Empowering CIOs to accelerate crypto-agility with IBM Quantum Safe Explorer: IBM as client zero


Authors

Jai Arun

Head of IBM Quantum Safe Product Management & Strategy

IBM

Sukanta Bhattacharjee

Solution Architect for IBM Quantum Safe Explorer

Kyle Brown

IBM Fellow, CTO

IBM CIO Office

James McGugan

Chief Architect, Quantum Safe Tools

Biswajit Roy

Solution Architect, App modernization - CIO DevEx

As quantum computing approaches practical utility, the security landscape faces a change to the status quo. IBM’s unrivaled research, fabrication facilities and velocity of innovation offer the world's most powerful quantum computers via the cloud, powered by Qiskit, the quantum software stack built for performance. Alongside advancing quantum computing, IBM prioritizes the need for organizations to be quantum-resilient and developed two of NIST’s published PQC standards.

Early on, IBM recognized a risk that most enterprises are only now starting to confront: today’s cryptography could be tomorrow’s liability. Consequently, IBM’s CIO Office set out to discover cryptographic artifacts with near-zero manual effort, generate an actionable Cryptography Bill of Materials (CBOM) for full visibility, identify and remediate crypto-agility anti-patterns before they reach production, and proactively manage quantum-era cryptographic risk with measurable outcomes.

To tackle challenges of discovery, visibility, remediation and modernization in managing cryptography — and stay ahead of the “harvest now, decrypt later” threat — IBM’s CIO Office adopted IBM Quantum Safe Explorer.

IBM’s CIO Office easily deployed Quantum Safe Explorer and:

  • scanned nearly 6000 repositories and over 47 million lines of code,
  • identified 3900+ vulnerabilities,
  • generated Cryptographic Bills of Materials (CBOMs) for audit and compliance; and
  • enabled dashboards for leadership to track risk and remediation.

You can’t protect what you can’t see

Organizations must identify all cryptography in their applications in order to reduce security risk and meet regulations, such as NIST PQC migration requirements. Many legacy applications use outdated or hard-coded methods, making them vulnerable to current and future threats. With thousands of homegrown applications and scattered codebases, manual discovery is impractical.

Cryptography is often buried deep in code, spread across dozens of libraries (each with hundreds of APIs), and implemented through multi-step operations. For example, encrypting a file may involve retrieving a key from HashiCorp Vault, wrapping it via JCA, instantiating ciphers and secure random generators, creating initialization vectors, combining all parameters, and writing the file in blocks. In many cases, setup occurs at application startup, with initialized objects stored in constants or global variables and then used later in separate functions, so a scanner that looks at one call site in isolation misses the algorithm or key size chosen elsewhere.

IBM’s CIO Office leveraged Quantum Safe Explorer to discover cryptographic artifacts with near-zero manual effort. Quantum Safe Explorer’s automated scans, integrated with the application’s build pipeline, became part of regular DevSecOps routines, not ad-hoc manual audits.

Quantum Safe Explorer locates cryptographic artifacts across all environments and programming languages, including homegrown applications, through three modular components:

  1. VS Code Extension: Allows developers to scan code locally, installed in under 5 minutes.
  2. CLI: For CI/CD integration, enabling automated scans during build processes. Quantum Safe Explorer supports Java, Python, C, C++, C#, Go and Dart (with more planned) and recognizes all common cryptographic libraries for each language (like JCA and Bouncy Castle for Java, OpenSSL for C, Crypto for Python). The detection patterns are externalized in a knowledge base, making it easy to add new libraries without modifying the analysis engine.
  3. Automated Scans: Integrates with the application’s build pipeline, usually via its CLI or RESTful API, triggering an automated scan every time the app is rebuilt.

Quantum Safe Explorer is built to help developers quickly and easily leverage its capabilities in CI/CD. Because Quantum Safe Explorer integrates with tools familiar to developers (CLI, CI scripts, VS Code), local or pipeline scans run before commit, pinpointing vulnerable code (for example, `Cipher.getInstance("RSA/ECB/PKCS1Padding")`) and highlighting anti-patterns (hard-coded algorithm names or key sizes, missing fallback negotiation paths, and non-parameterized initialization vectors or modes).

Quantum Safe Explorer supports Z Linux CLI deployments, enabling scanning on IBM z systems in DevSecOps builds running on Linux on Z hardware. Additional support includes Nimbus JOSE + JWT 10.2 and Apache Commons Codec 1.18, enhanced Java API discovery for KeyStore and HashiCorp Vault secret engines, multi-discovery CBOMs combined into a single file, customization of vulnerability severity levels, and standardized VS Code error reporting.

With Quantum Safe Explorer, IBM’s CIO Office was able to scan nearly 6000 repositories and over 47 million lines of code in just a few hours, identifying 3900+ vulnerabilities.

Key metrics for batch scan:

  • Total number of code repositories scanned: 5,815
  • Total number of files scanned [Java, Python & Golang]: 440,689
  • Total number of lines of code scanned: 47,599,426
  • Total number of crypto-assets detected: 2,499
  • Total number of issues requiring quantum safe remediation: 3,943

Understanding your cryptography — and its risk

Once cryptographic objects are discovered, the next challenge is gaining clear visibility and prioritization of risk across the environment. Quantum Safe Explorer provides portfolio-wide cryptographic risk visibility, enabling IBM’s CIO Office to build its crypto inventory faster and presenting the team with a central view.

A JSON output file containing the updated cryptography inventory is passed to a central aggregation point: Portfolio View, a web app that aggregates scan results from multiple applications into a Postgres database and provides dashboards on cryptography usage, libraries, algorithms, key sizes, and vulnerabilities across the enterprise.

The Portfolio View utility is a productization of a pre-existing system that IBM’s CIO Office team developed, called the Developer Data Lake (DDL). The DDL aggregates all the meta-information from the many tools the CIO team uses.

To provide CIOs and DevSecOps leads with enhanced visibility, Quantum Safe Explorer automatically produces a Cryptography Bill of Materials (CBOM) for each repository scanned, listing libraries, algorithms, key sizes, and dependencies, along with severity-mapped vulnerabilities and quantum-risk flags. These automated CBOMs support audits, governance, and prioritization of high-risk issues, such as unsafe public-key usage in customer-facing services. Minimal-friction pipeline integration ensures each build generates fresh CBOMs, enabling regression tracking and trend monitoring via CI/CD dashboards.
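To make the discovery-to-CBOM flow described above concrete, here is an added toy scanner written for this article; it is not Quantum Safe Explorer’s engine, its knowledge base, or its CBOM schema. It assumes a handful of constructed regex rules in place of the externalized knowledge base, constructed sample sources, and an invented CBOM-like JSON layout, and it only associates a key size that appears on the same line as the call.

```python
import json
import re
# Constructed detection rules standing in for an externalized knowledge base.
RULES = {
    "java": [re.compile(r'(?:Cipher|Signature|KeyAgreement|KeyPairGenerator|KeyGenerator)'
                        r'\.getInstance\(\s*"(?P<alg>[A-Za-z0-9/\-]+)"')],
    "python": [re.compile(r'\b(?P<alg>RSA|DSA|ECC|DH|AES|DES3?|ARC4)\.(?:generate|new|construct)\(')],
}
KEY_SIZE = re.compile(r'(?<![\w.])(?P<bits>\d{3,4})(?![\w.])')  # same-line key size only
QUANTUM_VULNERABLE = {"RSA", "EC", "ECC", "ECDSA", "ECDH", "DH", "DSA"}
OBSOLETE = {"DES", "DES3", "DESEDE", "ARC4", "RC4", "MD5"}

def classify(alg, bits):
    """Return (quantum_vulnerable, severity, reason) for an algorithm string and key size."""
    family = alg.split("/")[0].upper()            # "RSA/ECB/PKCS1Padding" -> "RSA"
    tokens = set(re.split(r"WITH|AND", family))   # "SHA256WITHRSA" -> {"SHA256", "RSA"}
    if tokens & OBSOLETE:
        return True, "high", "obsolete algorithm"
    if tokens & QUANTUM_VULNERABLE:
        return True, "high", "public-key algorithm broken by a large quantum computer"
    if "AES" in tokens and bits is not None and bits < 256:
        return False, "medium", "symmetric key below 256 bits"
    return False, "info", "no quantum-safe finding"

def scan(sources):
    """sources: {path: source text}. Returns a CBOM-like inventory (constructed schema)."""
    assets = []
    for path, text in sources.items():
        lang = "java" if path.endswith(".java") else "python"
        for lineno, line in enumerate(text.splitlines(), 1):
            for rule in RULES[lang]:
                for m in rule.finditer(line):
                    size = KEY_SIZE.search(line)   # real tools trace sizes across functions
                    bits = int(size.group("bits")) if size else None
                    vulnerable, severity, reason = classify(m.group("alg"), bits)
                    assets.append({"file": path, "line": lineno, "language": lang,
                                   "algorithm": m.group("alg"), "key_size": bits,
                                   "quantum_vulnerable": vulnerable, "severity": severity, "reason": reason})
    issues = sum(a["severity"] in ("high", "medium") for a in assets)
    return {"bomFormat": "CBOM-like (constructed)",
            "summary": {"assets": len(assets), "issues": issues}, "assets": assets}

SAMPLE_SOURCES = {  # constructed sample sources, not IBM code
    "KeyService.java": 'KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); kpg.initialize(2048);\n'
                       'Cipher c = Cipher.getInstance("RSA/ECB/PKCS1Padding");\n'
                       'KeyGenerator kg = KeyGenerator.getInstance("AES"); kg.init(128);\n',
    "legacy/crypto_util.py": "from Crypto.PublicKey import RSA\nkey = RSA.generate(1024)\n"
                             "cipher = DES3.new(secret, DES3.MODE_CBC)\nbox = AES.new(key256, AES.MODE_GCM)\n",
}
if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_SOURCES), indent=2))
```

Running it on the constructed sources yields six assets, five of which need attention; the RSA-2048 key pair is flagged even though 2048 bits is fine classically, which is exactly the quantum-risk distinction a CBOM has to carry.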

Quantum Safe Explorer’s automatically generated CBOM results are fed into IBM’s CIO Office’s Developer Data Lake (DDL), extending its security scanning capabilities with a full cryptographic inventory.

IBM’s CIO Office team uses a centralized, common Tekton-based cloud-native CI/CD pipeline platform that brings together all of its common security scanning tools for DAST, SAST and open-source scanning into one standard approach for continuous scanning of source code on every commit. By integrating the Quantum Safe Explorer CLI into the pipeline, the team has been able to add detection of cryptographic references and vulnerabilities to its security scan results.

As a result, IBM’s CIO Office dev team has discovered:

  • numerous legacy components using key sizes too small by quantum-safe standards,
  • multiple copies of hardcoded cryptographic parameters in Java and Python; and
  • unsafe defaults and missing crypto-agility patterns (such as no fallback mechanisms).

Identifying and remediating crypto-agility anti-patterns

Even if a cryptographic library is upgraded to support post-quantum cryptography (PQC), applications don’t automatically inherit the change — the code must be updated to request PQC algorithms explicitly. IBM’s Quantum Safe Explorer addresses this with a static analysis engine that traces setup and usage across the entire application, pinpointing algorithms and key sizes even when they’re fragmented across files and functions.

IBM’s CIO Office needed to update weak algorithms, standardize library usage, and enforce policy gating. Quantum Safe Explorer streamlines developer remediation workflows. The application developer receiving a ticket uses Quantum Safe Explorer’s VS Code extension to navigate to the lines of code containing the offending cryptography, then alters the code, saves, recompiles, unit tests, and opens a PR. These changes are picked up in the next build, at which point information security teams can close the ticket.

Quantum Safe Explorer’s Portfolio View, built on the DDL, offers an organization’s leadership and C-suite an enterprise-wide, interactive view of crypto usage and vulnerabilities. With prioritized risks, leadership can drill down by business unit or application to focus remediation where it matters most. Portfolio View’s executive dashboards summarize posture: quantum-vulnerable cryptography prevalence, inventory completeness, and anti-pattern counts. These translate technical findings into actionable business risks and help meet NIST 2035 inventory requirements.

In addition to flagging vulnerabilities, Quantum Safe Explorer identifies crypto-agility anti-patterns including:

  • hard-coded algorithms/versions,
  • missing fallback logic,
  • inconsistent use of libraries across modules; and
  • unsupported or obsolete libraries (for example, reliance on older PyCrypto, weak OpenSSL versions).

By highlighting these patterns together with their code paths, Quantum Safe Explorer enables teams to plan remediation system-wide rather than file by file.

Proactively modernizing for quantum-era cryptographic risk

Between looming quantum-safe guidelines and the threat of “harvest now, decrypt later” attacks, organizations need to begin the transformation towards crypto-agility to prepare their cryptography for the future. The ability to adapt rapidly to new threats requires an environment-wide transformation, made more challenging by the increasing sprawl of data that technological drivers such as hybrid cloud and artificial intelligence exacerbate.

IBM’s CIO Office as Client Zero proved that establishing quantum-resilient cryptographic hygiene does not require massive organizational disruption. With Quantum Safe Explorer, IBM’s CIO Office experienced easy installation, seamless deployment in CI/CD, enterprise-wide visibility and configurable insights.

By embedding Quantum Safe Explorer into their DevSecOps pipeline, IBM’s CIO Office set a foundation for crypto-agility, quantum-era preparedness, and resilient cyber-hygiene. This early test case helped shape IBM’s mission to help enable customers transition towards crypto-agility and quantum-resilience, as enterprises globally begin their quantum-safe transformations.

That early test case helped shape the broader IBM Quantum Safe product suite — Explorer, feeding into Advisor, Posture Management, and Remediator — as enterprises globally begin their quantum-safe transformation.

This success story illustrates how easy it is to install, deploy, and configure (operationalize) Quantum Safe Explorer — and the value it brings to CIOs, developers, and executive leadership in understanding cryptographic vulnerabilities and driving sound crypto-agility.
