FAQs
Find answers to the frequently asked questions about IBM® Concert.
Product information
How does IBM Concert work?
Concert uses generative AI (gen AI) through watsonx to help you understand and prioritize your vulnerabilities and compliance risks. The completeness of application and environment data provided in the form of imported SBOM files or data ingestion jobs impacts the value and insights Concert delivers. Concert can be deployed as a SaaS subscription or on-premises software.
What can Concert do for me?
Concert provides a holistic view of your application landscape, eliminating silos and evaluating critical risk factors, such as vulnerabilities and compliance. It is designed for a variety of roles within an organization, including executives, compliance officers, application owners, and site reliability engineers (SREs). Executives can interact with an overarching view of the organization's application landscape to see where resources should be allocated and prioritized. Application owners, compliance officers, or other team leads can go deeper to see the scope of impacting risk factors across application components and environments, to know where to take action first, and to implement automation that expedites remediation. SREs can engage with the watsonx.ai chat functionality to learn more about remediation steps.
What browsers are supported for Concert?
- Apple Safari
- Google Chrome
- Microsoft Edge
- Mozilla Firefox
Applications and environments
What is an application entity?
An application is defined to include references to:
- Source code repositories
- Packages used in that application
- Images (such as Docker images) and other files that get deployed for that application
- Environments where the application gets deployed
- Access points (such as API service endpoints)
What is the software bill of materials (SBOM)?
A software bill of materials (SBOM) is a standardized exchange format that plays a critical role in describing applications across their lifecycle in an organization. SBOMs have also gained regulatory prominence as part of the overall security of the software supply chain. Many organizations maintain SBOMs, and the expectation is that their existing continuous integration and continuous delivery (CI/CD) pipelines are the most efficient way to share information with Concert continually. Concert supports three Concert-specific SBOM schemas (ConcertDef) as well as the CycloneDX format.
How do I add an application to Concert?
You can define an application by uploading an SBOM file that contains all the relevant images, versions, and connections for your application. You can also create an application profile by entering these deployment details.
For more information, see Defining an application from an SBOM file or Defining an application from components.
What is an environment entity?
An environment definition provides references to the application it hosts, public and private access points, and resources such as nodes and deployments inside Kubernetes that are present inside the environment.
How do I configure an environment in Concert?
Similar to application definition, you can define environments from imported SBOM files or by configuring data ingestion jobs from your third-party tools and services. The imported data generates a library of components you can use to define an environment.
Data for business impact
How does Concert integrate with existing code or issue tracking systems?
Concert integrates with existing code or issue tracking systems for which an authorized connection has been configured. Through this integration, Concert can perform tasks such as opening tickets in the respective system, such as GitHub, ServiceNow, and Jira.
What is a risk score and how does that compare to CVSS?
The risk score places a vulnerability in the context of your own footprint, taking into account factors such as:
- Number of applications affected
- How many public access points it has
- How sensitive the data is
- IBM X-Force Red weaponization score
- Application criticality
CVSS is an industry standard and is shown alongside the risk score. This allows users to assess vulnerabilities in both contexts while receiving recommendations from Concert to inform the next steps.
How is the risk score generated? Can clients customize the scoring to their needs?
The risk score is calculated based on different risk vectors. Mechanisms for end users to influence the scoring for this feature are an enhancement being considered for a future release.
What is a CVE? How does Concert assist with the tracking of vulnerabilities and their management?
CVE stands for Common Vulnerabilities and Exposures. These are the vulnerabilities that IT security personnel track within the IT footprint. Depending on the different IT components within the footprint, you might encounter different vulnerabilities. Concert assists in this context with understanding the IT footprint and components, correlating each vulnerability and its presence in one or more environments, and presenting a recommendation on the priority of vulnerabilities for remediation. You can use automation rules to automatically create and assign tickets in your preferred ticketing system based on an impacting CVE.
How is the priority of the CVE calculated within Concert? What are some factors that assist in this prioritization?
Concert assesses the priority of vulnerabilities through the contextual understanding of the IT footprint as presented through application and environment data. The severity of the vulnerability, the frequency of occurrence, and other factors come into play in prioritization. Concert combines these factors with other sources of data in order to present a unified recommendation for the specific footprint.
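The three answers above (SBOM ingestion, correlating each CVE with the environments it is present in, and contextual prioritization followed by automated ticket creation) describe a pipeline rather than show one. The following Go program is an added example written for this page; it is not Concert's code, and its scoring rule, SBOM fragments, environment data, and `CVE-0000-000x` advisory ids are all constructed placeholders. It parses a minimal CycloneDX JSON subset, maps each advisory onto the environments whose application ships the affected package URL (purl), raises the priority of a CVE the more environments and public access points expose it, and renders the ticket title an automation rule would open above a threshold.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// cdxBOM is the small subset of a CycloneDX JSON document this example reads.
type cdxBOM struct {
	BOMFormat  string `json:"bomFormat"`
	Components []struct {
		Name string `json:"name"`
		PURL string `json:"purl"`
	} `json:"components"`
}

// Constructed SBOM fragments for two hypothetical applications.
var sbomJSONByApp = map[string]string{
	"payments-api": `{"bomFormat":"CycloneDX","specVersion":"1.5","components":[
		{"name":"libfoo","version":"1.2.3","purl":"pkg:generic/libfoo@1.2.3"},
		{"name":"libbar","version":"2.0.0","purl":"pkg:generic/libbar@2.0.0"}]}`,
	"internal-batch": `{"bomFormat":"CycloneDX","specVersion":"1.5","components":[
		{"name":"libfoo","version":"1.2.3","purl":"pkg:generic/libfoo@1.2.3"}]}`,
}

// Constructed environment data: the application each environment hosts and
// how many public access points it exposes.
type environment struct {
	App       string
	PublicPts int
}

var environments = map[string]environment{
	"prod-eu": {App: "payments-api", PublicPts: 3},
	"prod-us": {App: "payments-api", PublicPts: 2},
	"staging": {App: "internal-batch", PublicPts: 0},
}

// Constructed advisory feed; the ids are placeholders, not real CVEs.
type advisory struct {
	CVE  string
	PURL string
	CVSS float64
}

var advisories = []advisory{
	{CVE: "CVE-0000-0001", PURL: "pkg:generic/libfoo@1.2.3", CVSS: 9.8},
	{CVE: "CVE-0000-0002", PURL: "pkg:generic/libbar@2.0.0", CVSS: 7.5},
}

// Finding is one CVE correlated with every environment it is present in.
type Finding struct {
	CVE          string
	CVSS         float64
	Environments []string
	PublicPts    int
	Priority     float64
}

// parseBOM decodes a CycloneDX document and returns the purls of its components.
func parseBOM(raw string) ([]string, error) {
	var bom cdxBOM
	if err := json.Unmarshal([]byte(raw), &bom); err != nil {
		return nil, err
	}
	if bom.BOMFormat != "CycloneDX" {
		return nil, fmt.Errorf("unsupported bomFormat %q", bom.BOMFormat)
	}
	var purls []string
	for _, c := range bom.Components {
		purls = append(purls, c.PURL)
	}
	return purls, nil
}

// contextualPriority is a hypothetical rule used only for illustration: CVSS is
// the base, and every affected environment and public access point raises it.
func contextualPriority(cvss float64, envs, publicPts int) float64 {
	return cvss * (1 + 0.2*float64(envs) + 0.1*float64(publicPts))
}

// Correlate maps each advisory onto the environments whose application's SBOM
// contains the affected purl and ranks the findings by contextual priority.
func Correlate() ([]Finding, error) {
	appsByPURL := map[string]map[string]bool{} // purl -> applications shipping it
	for app, raw := range sbomJSONByApp {
		purls, err := parseBOM(raw)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", app, err)
		}
		for _, p := range purls {
			if appsByPURL[p] == nil {
				appsByPURL[p] = map[string]bool{}
			}
			appsByPURL[p][app] = true
		}
	}
	var findings []Finding
	for _, adv := range advisories {
		f := Finding{CVE: adv.CVE, CVSS: adv.CVSS}
		for name, env := range environments {
			if appsByPURL[adv.PURL][env.App] {
				f.Environments = append(f.Environments, name)
				f.PublicPts += env.PublicPts
			}
		}
		sort.Strings(f.Environments)
		f.Priority = contextualPriority(adv.CVSS, len(f.Environments), f.PublicPts)
		findings = append(findings, f)
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Priority > findings[j].Priority })
	return findings, nil
}

// TicketTitle renders the ticket a hypothetical automation rule would open for
// a finding whose priority meets the threshold.
func TicketTitle(f Finding, threshold float64) (string, bool) {
	if f.Priority < threshold {
		return "", false
	}
	return fmt.Sprintf("[%s] remediate in %v", f.CVE, f.Environments), true
}

func main() {
	findings, err := Correlate()
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s CVSS=%.1f envs=%v public=%d priority=%.2f\n",
			f.CVE, f.CVSS, f.Environments, f.PublicPts, f.Priority)
		if title, ok := TicketTitle(f, 15.0); ok {
			fmt.Println("  open ticket:", title)
		}
	}
}
```

In the constructed data the two CVEs keep their CVSS order, but the gap between them widens once the shared package is seen in three environments with five public access points, which is the effect the risk score is meant to surface next to the plain CVSS value.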
Where does the certification expiration in the Evidence Locker come from?
The evidence store persists milestone data and acts as a time capsule for configuration snapshots or data important for future audits. Certificates are “discovered” in cloud infrastructure, in Kubernetes clusters, and so on. Inspection of the content of these certificates by Concert provides the ability to warn users of unhealthy certificates.
Gen AI and chat capabilities
What can IBM watsonx chat do now?
watsonx can tell you about your vulnerabilities in your applications and environments, and then suggest remediation steps. You can ask for more information about the vulnerabilities to assist you with understanding and choosing remediation steps.
Where can I see my conversation history with Concert?
Currently, your conversation history is saved in the browser's instance. Refresh the page to clear the conversation history with watsonx.
Are IBM watsonx capabilities included as part of Concert?
SaaS versions of Concert include watsonx.ai capabilities at no additional cost and without any additional setup required.
On-premises (software) deployments of Concert support watsonx.ai capabilities, but there are additional implementation steps required. If using the on-premises version of Concert, you must either point to your existing SaaS instance of watsonx.ai or deploy an on-premises version of watsonx.ai proximate to your Concert deployment. Once implemented, you must install watsonx.data independently.
Refer to your Concert license details for more information on watsonx.ai usage.