DevSecOps Reference Implementation for Audit-Ready Compliance Across Development Teams


Today, we are excited to announce the availability of IBM's reference implementation of DevSecOps, providing a complete SDLC automated with IBM Cloud Continuous Delivery and other IBM Cloud services.

Does a lack of deep security expertise across your application development teams cause rework and additional cost to maintain your security posture? Does compliance audit preparation take a lot of manual effort from your development teams? Does every development team in your organization maintain its own custom DevOps investment and solve difficult reliability and compliance problems in a silo? Are you worried about an ever-changing security landscape?

If so, IBM Cloud has a solution for you.

DevSecOps with IBM Cloud Continuous Delivery

Through years of deep security experience in creating a secure cloud, IBM has found its own answers to the above problems via standardized, integrated and automated DevSecOps best practices. Aligned with the requirements of the Financial Services industry, IBM Cloud Continuous Delivery provides a reference implementation of NIST Configuration Management controls as a service that you can configure in a few clicks by using toolchain templates. The workflow will build, scan, test and deploy your cloud-native applications while ensuring security and compliance goals are met and evidence is retained for any future audits. The workflow can be customized to leverage other enterprise tools or implement custom policies.

The reference implementation is built on the Continuous Delivery service, which provides Git Repos and Issue Tracking, Tekton Pipelines, DevOps Insights, Code Risk Analyzer and the Eclipse Orion Web IDE in the Cloud. The Continuous Delivery service is compliant with SOC and other standards, and it is currently available in eight highly available multi-zone regions (Dallas, Frankfurt, London, Osaka, Sydney, Tokyo, Toronto and Washington DC).

The reference implementation also takes advantage of other IBM Cloud services, such as IBM Cloud Secrets Manager, IBM Key Protect for IBM Cloud, IBM Cloud Object Storage and IBM Cloud Container Registry. Users can customize the toolchain to use external tools that enterprises have standardized upon, such as Git providers and artifact stores. DevSecOps supports hybrid deployments — in particular, by using private pipeline workers — and can be interfaced with other deployment tools like Satellite Config and ArgoCD.

When a single opinionated and compliant reference pipeline can be used for all components across an organization, developers are free to spend less time developing automation solutions and can focus on feature development. The organization and security officers can be confident that the necessary controls are in place to ensure secure, compliant software and provide evidence that can be used in an audit.

The reference implementation of DevSecOps provides a standard format for evidence and processes in evidence collection and durable storage. It also includes a change management process that allows for automated approvals for deployments and a mechanism for manual overrides for exceptional situations.


Key highlights of the reference implementation of DevSecOps from IBM Cloud Continuous Delivery

Security and compliance checks

A common issue across development organizations is a lack of deep security expertise within an application development team. The reference implementation of DevSecOps addresses this concern by enabling automated pre-deployment security and compliance checks that help prevent security issues from reaching production systems. IBM's Code Risk Analyzer is integrated into the toolchain; it scans application code and the OS stack (base image) for vulnerabilities using threat intelligence from Snyk and Clair, and it provides fix recommendations.

Change request management

The change request can be configured to be auto-approved or manually approved. There is a provision for emergency deployments, as well. The change request management automation helps developers, approvers and auditors monitor the compliance aspects of all code deployments.

Container image signing

The toolchains in the reference implementation require developers to sign every image that is built and recorded in the inventory before it can be deployed to production. The pipeline uses Skopeo as the default tool for image signing.

Inventory and evidence collection

The reference implementation provides a standard format for evidence and standard processes for evidence collection and durable storage. The inventory and evidence are collected as part of every pipeline run and are available in a standard format at a defined location. This reference implementation uses IBM DevOps Insights to collect several types of evidence, such as acceptance-test records, the bill-of-materials check, the detect-secrets check, image signing and vulnerability scans.

Integration with IBM Cloud Security and Compliance Center

The IBM Cloud Security and Compliance Center offers a unified experience to view and manage the security and compliance postures of your cloud resource configurations. The IBM DevSecOps CD toolchain template offers integration with IBM Security and Compliance Center. You can trigger a scan on your deployment environment and see the security posture of your deployment environment.


I invite you to try the IBM DevSecOps toolchain template today at IBM Cloud; you can adopt it for your organizational DevSecOps requirements.
