SC.06 — Malware Protection
System: AI Connectors Platform
Last updated: 2026-04-29
This document describes how the AI Connectors platform fulfils the SC.06 control category.
Control Attestation Table
| Control | Description | Status | Evidence |
|---|---|---|---|
| SC.06.05 | Implement malware protection where relevant and possible (application whitelisting) | Compliant | Container-based deployment with immutable infrastructure; dependency pinning and vulnerability scanning via Snyk; minimal base images. See sections below and vulnerability-patch-management.md, security-baseline.md |
Security Controls Reference
CTRL0537534 — SC.06.05: Implement malware protection where relevant and possible
Control Text: If relevant and possible, implement application whitelisting.
Applicability: The IT System is not on CORP or PSNet.
Additional Description
For servers outside CORP and PSNet, it is recommended to apply application whitelisting tools based on a risk assessment, using the technology suggested by the relevant IT service provider. Application whitelisting is implemented on the server(s) of the IT solution, and an application-specific policy is established to outline which software elements may be executed on the host.
For information on the current application whitelisting solution in Novo Nordisk, see the entry on the Service Catalogue.
Detailed Description
The AI Connectors platform fulfils SC.06.05 through immutable infrastructure and container-based security controls rather than traditional host-based application whitelisting. All MCP server containers run on AWS ECS Fargate with immutable images built from minimal base images, dependencies pinned in uv.lock, and no package managers or build tools in the runtime stage. Snyk scans every build for vulnerabilities in container images, application code, dependencies, and infrastructure configuration before deployment. Unauthorized executables cannot be installed at runtime because the container root filesystem is read-only and containers are ephemeral (destroyed and recreated on each deployment); defense-in-depth controls add network segmentation, least-privilege IAM roles, and continuous vulnerability monitoring.
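As an illustration of the build pattern described above, the following multi-stage Dockerfile is an added example and not the platform's own build file. It assumes a Python MCP server whose dependencies are locked in uv.lock and started by a hypothetical `mcp_server` module; the image names, paths and user id are assumptions. The builder stage has uv and resolves the lockfile with `--frozen` (so a drifted lock fails the build); the runtime stage receives only the resolved virtual environment, drops pip and apt tooling, and runs as a non-root user.

```dockerfile
# syntax=docker/dockerfile:1
# --- Build stage: the only stage that contains a package manager ---------
# uv is needed here to resolve uv.lock; it never reaches the runtime image.
FROM ghcr.io/astral-sh/uv:python3.12-bookworm-slim AS builder

WORKDIR /app
# Compile bytecode at build time; copy (not hardlink) into the venv so the
# venv is self-contained and can be moved to the runtime stage.
ENV UV_COMPILE_BYTECODE=1 UV_LINK_MODE=copy

# Install third-party dependencies first so this layer is cached until the
# lockfile changes. --frozen refuses to update uv.lock; --no-dev excludes
# test/lint tooling from the runtime environment.
COPY pyproject.toml uv.lock ./
RUN uv sync --frozen --no-dev --no-install-project --no-editable

# Now add the application source and install the project itself.
COPY src/ ./src/
RUN uv sync --frozen --no-dev --no-editable

# --- Runtime stage: minimal base, no build tools, no package managers ----
FROM python:3.12-slim-bookworm AS runtime

# Remove pip and apt front-ends so nothing inside the container can fetch
# or install packages at runtime (assumed hardening step; adjust to taste).
RUN python -m pip uninstall -y pip \
    && rm -rf /usr/bin/apt /usr/bin/apt-get /usr/bin/apt-cache \
              /var/lib/apt/lists/*

# Dedicated unprivileged user; uid chosen arbitrarily for the example.
RUN groupadd --gid 10001 app && useradd --uid 10001 --gid app \
    --no-create-home --shell /usr/sbin/nologin app

WORKDIR /app
# Only the resolved virtual environment is copied from the builder.
COPY --from=builder --chown=app:app /app/.venv /app/.venv
ENV PATH="/app/.venv/bin:$PATH" \
    PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1

USER app
EXPOSE 8080
# Hypothetical entry point for the MCP server module.
ENTRYPOINT ["python", "-m", "mcp_server"]
```

The read-only root filesystem is not a Dockerfile property; it is enforced in the ECS task definition by setting `readonlyRootFilesystem` to `true` on the container definition. Any path the process must write (a temp directory, for example) then needs an explicitly declared volume mount, which makes the writable surface of each container visible in version-controlled infrastructure configuration and is the practical equivalent of the execution policy the control text asks for. Scanning the built image before it is pushed (for example with `snyk container test <image>`) is the point at which a dependency or base-image finding blocks the deployment.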
Implementation Considerations
- security-baseline.md §1–2 — container hardening and immutable infrastructure
- vulnerability-patch-management.md §2 — Snyk scanning process and patching SLAs