Recommendations and Information for Requirement 6
- Ensure that the latest iWay Software service packs and hotfixes are applied. Refer to http://techsupport.ibi.com for the latest service packs and patches.
- Third-party drivers and software used by iWay applications should be updated as recommended by those vendors.
Recommendations and Information for Requirement 6.1 and 6.2
- iWay constantly monitors industry-based standards and possible security vulnerabilities that may affect iWay Service
Manager. If any vulnerability is identified within an iWay Integration Product or within a third-party component utilized
by the iWay product line, the vulnerability is resolved and a patch or a set of instructions is provided to the users and
is made available on http://techsupport.ibi.com.
Recommendations and Information for Requirement 6.3
- Adhere to internal Software Development Life Cycle (SDLC) recommendations for application development to ensure that any
customizations do not introduce new vulnerabilities.
- Remove any test servers, scripts, data, or access accounts created during development, prior to a production rollout.
Recommendations and Information for Requirement 6.4
- Install separate iWay Service Manager instances for Development, Test, Production, and any other environment required for
the application roll out.
- Ensure that all development is done on the development environment. The application should be designed with the black-box approach in mind. For this reason, the iWay components within an application should be configured to utilize dynamic configuration
driven from external configuration files (which would be different between environments), deployment templates (which would
be different between environments), or other external facilities. Applications should not change as they are propagated across
the environments. The deployment template or external configuration file should be the only differentiator between the environments,
and it should also be maintained in a secure fashion with secure access.
- Utilize Source Management Systems for change control and collaborative teamwork. Ensure that only specific users have the
authority to access and modify critical application components.
- Establish user accounts with access to deployment into the
production environment.
- Applications can be rolled back to a given
version, based on the utilization of the Source Management System
for the application development life cycle.
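
The following added example (not part of the iWay documentation or product code) shows one way to check the promotion rule above: application files must be byte-identical between two environments, only the declared external configuration may differ, and that configuration must not be accessible to group or other users. The directory layout and the file names `app/flow.xml` and `env.properties` are constructed for illustration, and POSIX file permissions are assumed.

```python
import hashlib
import os
import stat
from pathlib import Path


def tree_digests(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def promotion_drift(src_root, dst_root, external_config):
    """Files added, removed, or modified between two environments that are
    NOT declared as external configuration. An empty list means clean."""
    src, dst = tree_digests(src_root), tree_digests(dst_root)
    drift = []
    for rel in sorted(set(src) | set(dst)):
        if rel in external_config:
            continue  # expected to differ per environment
        if src.get(rel) != dst.get(rel):
            drift.append(rel)
    return drift


def loosely_protected(root, external_config):
    """External config files that group or other users can read or write."""
    loose = []
    for rel in sorted(external_config):
        path = Path(root) / rel
        if path.is_file() and stat.S_IMODE(path.stat().st_mode) & 0o077:
            loose.append(rel)
    return loose


def build_sample(root, env, flow=b"route: inbound -> transform -> outbound\n"):
    """Constructed sample: one application file plus one per-environment config."""
    root = Path(root)
    (root / "app").mkdir(parents=True)
    (root / "app" / "flow.xml").write_bytes(flow)          # hypothetical app file
    cfg = root / "env.properties"                          # hypothetical config file
    cfg.write_text(f"backend.host={env}.example.internal\n")
    os.chmod(cfg, 0o600)                                   # owner-only access
    return root
```

A non-empty result from `promotion_drift` means the application itself changed during promotion, and a non-empty result from `loosely_protected` means the environment-specific configuration is more widely accessible than owner-only.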
Recommendations and Information for Requirement 6.5
- iWay Service Manager provides an array of security features and best practices for developing a secure and robust application.
It provides out-of-the-box protection against Denial of Service (DoS) attacks and unsecure access, along with session management, IP-based
access restrictions, and other secure facilities, which are discussed in this manual.
- Application developers are advised to use proper error handling techniques in their applications, which must not expose
any sensitive data in clear text or provide any sensitive information in the log files.
- iWay Service Manager itself does not log any sensitive data, such as credentials, in the log files or for any debug purposes,
ensuring there is no unintended access to that information.
- Information Builders adheres to established Software Development Life Cycle standards when developing the iWay Integration
Products.