About cookies on this site Our websites require some cookies to function properly (required). In addition, other cookies may be used with your consent to analyze site usage, improve the user experience and for advertising. For more information, please review your options. By visiting our website, you agree to our processing of information as described in IBM’sprivacy statement. To provide a smooth navigation, your cookie preferences will be shared across the IBM web domains listed here.
Better CVE management and faster development with AI
IBM software development organization
The challenge of supporting code security without slowing development
Based on IBM watsonx™ technology, IBM Concert® is a solution designed for optimizing application management and operations. And the development team responsible for this offering was under pressure to deliver the product to general availability (GA) while meeting IBM’s stringent requirements for mitigating security risks in the product’s code.
It’s a challenge familiar to product dev teams everywhere: in parallel with development, security assessment tools scan the code and generate lists of hundreds or thousands of Common Vulnerabilities and Exposures (CVEs). Most CVEs aren’t critical, but the work of sifting through the lists and prioritizing remediations can slow development significantly. If critical issues aren’t discovered until late in the dev cycle, loads of time can sink into rebuilds and retests. Thus, product readiness—and ultimately, revenue—are tied to proper CVE management.
Fortunately for the Concert dev team, an innovative solution was right in front of them. One of the core use cases Concert supports is streamlining CVE management. So the product’s own developers became some of its first happy customers.
Better insight into critical exposures, faster remediation
Using Concert, the dev team created a smarter, more streamlined approach to managing CVEs. Previously, the team relied on a pair of third-party security assessment tools that generated unique lists of CVEs, including priority scores. The team would then manually analyze and correlate the two lists and subsequently communicate with the office of the IBM Chief Information Security Officer (CISO) to agree on priorities.
Now, the data from the third-party tools feeds into Concert, which produces a unified CVE list with more intelligent prioritization. The software’s underlying AI analyzes how each CVE relates to the application’s entire environment, including connections and entry points, and accounts for this in its priority ranking.
The CVEs and priority scores are also displayed on a graphical map, helping developers quickly understand how each CVE relates to the application and where work is needed first. “Concert goes further than the other scanning tools,” says Mahesh Dashora, Program Director of QA and Security and Release Engineering at IBM. “We’re getting better insight into exposures, so we can resolve the important items more quickly.”
The team also benefited from these additional Concert features:
- Concert surfaces duplicate CVEs, helping the team fix issues in multiple places with a single remediation.
- Concert provides a dashboard that clearly displays CVEs, priority scores and supporting context, enabling efficient alignment with the office of the CISO.
- Concert can be integrated with GitHub, facilitating the rapid population of service tickets with remediation details, to help accelerate fixes.
- Concert provides an Evidence store for documenting all decisions regarding CVEs, supporting audit readiness.
A virtuous circle: improving security in code while accelerating development
When the team first employed Concert for CVE management, it faced about 200 open CVE issues. Normally, reviewing and triaging this many items and securing approvals on priority order and remediation actions would have taken more than eight person-weeks (PW) of work. By prioritizing actions with Concert, the team reduced its manual triage and analysis efforts, needing only six PW to process the open issues.
With those time savings, the team beat its target for GA. According to Vikram Murali, Vice President of Software Development at IBM, “Using IBM Concert to manage critical vulnerabilities allowed us to cut scan time by 25% and successfully GA Concert four days ahead of schedule.”
Of course, the story doesn’t end with the software’s first release. Development on the product will continue, as will the CVE management cycle. But the dev team has created a virtuous circle, and it will keep it going. “We’re getting to the right solutions faster, and ultimately reducing overall risk,” says Dashora. “And then we’re reinvesting the time saved, spending more time building new capabilities into IBM Concert.”
The IBM software development organization is a global team that drives the company's software solution portfolio, including internal and client-facing solutions. With expertise in artificial intelligence, cloud computing, cybersecurity and more, the group focuses on building cutting-edge products that foster innovation in all industries.
Legal
© Copyright IBM Corporation 2024. IBM, the IBM logo, IBM Concert, and IBM watsonx are trademarks or registered trademarks of IBM Corp., in the U.S. and/or other countries. This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.
Client examples are presented as illustrations of how those clients have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary.
