IBM Security and Privacy by Design

SPbD@IBM

SPbD@IBM is designed as a streamlined and agile set of focused security and privacy practices, intended to reflect our commitment to improving security and privacy in the design of IBM’s generally available products and services. SPbD@IBM is influenced by the United States National Institute of Standards and Technology (NIST) Secure Software Development Framework (SSDF).

SPbD@IBM Process

There are three steps in our SPbD@IBM process:

1. Threat Assessments

IBM performs both cyber and privacy threat assessments. We leverage standard industry threat-modeling and privacy impact assessment concepts to help ensure that data minimization and adequate data protections are in place from the beginning.

2. Security Testing

System, code, and application security testing are performed in addition to penetration testing and manual ethical hacking. The testing supports agile practices and continuous deployment by being integrated into and automated within DevOps pipelines.

3. Release Review

Final individual team and corporate-level product reviews of generally available (GA) products are conducted prior to GA, to help ensure that key foundational security requirements have been or will be addressed to IBM’s satisfaction.