PCF Security and Compliance Guide
Warning: Pivotal Cloud Foundry (PCF) v2.5 is no longer supported because it has reached the End of General Support (EOGS) phase as defined by the Support Lifecycle Policy. To stay up to date with the latest software and security updates, upgrade to a supported version.
This guide explains how Pivotal Cloud Foundry (PCF) manages network access, roles and permissions, internal communications, container hardening, and other security issues. It is intended to give security professionals a complete view of PCF security, and to help all PCF users, not just security experts, keep the platform secure.
Pivotal publishes security updates regularly in response to privately and publicly reported Common Vulnerabilities and Exposures (CVEs).
See the latest CVEs on the Pivotal Application Security Team page.
To learn about Pivotal’s vulnerability reporting and responsible disclosure process, read PCF Security Overview and Policy.
To learn about the testing, release and security lifecycle of PCF, see PCF Testing, Release, and Security Lifecycle.
Security Concepts: Provides links to conceptual documentation about how security is implemented in PCF.
PCF Infrastructure Security: Provides guidance and procedures for securing PCF infrastructure such as hardening stemcells and managing the certificates that enable TLS communication.
Network Security: Covers the security aspects of PCF networking such as the paths, ports, and protocols that components use to communicate.
Credential and Identity Management: Describes how PCF manages permissions and trust for PCF user accounts. Also provides documentation about CredHub, the credential management system that BOSH uses to store deployment credentials and that PCF runtimes use to create and manage app and service credentials.
Security for Apps and Services: Collects documentation about the security mechanisms that surround apps and services running on PCF.
Certificates on PCF: Explains how certificates are used in PCF to secure both internal and external network calls.
Security Processes and Stemcells: Explains how Pivotal responds to security vulnerabilities, and how it tests and updates the versioned operating systems that its products run on.