In general, PCF satisfies all technical requirements implied by this control. PCF supports the use of third-party scanners, either using remote access scanning, or using local installation of third-party agents on the BOSH stemcells. Pivotal has defined an appropriate configuration benchmark to assist organizations assessing the security posture of a PCF deployment. The deployer is responsible for performing scans for both configuration and vulnerabilities. Customers performing configuration scans against a PCF deployment should adjust their scanning benchmark to perform a cloud-native assessment, as opposed to employing a scanning benchmark intended for standalone Linux server deployments. Customers requiring assistance with scanning a deployment may contact Pivotal Security Team at firstname.lastname@example.org.
Security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans. Organizations determine the required vulnerability scanning for all information system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms. Organizations consider using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to determine/test for the presence of vulnerabilities. Suggested sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In addition, security control assessments such as red team exercises provide other sources of potential vulnerabilities for which to scan. Organizations also consider using tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).