IBM Containerized Software Security Summary

The Security Summary is a PDF file that explains the security posture of an IBM Containerized product. The summary indicates compliance with several IBM Certification security metrics. The security metrics that are included are based on IBM standards, guidelines, and best practices for delivering secure, enterprise grade software for Red Hat® OpenShift® Container Platform.

Why does IBM provide these summaries?

The Security Summary provides IBM customers with a simple way to understand the product's software posture before deployment. The summary helps IBM make the security posture of its products apparent, known, and easily understandable.

Who is the intended audience?

The summary is intended for OpenShift Container Platform system and application administrators, and security professionals who deploy, plan to deploy, evaluate, or secure container workloads on OpenShift Container Platform. These metrics can be used to apply the appropriate controls and configurations to the OpenShift Container Platform cluster and topology to protect workloads and provide secure access.

How does IBM determine the compliance?

All IBM containerized software goes through a process that is called IBM Certification before publishing. An overview of the process is described in this IBM Developer blog post. IBM assesses over 100 metrics through this certification process to measure and ensure compliance with a rigorous set of standards and best practices. One of the attributes of IBM Certification is the IBM Security and Privacy by Design (SPbD) program. For more information about SPbD, see IBM Security and Privacy by Design.

This summary takes a few critical security metrics from the certification process and externalizes it. Through that process some of the metrics are automated in the continuous integration and delivery pipeline while others are verified with documentation. The attributes with "automated" in their name are validated by an IBM internal linter tool.

Where is the summary?

The summary is included as part of the product's Container Application Software for Enterprises (CASE). A CASE is a well-defined file structure that provides packaging and metadata about the software, including its certification state and provenance.

To view the Security Summary, follow these steps:

  1. Browse to IBM Cloud-pak GitHub Case repo.
  2. Browse to the desired product and version (ibm-example/v1.0).
  3. Download the tgz file.
  4. Extract the tgz file. For example,
     tar –xzvf <\download-location>/ibm-example-1.0.tgz
  5. Change the working directory to the certificates/security folder. For example,
     cd ibm-example/certifications/security
  6. View the summary with your PDF viewer.