Hybrid Cloud

Using SecDevOps to design and embed security and compliance into development workflows

Share this post:

The trend toward decentralized cloud-native developer teams creating, modifying, and redeploying their work on a daily, or more frequent basis, has sparked a transformation in security and compliance processes for business applications. Unfortunately for businesses and their developers, the availability of tools to manage the modernization of security and compliance processes, known as DevSecOps, has not kept pace with the demand. In response, IBM Research initiated the focused effort called Code Risk Analyzer to bring security and compliance analytics to DevSecOps. Code Risk Analyzer is a new feature of IBM Cloud Continuous Delivery, a cloud service that helps provision toolchains, automate builds and tests, and control quality with analytics.

Code Risk Analyzer is a security measure that can be configured to run at the beginning of a developer’s code pipeline, reviewing and analyzing Git repositories for known issues with any open source code that need to be managed. The goal is to help application teams properly recognize rapidly evolving cybersecurity threats, prioritize application security problems, and resolve them in a satisfactory manner.

As cloud-native development practices – including containers and microservices – change security and compliance processes, it is infeasible for centralized operations teams to manage application security and compliance. For starters, security operations teams are not large enough to take on the problem of rapidly evolving and decentralized applications. As a result, it has become critical to equip developers with a new set of cloud-native capabilities and tools, such as Code Risk Analyzer, that can be easily embedded into existing development workflows.

The Software Delivery Lifecycle workflow.

The Software Delivery Lifecycle workflow.

First-gen microservice security

First-generation security solutions for microservices were focused on the right side of the Software Delivery Lifecycle (SDLC) workflow, such as the one shown above. They involved scanning and introspecting images in the Image Registry, containers and container configurations at runtime. These security solutions are increasingly proving to be inefficient and ineffective for the following reasons:

  1. Container images are becoming slim and opaque where they contain minimum payload needed to run an application. In the case of a go-app, it would be a single statically linked binary. Existing solutions are ineffective at performing vulnerability scanning on such images, because they rely on access to operating system context inside an image.
  2. Images and containers lack the development context of an application. For instance, when a problem is discovered in a container image stored in an Image Registry, it is often not immediately known which developer or development team is responsible for the detected problem, as image metadata does not contain a reference to a Git repository, branch or commit ID from which the image was built. It is therefore not easy to automate remediation workflows for detected problems.

These concerns point to the need to develop security and compliance solutions that can be used on the developer side of the SDLC, where they can be seamlessly integrated into the development process while providing increased visibility and explainability.

Code Risk Analyzer is a tectonic shift for the ways in which security is implemented and practiced in the SDLC for microservices, and we are dedicated to bring innovation and differentiation towards our north star: Helping the developers.

A new solution that’s comprehensive and consistent

In creating Code Risk Analyzer, we first surveyed and categorized all the source artifacts used by typical IT organizations in provisioning, configuring cloud services, Kubernetes infrastructure, and finally building, deploying their application, and services as shown in the diagram, above. Existing solutions provide isolated and limited security controls across this source code spectrum. That includes performing only vulnerability scanning of application manifests like requirements.txt (python) and pom.xml (java).

In DevSecOps it’s absolutely essential to design a comprehensive and consistent solution that encompasses security and compliance assessment across all these artifacts. As a result, we embodied them all in the scope for the Code Risk Analyzer solution. For application artifacts, we provide Vulnerability, License Management, and CIS checks on deployment configurations, generating Bill-of-Material, and security lint checks. Terraform files (*.tf) used to provision or configure cloud services like Cloud Object Store and LogDNA are also scanned to identify any security misconfigurations.

Next, we made a conscious decision to anchor our security controls around industry standards like NIST or CIS to ease adoption of our solution into regulatory compliance platforms. Acknowledging that developers are not necessarily security experts, we provided separation of concerns between developers and security experts such as a company’s CISO. The CISO should be responsible for defining the desired security posture for an organization’s applications through policy and exception rules (e.g. “block only high-severity vulnerabilities for app B”), automatically enforced inside development workflows. In Code Risk Analyzer, we designed a role-based Open Policy Agent (OPA) framework for controlling such policies.

Flattening the DevSecOps learning curve

We also shield developers from the need to understand security definitions and policies by instead providing them actionable feedback. For example, on discovering failures of security controls, in addition to making them aware of those failures and their impact, we help them identify associated source artifacts and recommend an optimal way to fix them through auto-remediations.

Another goal was to flatten the learning curve for users while introducing them to these new security platform and practices. We achieved this by embedding Code Risk Analyzer right into existing developer workflows, including a change request procedure through pr_workflow (pull request), and a change request approval by commit-to-main-branch in ci_workflow (continuous integration). We are also designing various templates as part of the DevOps toolchain service on IBM Cloud to automate provisioning and integration of our solution.

Code Risk Analyzer helps developers ensure security and compliance in their routine workflows described, here. Our approach also brings value by performing various continuous and asynchronous analytic tasks that truly differentiate our solution over any other solution. In Smart Recommendations, Code Risk Analyzer provides cross-repositories insights for dependencies, remediations, or outlier detections. In Smart Updates, we track changes to all dependencies (e.g. base image, OS package, application package, other git repo, etc.) of your application, classify those changes (performance-related, bug fix, security fix, etc.) and provide automated update notifications.


Inventing What’s Next.

Stay up to date with the latest announcements, research, and events from IBM Research through our newsletter.


More Hybrid Cloud stories

Improving resource efficiency for Kubernetes clusters via load-aware scheduling

Unfortunately, there are no default scheduler plugins in Kubernetes to consider the actual load in clusters for scheduling. To achieve that goal, we developed a way to optimize resource allocation through load-aware scheduling and submitted our "Trimaran: Real Load Aware Scheduling" Kubernetes enhancement proposal, with the hope of soon merging this feature into the Kubernetes scheduler plugin.

Continue reading

Novel approaches to cloud native ecosystem

At KubeCon this week: How to close cloud native security gaps, thus improving cloud native projects from the community at large.

Continue reading

Fine-grained visual recognition for mobile AR technical support

Our team of researchers recently published paper “Fine-Grained Visual Recognition in Mobile Augmented Reality for Technical Support,” in IEEE ISMAR 2020, which outlines an augmented reality (AR) solution that our colleagues in IBM Technology Support Services use to increase the rate of first-time fixes and reduce the mean time to recovery from a hardware disruption.

Continue reading