Additional security considerations when using Hyper Protect Secure Build servers

Learn about the security related responsibilities that you must observe when you use IBM Hyper Protect Secure Build servers.

Because the Hyper Protect Secure Build server runs as a Hyper Protect Virtual Server instance, you must also follow the recommendations in the Additional security responsibilities for IBM Hyper Protect Virtual Servers topic besides the following ones specific for Hyper Protect Secure Build.

  • Ensure that you update the environment regularly to the latest available images when they are made available.
  • Take the required actions on regular security notifications from IBM.
  • Ensure that only required ports are opened and the ports are secured (TLS enabled).
  • Ensure only trusted or known users are allowed access to the environment and virtual servers.
  • Ensure that secrets or credentials used should never be stored in Github.
  • Ensure that sensitive data in the source code repository should be safe-guarded and should not be accessed by non intended persons.
  • Ensure that you have network boundary protection in place.
  • Application managers credentials must be safely stored because they can be used to delete the Hyper Protect Secure Build server.
  • Application Builder needs to handle all involved credentials safely in his or her purview.
  • An auditor is responsible to review the associated signed manifest content and not approve the image created from the secure build to be released to a customer or be deployed.
  • Ensure that you establish a trusted channel to enable the auditor to get the public key from the Hyper Protect Secure Build server.