Looking to bring security and compliance analytics to devops, IBM has added its Code Risk Analyser capability to its IBM Cloud Continuous Delivery service.
Code Risk Analyser is described by IBM as a security measure that can be configured to run at the start of a developer’s code pipeline, analysing and reviewing Git repositories to discover issues with open source code.
The goal is to help application teams recognise cyber security threats, prioritise application security problems, and resolve security issues. IBM Cloud Continuous Delivery helps provision toolchains, automate tests and builds, and control software quality with analytics.
IBM said that as cloud-native development practices such as microservices and containers change security and compliance processes, it is no longer feasible for centralised operations teams to manage application security and compliance.
Developers need cloud-native capabilities such as Code Risk Analyser to embed into existing workflows. Code Risk Analyser helps developers ensure security and compliance in routine workflows.
In developing Code Risk Analyser, IBM surveyed source artifacts used by IT organisations in building and deploying applications and in provisioning and configuring Kubernetes infrastructure and cloud services.
Existing cloud solutions provide limited security controls across the source code spectrum including vulnerability scanning of application manifests. Thus it is necessary to design a solution that encompasses security and compliance assessment across artifacts.
Code Risk Analyser scans Git-based source code repositories for Python, Node.js, and Java code and performs vulnerability checks, licence management checks, and CIS (Centre for Internet Security) compliance checks on deployment configurations and generating a “bill of materials” for all dependencies and their sources. Terraform files used to provision cloud services such as Cloud Object Store are scanned to find any security misconfigurations.
IBM sought to anchor security controls in standards such as NIST or CIS and to flatten the learning curve while introducing users to new security practices. Developers are shielded from having to understand security definitions and policies, with actionable feedback provided.