The rise in cyberattacks on software supply chains poses a significant risk to organizations worldwide: according to a Gartner estimate, 45% of organizations will be affected. These attacks exploit supply chain risks, that is, vulnerabilities introduced through code sourced from open source projects or third-party vendors. The risks are especially concerning for critical systems, such as IT infrastructure and financial services organizations, which must balance innovation against security and compliance requirements.
IBM Cloud for Financial Services: A Solution for Security and Compliance
IBM Cloud for Financial Services provides a solution that supports innovation while ensuring security and compliance. By building on industry standards such as those from NIST and on the expertise of over a hundred financial services clients, IBM Cloud for Financial Services helps clients create secure and compliant hybrid cloud solutions. It uses IBM Cloud DevSecOps, also known as One Pipeline, to cover the full software lifecycle: continuous integration (CI), continuous delivery (CD), continuous deployment, and continuous compliance.
The Role of IBM Cloud DevSecOps in Ensuring Secure and Compliant Applications
IBM Cloud DevSecOps, or One Pipeline, is used to deploy applications on IBM Cloud while checking for vulnerabilities and keeping every deployment auditable. The DevSecOps pipeline consists of three components: continuous integration (CI), continuous delivery/deployment (CD), and continuous compliance (CC). The CI pipeline builds the application and runs checks such as unit tests, dynamic scans, and vulnerability checks. The CD pipeline deploys the application continuously, collecting evidence and running compliance scans along the way. The CC pipeline periodically rescans the deployed application so that compliance is verified continuously, not only at deployment time.
Where third-party code is involved and a complete CI process cannot be run, alternative approaches are available. The DevSecOps CLI, which contains the pipeline's code logic, can be integrated into existing CI systems such as Jenkins, Travis, or GitLab. An organization can then still verify the security and compliance of the application or component, because its existing CI produces the same inventory and evidence items that a One Pipeline deployment consumes.
Case Study: Financial Transaction Manager (FTM)
An example of integrating the DevSecOps CLI into existing pipelines is demonstrated by the Financial Transaction Manager (FTM) team. Due to its complex build structure and long build time, FTM could not adopt a full One-Pipeline-based solution. However, by integrating the DevSecOps CLI into their existing Jenkins-based pipelines, the FTM team was able to generate the required inventory and evidence items for One Pipeline deployment.
The FTM team created utility classes in their Jenkins shared script libraries to wrap calls to the DevSecOps CLI. Each Jenkins build could then add evidence and inventory items to the corresponding Git repositories without leaving the team's existing Jenkins infrastructure. This approach lets organizations augment the pipelines they already have and secure their software supply chain.
Conclusion
IBM Cloud DevSecOps, in combination with IBM Cloud for Financial Services, enables organizations to deploy external applications in a secure and compliant way. By integrating the DevSecOps CLI into existing CI systems, organizations can still verify security and compliance even when a full One Pipeline deployment is not possible. This approach strengthens the security of the software supply chain and mitigates the risks associated with supply chain attacks.
Frequently Asked Questions (FAQ)
What is IBM Cloud for Financial Services?
IBM Cloud for Financial Services is a platform that provides security and compliance for financial services companies. It leverages industry standards and the expertise of financial services clients to support innovation while ensuring security and compliance.
What is IBM Cloud DevSecOps?
IBM Cloud DevSecOps, also known as One Pipeline, is a set of toolchains and pipelines used to deploy applications on IBM Cloud. It focuses on continuous integration, continuous delivery/deployment, and continuous compliance to ensure the security and compliance of applications.
How can the DevSecOps CLI be integrated into existing CI systems?
The DevSecOps CLI can be integrated into existing CI systems, such as Jenkins, Travis, or GitLab. Organizations can use specific commands provided by the CLI, such as adding evidence or inventory items, to generate the necessary artifacts for secure and compliant deployments.
What is the role of the inventory and evidence lockers in secure and compliant deployments?
The inventory tracks artifact deployments, signatures, and components in a GitOps model. The evidence locker contains items asserting that the required checks, such as unit tests, code scans, and pull request reviews, were completed for a given artifact. Together these two repositories determine what is eligible for deployment: an artifact is deployed only if it is recorded in the inventory and the locker holds the evidence for it, which is what gives the deployed application its security and robustness guarantees.
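The following is an added example, not IBM's code and not the DevSecOps CLI's own data format. It models what the FTM Jenkins integration above and this answer describe: a CI job records an inventory item (name, content digest, signature) and evidence items keyed by the artifact's digest, and a deployment gate admits an artifact only when the inventory entry verifies and all required evidence for that exact digest is present and successful. Everything is assumed for illustration: the dicts stand in for files committed to the inventory and evidence Git repositories, an HMAC under a made-up `SIGNING_KEY` stands in for the real artifact signature, the check names are the ones this page lists, and the component name `ftm-core` and build bytes are constructed.

```python
"""Added example (not IBM's code): a minimal model of a DevSecOps inventory
and evidence locker, with the deployment gate that consumes them.

Assumptions (nothing here is the real DevSecOps CLI / One Pipeline format):
- inventory and evidence are plain dicts that would be committed as files to
  the inventory / evidence Git repositories;
- an HMAC over the inventory entry stands in for the real artifact signature;
- the set of required checks is the one the page lists.
"""
import hashlib
import hmac
import json

REQUIRED_CHECKS = ("unit-tests", "code-scan", "pr-review")

# Constructed stand-in for a signing key an existing CI system (e.g. Jenkins)
# would hold as a credential. Hypothetical; not a real key.
SIGNING_KEY = b"jenkins-inventory-signing-key"


def artifact_digest(artifact: bytes) -> str:
    """Content digest that ties an inventory entry and its evidence to one build."""
    return "sha256:" + hashlib.sha256(artifact).hexdigest()


def sign_inventory_entry(key: bytes, name: str, digest: str) -> str:
    """Stand-in for the artifact signature recorded in the inventory."""
    return hmac.new(key, f"{name}\n{digest}".encode(), hashlib.sha256).hexdigest()


def add_inventory_item(inventory: dict, key: bytes, name: str, artifact: bytes) -> str:
    """What a CI job does after a build: record name -> digest + signature."""
    digest = artifact_digest(artifact)
    inventory[name] = {"digest": digest,
                       "signature": sign_inventory_entry(key, name, digest)}
    return digest


def add_evidence(locker: dict, digest: str, check: str, status: str, details: dict) -> None:
    """What a CI job does after each check. Evidence is keyed by artifact digest,
    so evidence for one build cannot be reused for a different build of the same
    component."""
    locker.setdefault(digest, {})[check] = {"status": status, "details": details}


def deployment_gate(inventory: dict, locker: dict, key: bytes, name: str,
                    required=REQUIRED_CHECKS) -> tuple[bool, list[str]]:
    """Decide whether `name` may be deployed. Returns (allowed, reasons)."""
    reasons = []
    entry = inventory.get(name)
    if entry is None:
        return False, [f"no inventory entry for {name}"]
    # 1. The inventory entry itself must verify (digest/signature binding intact).
    expected = sign_inventory_entry(key, name, entry["digest"])
    if not hmac.compare_digest(expected, entry["signature"]):
        reasons.append("inventory signature does not verify")
    # 2. Every required check must have successful evidence for this digest.
    evidence = locker.get(entry["digest"], {})
    for check in required:
        record = evidence.get(check)
        if record is None:
            reasons.append(f"missing evidence: {check}")
        elif record["status"] != "success":
            reasons.append(f"failed evidence: {check}")
    return not reasons, reasons


def demo() -> dict:
    """Constructed scenario: a fully evidenced build, a rebuild that only re-ran
    unit tests, and an inventory entry edited after signing."""
    inventory, locker = {}, {}

    good = add_inventory_item(inventory, SIGNING_KEY, "ftm-core", b"build 1 bytes")
    for check in REQUIRED_CHECKS:
        add_evidence(locker, good, check, "success", {"build": 1})
    good_result = deployment_gate(inventory, locker, SIGNING_KEY, "ftm-core")

    # A second build replaces the inventory entry; only unit tests are re-run,
    # so the old scan and review evidence no longer apply (different digest).
    rebuilt = add_inventory_item(inventory, SIGNING_KEY, "ftm-core", b"build 2 bytes")
    add_evidence(locker, rebuilt, "unit-tests", "success", {"build": 2})
    rebuilt_result = deployment_gate(inventory, locker, SIGNING_KEY, "ftm-core")

    # Pointing the entry back at the fully evidenced digest without re-signing
    # is caught by the signature check even though the evidence is complete.
    inventory["ftm-core"]["digest"] = good
    tampered_result = deployment_gate(inventory, locker, SIGNING_KEY, "ftm-core")

    return {"good": good_result, "rebuilt": rebuilt_result, "tampered": tampered_result}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point a practitioner should take from the gate is that evidence is only meaningful when it is bound to the exact artifact digest recorded in the inventory; the rebuilt and tampered cases in `demo()` are the two ways that binding is most often broken in an ad hoc CI integration.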
How does IBM Cloud DevSecOps enhance the security of the software supply chain?
By integrating the DevSecOps CLI into existing CI systems, organizations can augment their pipeline processes and secure their software supply chain. The CLI enables the generation of an evidence locker and inventory, allowing organizations to verify the security and compliance of the application or component before deployment.