hat OpenShift on IBM Cloud to host workloads, you must use Container Registry and the Vulnerability Advisor component it contains. Red Hat OpenShift on IBM Cloud provides a multi-tenant, highly available, scalable, and encrypted private image registry that is hosted and managed by IBM®. You can use Container Registry by setting up your own image namespace and pushing container images to your namespace. By using Container Registry, only users with access to your IBM Cloud account can access your images.
When you push images to Container Registry, you benefit from the built-in Vulnerability Advisor features that scan for potential security issues and vulnerabilities. Vulnerability Advisor checks for vulnerable packages in specific Docker base images, and known vulnerabilities in app configuration settings. When vulnerabilities are found, information about the vulnerability is provided. You can use this information to resolve security issues so that containers are not deployed from vulnerable images.
Any issues that are found by Vulnerability Advisor result in a verdict that indicates that it is not advisable to deploy this image. If you choose to deploy the image, any containers that are deployed from the image include known issues that might be used to attack or otherwise compromise the container. The verdict is adjusted based on any exemptions that you specified. This verdict can be used by Portieris to prevent the deployment of nonsecure images in Container Registry. Portieris is a Kubernetes admission controller for the enforcement of image security policies. You can create image security policies for each Kubernetes namespace, or at the cluster level, and enforce different rules for different images.
Fixing the security and configuration issues that are reported by Vulnerability Advisor can help you to secure your IBM Cloud infrastructure.
See the following for more information on Container Registry and how to set it up:
Virtual server instances
There is not a Financial Services Validated solution for scanning virtual server images. You need to install your own software solution.
Related controls in IBM Cloud Framework for Financial Services
The following IBM Cloud Framework for Financial Services controls are most related to this guidance. However, in addition to following the guidance here, do your own due diligence to ensure you meet the requirements.
| Family | Control |
|---|---|
| System and Information Integrity (SI) | SI-7 Software & Information Integrity |
| System and Services Acquisition (SA) | SA-3 System Development Life Cycle SA-8 Security Engineering Principles SA-10 Developer Configuration Management SA-10 (1) Developer Configuration Management | Software and Firmware Integrity Verification SA-11 Developer Security Testing and Evaluation SA-15 Development Process, Standards, and Tools SA-15 (9) Development Process, Standards, and Tools | Use of Live Data |
| Risk Assessment (RA) | RA-5 Vulnerability Scanning |