IBM Aspera’s Way to Secure Software Development Life Cycle

By Jonathan Yu, IBM Aspera Security Focal

Reviewed by Brian Din, IBM Aspera Release Lead

With fast file transfer and streaming solutions built on the award-winning IBM FASP protocol, IBM Aspera software moves data of any size across any distance. However, without security the data moving is meaningless.

In IBM Aspera, when talking about security, it is not a separate layer on top of the software application, but as an integrated built-in feature. This is achieved by IBM’s Secure Software Development Life Cycle – SPbD@IBM – which stands for Security and Privacy by Design. 

SPbD@IBM Process

SPbD@IBM is integrated with every step of the development life cycle. It is for all offerings, with additional security-focused operating procedures for cloud and SaaS offerings.

SPbD@IBM includes the IBM Secure Development Process and the IBM Secure Release Process. 

Part 1: SPbD@IBM Secure Development Process

The IBM Secure Development Process consists of the following steps:

1.     SPbD Assessment and Privacy Assessment

SPbD assessment is to review and define the security and privacy requirements.  This step is performed in the application requirement gathering and analysis stage.

2.     Threat Modeling

Threat modeling helps ensure the potential vulnerabilities, such as those in OWASP 10 or SANS 25, are identified and mitigated in the application development phase, while it is still "affordable" to address them. Threat Modelling should be completed and reviewed as a part of the application design activity.

3.     Code Scans

Code scans are performed along with code development.  The source code, including source code for open source packages, needs to be scanned for vulnerabilities.  The identified vulnerabilities need to be remediated before the application moves to the QA stage.

4.     Security Tests

Security tests are in the QA stage for testing against the common vulnerabilities.

5.     Penetration Test

Penetration test is conducted by independent penetration test organization in a production-like environment.

IBM Aspera offerings are penetration tested at least annually and when security or functional feature updates have impact on application security or privacy aspects.

6.     Vulnerability Management

The Product Security Incident Response Team (PSIRT) works to ensure the timely identification, reporting, analysis and resolution on security vulnerabilities in IBM Aspera offerings. 

Part 2: SPbD@IBM Secure Release Process

The IBM Secure Release Process is a two-step process that first the local Business Unit, Aspera, evaluates the Secure Release Readiness Criteria for the offering, followed by IBM Corporate Information Security Office’s review. The secure release readiness criteria include but not limited to the following:

1.     Security Architecture

Security architecture of the offering must be sound and complete. Threat Modeling must be in place.

2.     Security Testing

Required testing includes QA security testing, application scanning (code scanning), system vulnerability scanning, and additional penetration testing.

3.     Encryption and Data Protection

All IBM and customer content must be encrypted - both at rest and in transit.  All credentials must be securely protected.

4.     Network

The approach for network security of the offering must be clearly defined and documented.

5.     Security Operations

Security operations plans must be in place and fully staffed. 

6.     Business Continuity / Disaster Recovery

IT Business Continuity plans must be considered to support the timely and secure recovery of the service should a disaster event occur.  Recovery plans must be fully documented and tested on the annual basis. 

7.     Suppliers

All suppliers (internal and external) used in the development, operations and support of the offering must be reviewed to ensure they meet IBM security standards. 

8.     PSIRT (Product Security Incident Response Team)

Offerings must be registered with PSIRT so that vulnerabilities in the product/offering can be managed and tracked as committed to IBM's clients

9.     Compliance

Industry and government required compliance must be in place.