Looking to bring security and compliance analytics to devops, IBM has added its Code Risk Analyzer capability to its IBM Cloud Continuous Delivery service.
Code Risk Analyzer is described by IBM as a security measure that can be configured to run at the start of a developer’s code pipeline, analyzing and reviewing Git repositories to discover issues with open source code. The goal is to help application teams recognize cybersecurity threats, prioritize application security problems, and resolve security issues. IBM Cloud Continuous Delivery helps provision toolchains, automate tests and builds, and control software quality with analytics.
IBM said that as cloud-native development practices such as microservices and containers change security and compliance processes, it is no longer feasible for centralized operations teams to manage application security and compliance. Developers need cloud-native capabilities such as Code Risk Analyzer to embed into existing workflows. Code Risk Analyzer helps developers ensure security and compliance in routine workflows.
In developing Code Risk Analyzer, IBM surveyed the source artifacts that IT organizations use to build and deploy applications and to provision and configure Kubernetes infrastructure and cloud services. Existing cloud solutions provide only limited security controls across that spectrum of source artifacts, such as vulnerability scanning of application manifests. IBM therefore set out to design a solution that covers security and compliance assessment across all of these artifacts.
Code Risk Analyzer scans Git-based source code repositories for Python, Node.js, and Java code; performs vulnerability checks, license management checks, and CIS (Center for Internet Security) compliance checks on deployment configurations; and generates a “bill of materials” listing all dependencies and their sources. Terraform files used to provision cloud services such as Cloud Object Store are also scanned for security misconfigurations.
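To make the kind of pipeline-start check the article describes concrete, here is an added example in Python. It is not IBM's Code Risk Analyzer code and does not use its API; it assumes a pinned requirements file, a small advisory feed, a license table, and a Kubernetes deployment manifest, all of which are constructed inline (the advisory identifier and the `example-gpl-lib` package are placeholders). The example builds a bill of materials, matches it against the advisories and a license allow-list, runs one CIS-style check (privileged containers) on the manifest, and reports whether the pipeline gate would pass.

```python
"""Added example, not Code Risk Analyzer's own code: a minimal pipeline
gate that builds a bill of materials and runs vulnerability, license and
deployment-configuration checks over constructed inputs."""

import re

# Constructed requirements manifest, as a pipeline would read it from the repo.
REQUIREMENTS_TXT = """\
requests==2.25.1
flask==1.1.2
pyyaml==5.3.1
example-gpl-lib==0.1
"""

# Constructed advisory feed: package -> [(affected version, placeholder id, severity)]
ADVISORIES = {
    "pyyaml": [("5.3.1", "ADV-EXAMPLE-0001", "high")],
}

# Constructed license table: package -> SPDX identifier
LICENSES = {
    "requests": "Apache-2.0",
    "flask": "BSD-3-Clause",
    "pyyaml": "MIT",
    "example-gpl-lib": "GPL-3.0-only",
}

# Constructed policy: licenses the organization permits in this application
ALLOWED_LICENSES = {"Apache-2.0", "BSD-3-Clause", "MIT"}

# Constructed Kubernetes manifest, kept as text so no YAML library is needed.
DEPLOYMENT_YAML = """\
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
      - name: web
        image: example/web:1.0
        securityContext:
          privileged: true
"""


def build_bom(requirements_text):
    """Parse pinned 'name==version' lines into a bill of materials."""
    bom = []
    for line in requirements_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z0-9_.\-]+)==([A-Za-z0-9_.\-]+)$", line)
        if m:
            bom.append({"name": m.group(1).lower(), "version": m.group(2),
                        "source": "requirements.txt"})
    return bom


def vulnerability_findings(bom, advisories):
    """Report BOM entries whose pinned version matches an advisory."""
    findings = []
    for dep in bom:
        for version, adv_id, severity in advisories.get(dep["name"], []):
            if version == dep["version"]:
                findings.append({"package": dep["name"], "version": version,
                                 "id": adv_id, "severity": severity})
    return findings


def license_findings(bom, licenses, allowed):
    """Report BOM entries whose license is unknown or outside the allow-list."""
    findings = []
    for dep in bom:
        lic = licenses.get(dep["name"], "UNKNOWN")
        if lic not in allowed:
            findings.append({"package": dep["name"], "license": lic})
    return findings


def privileged_container_findings(manifest_text):
    """CIS-style check: flag containers that set securityContext.privileged: true."""
    findings = []
    current = None
    for line in manifest_text.splitlines():
        name_match = re.match(r"^\s*-\s*name:\s*(\S+)", line)
        if name_match:
            current = name_match.group(1)
        if re.match(r"^\s*privileged:\s*true\s*$", line):
            findings.append({"container": current, "check": "privileged container"})
    return findings


def run_checks():
    """Run all checks and return a report a pipeline step could act on."""
    bom = build_bom(REQUIREMENTS_TXT)
    return {
        "bom": bom,
        "vulnerabilities": vulnerability_findings(bom, ADVISORIES),
        "licenses": license_findings(bom, LICENSES, ALLOWED_LICENSES),
        "deployment": privileged_container_findings(DEPLOYMENT_YAML),
    }


def pipeline_passes(report):
    """Gate: fail on any high-severity vulnerability, disallowed license or privileged container."""
    high = [f for f in report["vulnerabilities"] if f["severity"] == "high"]
    return not (high or report["licenses"] or report["deployment"])


if __name__ == "__main__":
    report = run_checks()
    for key in ("vulnerabilities", "licenses", "deployment"):
        for finding in report[key]:
            print(key, finding)
    print("pipeline gate:", "pass" if pipeline_passes(report) else "fail")
```

The gate returns a single pass/fail so the pipeline can stop before a build with a known-affected dependency or a privileged container is ever produced, which is the "start of the pipeline" placement the article describes; the BOM is what lets the same findings be traced back to a source file.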
IBM sought to anchor security controls in standards such as NIST or CIS and to flatten the learning curve while introducing users to new security practices. Developers are shielded from having to understand security definitions and policies, with actionable feedback provided.