Merative™ Security Testing and the Use of Third-Party Scanning Tools
Question & Answer
What security testing is performed prior to a Merative Social Program Management Release? Does Merative Social Program Management support the use of third-party scanning tools?
Merative has a multilayered approach for preventing, identifying, and addressing security vulnerabilities in our product portfolio. Our ongoing internal initiative promotes consistent adoption of security practices in the development of products, with the goal of continually improving the quality and security characteristics of all Merative products. An important guide in this initiative is the IBM Redguide Security in Development: The IBM Secure Engineering Framework, which describes approaches to secure engineering practices for software products.
Customers are free to perform their own security testing of licensed (on-premise) software, as long as they adhere to the terms of their License Agreements. Consequently, tools that reverse assemble, reverse compile, otherwise translate, or reverse engineer the Program (except as expressly permitted by law without the possibility of contractual waiver) are not supported. An example of a tool that performs these steps is Veracode.
Key security-related activities and practices in Merative's product development and support processes include:
- Implementing threat analysis processes during product design that provide development teams with up-to-date information about timely and pertinent security considerations.
- Developing vulnerability test plans for our products. Testing is an extremely important part of our development process, and we typically employ scanning technologies as part of it. Merative works to continually enhance our security scanning tools and our standardized testing policies and practices.
- Developing robust mitigation practices that track and address product defects with the goal of remediating critical and high vulnerabilities in Merative products during development.
- The Merative Product Security Incident Response Team (PSIRT) is a global team that manages the receipt, investigation, and internal coordination of security vulnerability information related to Merative offerings. Merative PSIRT is the focal point for security researchers, industry groups, government organizations, and vendors to report potential Merative product security vulnerabilities. This team coordinates with Merative product and solutions teams to investigate reports and, if needed, identify the appropriate response plan. Customers of Merative offerings should continue to report all product-related issues, including potential security vulnerabilities, to Merative Technical Support. Maintaining communication between all involved parties, both internal and external, is a key component of our vulnerability response process.
- To demonstrate leadership and promote transparency and accountability for its development practices, Merative is participating in the development of the Open Group Trusted Technology Forum (OTTF), a global supply chain integrity program and framework intended to provide buyers of IT products with a choice of accredited technology partners and vendors.
Because the security of computer systems and computer software is a very complex issue, Merative does not provide information about development practices for individual products beyond what is found in standard product documentation or published through our public activities.
In most cases, published vulnerabilities are documented at timely intervals through Merative Security Bulletins, which include the associated Common Vulnerability Scoring System (CVSS) base score. In some cases, Merative may contact customers directly and discreetly regarding specific vulnerabilities.
Thank you for your interest.