June 29, 2021 By Ajay Joshi 3 min read

Today, we are excited to announce the availability of IBM’s reference implementation of DevSecOps, providing a complete SDLC automated with IBM Cloud Continuous Delivery and other IBM Cloud services.

Does a lack of deep security expertise across your application dev teams cause rework and additional costs to maintain your security posture? Does compliance audit preparation demand a lot of manual effort from your dev teams? Does every dev team within your organization maintain its own custom DevOps investment and solve difficult reliability and compliance issues in a silo? Are you worried about your ever-changing security landscape?

If so, IBM Cloud has a solution for you.

DevSecOps with IBM Cloud Continuous Delivery

Through years of deep security experience in creating a secure cloud, IBM has found its own answers to the above problems via standardized, integrated and automated DevSecOps best practices. Aligned with the requirements of the Financial Services industry, IBM Cloud Continuous Delivery provides a reference implementation of NIST Configuration Management controls as a service that you can configure in a few clicks by using toolchain templates. The workflow will build, scan, test and deploy your cloud-native applications while ensuring security and compliance goals are met and evidence is retained for any future audits. The workflow can be customized to leverage other enterprise tools or implement custom policies.

The reference implementation is built on the Continuous Delivery service, which provides Git Repos and Issue Tracking, Tekton Pipelines, DevOps Insights, Code Risk Analyzer and the Eclipse Orion Web IDE in the Cloud. The Continuous Delivery service is compliant with SOC and other standards, and it is currently available in eight highly available multi-zone regions (Dallas, Frankfurt, London, Osaka, Sydney, Tokyo, Toronto and Washington DC).

The reference implementation also takes advantage of other IBM Cloud services, such as IBM Cloud Secrets Manager, IBM Key Protect for IBM Cloud, IBM Cloud Object Storage and IBM Cloud Container Registry. Users can customize the toolchain to use external tools that enterprises have standardized upon, such as Git providers and artifact stores. DevSecOps supports hybrid deployments — in particular, by using private pipeline workers — and can be interfaced with other deployment tools like Satellite Config and ArgoCD.

When a single opinionated and compliant reference pipeline can be used for all components across an organization, developers are free to spend less time developing automation solutions and can focus on feature development. The organization and security officers can be confident that the necessary controls are in place to ensure secure, compliant software and provide evidence that can be used in an audit.

The reference implementation of DevSecOps provides a standard format for evidence and processes in evidence collection and durable storage. It also includes a change management process that allows for automated approvals for deployments and a mechanism for manual overrides for exceptional situations.

Key highlights of the reference implementation of DevSecOps from IBM Cloud Continuous Delivery

Security and compliance checks

A common issue across dev organizations is a lack of deep security expertise in an application dev team. The reference implementation of DevSecOps addresses this concern by enabling automated pre-deployment security and compliance checks, which helps prevent security issues from reaching production systems. IBM's Code Risk Analyzer, integrated in the toolchain, scans application code and the OS stack (base image) for vulnerabilities using rich threat intelligence from Snyk and Clair, and provides fix recommendations.

Change request management

The change request can be configured to be auto-approved or manually approved. There is a provision for emergency deployments, as well. The change request management automation helps developers, approvers and auditors monitor the compliance aspects of all code deployments.

Container image signing

The toolchains in the reference implementation require developers to sign every image that is built and recorded in the inventory before it can be deployed to production. The pipeline uses Skopeo as the default tool to provide image-signing capabilities.

Inventory and evidence collection

The reference implementation provides a standard format for evidence and processes in evidence collection and durable storage. The inventory and evidence are collected as part of every pipeline run and are available in a standard format and defined location. This reference implementation uses IBM DevOps Insights to collect a number of types of evidence, such as acceptance-test records, bill-of-materials check, detect-secrets check, image signing, vulnerability scans, etc.
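The three mechanisms above (change requests that are auto-approved only when every check passes, with an emergency path for exceptions; a hard requirement that the image be signed; evidence collected per pipeline run in a standard format) combine into one deployment gate. The following is an added illustration written for this post, not IBM's toolchain code and not its evidence format: it models an inventory entry with its evidence, evaluates the gate, and emits a hash-stamped record suitable for durable storage. The evidence kinds follow the list in the paragraph above, but the set of required kinds, the decision names, the data layout and the sample image name are assumptions.

```python
"""Deployment gate over pipeline evidence (added example; assumptions noted inline)."""
import hashlib
import json
from dataclasses import dataclass, field, asdict

# Evidence kinds the gate requires for every production deployment.
# Names follow the post's list of evidence types; requiring exactly this set is assumed.
REQUIRED_EVIDENCE = frozenset({
    "vulnerability-scan",
    "detect-secrets",
    "acceptance-tests",
    "bill-of-materials",
})


@dataclass
class Evidence:
    kind: str
    artifact_digest: str          # digest of the image this check ran against
    passed: bool
    details: dict = field(default_factory=dict)


@dataclass
class InventoryEntry:
    name: str
    image: str                    # registry reference (constructed sample)
    digest: str                   # immutable identity of the built image
    signed: bool                  # set by the signing step (Skopeo in the post)
    evidence: list = field(default_factory=list)


def evaluate(entry: InventoryEntry, emergency: bool = False):
    """Decide whether an inventory entry may be promoted to production.

    Returns (decision, reasons); decision is 'auto-approve',
    'manual-approval' or 'blocked'.
    """
    reasons = []
    # Evidence only counts if it was produced for the exact artifact being
    # deployed, so anything bound to another digest is discarded.
    by_kind = {}
    for ev in entry.evidence:
        if ev.artifact_digest != entry.digest:
            reasons.append(f"{ev.kind}: evidence bound to a different artifact")
            continue
        by_kind[ev.kind] = ev
    for kind in sorted(REQUIRED_EVIDENCE):
        ev = by_kind.get(kind)
        if ev is None:
            reasons.append(f"{kind}: evidence missing")
        elif not ev.passed:
            reasons.append(f"{kind}: check failed")

    if not entry.signed:
        # Signing is enforced unconditionally; an emergency does not waive it.
        return "blocked", ["image is not signed"] + reasons
    if not reasons:
        return "auto-approve", []
    # Deviations are recorded either way; an emergency only routes the
    # decision to a human approver instead of blocking outright.
    return ("manual-approval" if emergency else "blocked"), reasons


def evidence_record(entry: InventoryEntry, decision: str, reasons: list):
    """Build a durable record of the gate decision with its own content hash."""
    body = {
        "inventory_entry": entry.name,
        "image": entry.image,
        "digest": entry.digest,
        "signed": entry.signed,
        "evidence": [asdict(ev) for ev in entry.evidence],
        "decision": decision,
        "reasons": reasons,
    }
    # Canonical JSON so the hash is stable; an auditor can recompute it to
    # detect tampering of the stored record.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return {"record": body, "sha256": hashlib.sha256(canonical.encode()).hexdigest()}


def sample_entry(all_pass: bool = True, signed: bool = True) -> InventoryEntry:
    """Constructed inventory entry for demonstration (not real pipeline data)."""
    digest = "sha256:" + "ab" * 32
    checks = {
        "vulnerability-scan": all_pass,
        "detect-secrets": True,
        "acceptance-tests": True,
        "bill-of-materials": True,
    }
    return InventoryEntry(
        name="hello-app",
        image="registry.example/team/hello-app:1.4.2",
        digest=digest,
        signed=signed,
        evidence=[Evidence(kind=k, artifact_digest=digest, passed=v) for k, v in checks.items()],
    )


if __name__ == "__main__":
    cases = [(sample_entry(), False), (sample_entry(all_pass=False), False),
             (sample_entry(all_pass=False), True), (sample_entry(signed=False), True)]
    for entry, emergency in cases:
        decision, reasons = evaluate(entry, emergency)
        print(decision, reasons, evidence_record(entry, decision, reasons)["sha256"][:12])
```

Binding every evidence item to the artifact digest rather than to the tag is the design point worth keeping: a tag can be re-pushed, so evidence keyed by tag could be replayed against a different image, whereas evidence keyed by digest is only valid for the bytes it was collected on.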

Integration with IBM Cloud Security and Compliance Center

The IBM Cloud Security and Compliance Center offers a unified experience to view and manage the security and compliance postures of your cloud resource configurations. The IBM DevSecOps CD toolchain template offers integration with IBM Security and Compliance Center. You can trigger a scan on your deployment environment and see the security posture of your deployment environment.

Aligned with the requirements of the Financial Services industry, IBM Cloud Continuous Delivery provides a reference implementation of NIST Configuration Management controls as a service that you can configure in a few clicks by using templates.

I invite you to try the IBM DevSecOps toolchain template today at IBM Cloud; you can adopt it for your organizational DevSecOps requirements.
