How to add your own security scans with IBM Cloud Security Advisor.
The IBM Cloud Security Advisor allows for centralized security management. It offers a unified dashboard that alerts the security administrators of an IBM Cloud account to issues and helps them resolve those issues. The advisor supports the integration of third-party vendors as well as custom findings. Using its REST API or the programming language SDKs, you can manage your own security metrics, from defining incident types and reporting events to displaying them on the unified dashboard.
In this and a follow-up post, I am going to give you a quick introduction to the Security Advisor and then discuss the code I made available on GitHub in the repo security-advisor-findings. It simplifies the management of custom objects and provides functions for some of my security scans.
Overview: Custom findings in Security Advisor
The IBM Cloud Security Advisor offers a growing number of security checks. They include pre-integrated findings, partner integrations, built-in insights, and custom findings. The latter allows you to bring data from existing security tools into Security Advisor or to add your own security scans and related metrics (see screenshot above, section Account User Management). This allows you to become a provider of security events.
In addition to the concept of a provider, Security Advisor has notes and occurrences. Both notes and occurrences come in pre-defined kinds. Notes are used to define cards, findings, and KPIs (key performance indicators). Findings and KPIs report security issues: for each issue you create an occurrence of kind FINDING or KPI that references a previously defined note of the same kind.
A finding occurrence typically includes a short description of the security issue and suggested steps to resolve it. The screenshot below shows a single custom finding. To integrate findings and related KPIs into the Security Advisor dashboard, you need to create a card. A card has details on what and how finding types and KPIs should be shown. It could be just numbers (as seen above) or charts. You can also define a badge to be shown if no issues are reported (see top screenshot).
Findings API and SDKs
The Security Advisor offers a REST API to manage notes and occurrences. In addition, you can use the Python SDK and the Node.js SDK as wrappers around the API. Both are built on the IBM Cloud core SDKs and hence support the common authentication methods, such as IAM API keys.
The SDKs offer functions to list all the findings providers in the account. This is useful, because objects are scoped by account and provider. You can search notes by provider and obtain their details. And, of course, it is possible to create new notes and to update or delete them. The same goes for occurrences; they are scoped by account, provider and the note they reference.
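The following is an added example that illustrates the object model from the two preceding sections (provider, notes of kind FINDING, KPI and CARD, and occurrences that reference a note) as the JSON the Findings REST API expects. It is not code from the security-advisor-findings repo. The account ID, provider ID, note IDs, the regional endpoint URL and the IAM token are placeholders, and the JSON field names follow the Findings API v1 schema as I know it; check them against the current API reference before relying on them. The `post` helper defaults to a dry run so the module can be exercised without network access.

```python
"""Build and sanity-check Security Advisor Findings API objects (added example, not the repo's code)."""
import json
import urllib.request

# Assumption: the us-south Findings API endpoint; other regions use their own hostname.
FINDINGS_URL = "https://us-south.secadvisor.cloud.ibm.com/findings/v1"


def note_name(account_id, provider_id, note_id):
    """Occurrences and cards reference a note by this fully qualified name."""
    return f"{account_id}/providers/{provider_id}/notes/{note_id}"


def finding_note(note_id, short, long_desc, severity, next_steps, reported_by):
    """A FINDING note defines one type of security issue and how to resolve it."""
    return {
        "kind": "FINDING", "id": note_id,
        "short_description": short, "long_description": long_desc,
        "reported_by": reported_by,
        # severity per schema: LOW, MEDIUM, HIGH or CRITICAL
        "finding": {"severity": severity, "next_steps": [{"title": s} for s in next_steps]},
    }


def kpi_note(note_id, short, long_desc, reported_by, aggregation="SUM"):
    """A KPI note defines a metric; occurrences of it carry value/total pairs."""
    return {"kind": "KPI", "id": note_id, "short_description": short,
            "long_description": long_desc, "reported_by": reported_by,
            "kpi": {"aggregation_type": aggregation}}


def card_note(note_id, title, subtitle, section, finding_note_names, reported_by, badge_text=None):
    """A CARD note places a count of open findings on the dashboard for the listed notes."""
    card = {
        "section": section, "title": title, "subtitle": subtitle,
        "finding_note_names": finding_note_names,
        "elements": [{"kind": "NUMERIC", "text": "Open issues",
                      "value_type": {"kind": "FINDING_COUNT",
                                     "finding_note_names": finding_note_names,
                                     "text": "Findings"}}],
    }
    if badge_text:  # shown when the card reports no issues
        card["badge_text"] = badge_text
    return {"kind": "CARD", "id": note_id, "short_description": title,
            "long_description": subtitle, "reported_by": reported_by, "card": card}


def finding_occurrence(occ_id, note, account_id, provider_id, severity, context, next_steps):
    """One concrete instance of the issue defined by `note`, tied to the resource in `context`."""
    return {"kind": "FINDING", "id": occ_id,
            "note_name": note_name(account_id, provider_id, note["id"]),
            "context": context,
            "finding": {"severity": severity, "next_steps": [{"title": s} for s in next_steps]}}


def kpi_occurrence(occ_id, note, account_id, provider_id, value, total):
    return {"kind": "KPI", "id": occ_id,
            "note_name": note_name(account_id, provider_id, note["id"]),
            "kpi": {"value": value, "total": total}}


def check_occurrence(occurrence, note, account_id, provider_id):
    """Checks worth running before posting: the occurrence kind must match the note's kind, and
    note_name must resolve to that note in the same account/provider (objects are scoped that way)."""
    errors = []
    if occurrence["kind"] != note["kind"]:
        errors.append(f"kind {occurrence['kind']} does not match note kind {note['kind']}")
    if occurrence["note_name"] != note_name(account_id, provider_id, note["id"]):
        errors.append(f"note_name {occurrence['note_name']} does not reference note {note['id']}")
    return errors


def post(path, body, token, account_id, dry_run=True):
    """POST a note or occurrence with an IAM bearer token. dry_run returns the request instead."""
    url = f"{FINDINGS_URL}/{account_id}/{path}"
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    if dry_run:
        return {"url": url, "body": body}
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def demo(account_id="acct123", provider_id="my-scanner", token="IAM_TOKEN_PLACEHOLDER"):
    """Constructed sample objects: one finding note, one KPI note, a card and two occurrences."""
    reporter = {"id": provider_id, "title": "My custom scans"}
    note = finding_note("user-without-mfa", "User without MFA", "An account user has no MFA enabled.",
                        "HIGH", ["Enable MFA for the user"], reporter)
    kpi = kpi_note("mfa-coverage", "MFA coverage", "Share of users with MFA", reporter)
    fnames = [note_name(account_id, provider_id, note["id"])]
    card = card_note("user-mgmt-card", "Account User Management", "Users without MFA",
                     "Custom scans", fnames, reporter, badge_text="All users use MFA")
    occ = finding_occurrence("user-without-mfa-alice", note, account_id, provider_id, "HIGH",
                             {"region": "us-south", "resource_name": "alice@example.com"},
                             ["Enable MFA for the user"])
    kocc = kpi_occurrence("mfa-coverage-2024", kpi, account_id, provider_id, 7, 9)
    posted = [post(f"providers/{provider_id}/notes", n, token, account_id) for n in (note, kpi, card)]
    posted += [post(f"providers/{provider_id}/occurrences", o, token, account_id) for o in (occ, kocc)]
    return {"note": note, "kpi": kpi, "card": card, "occurrence": occ, "kpi_occurrence": kocc,
            "requests": posted}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The dry run prints the five requests in the order they must be created: notes first, because occurrences and the card reference them by `note_name`, and the card last. Set `dry_run=False` and pass a real IAM token to actually post to the service.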
Conclusions and next steps
The IBM Cloud Security Advisor allows for centralized security management, and by using an API, it is possible to extend the Security Advisor with your own metrics. In this example, I created notes to define my own findings and KPIs and then a card to display the found issues.
In the next blog, I plan to discuss the code I made available in the GitHub repo security-advisor-findings. It provides a simple command line tool to manage the custom objects and has functions for security scans which integrate results into the security advisor.
I will also show you how to use Cloud Functions to perform security scans in Security Advisor and get IBM Cloud Security Advisor alerts via Slack or email.