OnDemand Users Group

Support Forums => CMOD for Multiplatforms => Topic started by: teera_aoo on September 19, 2024, 04:08:06 AM

Title: IBM CMOD Security Compliance
Post by: teera_aoo on September 19, 2024, 04:08:06 AM
Does the IBM CMOD product have any document or certificate showing that the product passed a security scan?
(e.g. passed OWASP Top 10, secure coding, penetration test, or VA scan)

In the case of software packages, banking customers need this documentation/certification to approve go-live.
(In the case of app development, they need to have source code scan, VA scan, and penetration test processes.)

Title: Re: IBM CMOD Security Compliance
Post by: mayank81089 on September 25, 2024, 08:52:10 AM
Hi,

As far as I can look back into my memory, I have not come across any such documentation for CMOD, but what I can recommend is a strategy on how to go about it.

Probably you can ask your security/VA scan or pen test team to run all the legitimate use cases they may have identified for an application pen test or VA scan against your pre-prod, fully functional CMOD system. If there are any failures in the report, those can be addressed by the CMOD team, and once that VA/pen test report is all green, you can produce that report/document to the banking customer as the passed security scan document, which can then be signed off for go-live.

In my view, vulnerabilities are very dynamic in nature. You can only fix those which are already identified; the ones which are yet to be identified :) can only be fixed once they are known and you have the fix for them.

Hope this helps.


Thanks,
Mayank