IBM TechXchange, October 21-24, 2024, Mandalay Bay Convention Center, Las Vegas, Nevada (#IBMTechXchange)
Session 3137: DevSecOps Transformation at IBM with Speed and Scale
Philippe Mulet, IBM Cloud Platform Automation, philippe_

Business Outcomes by the Numbers
(Two headline figures; only their captions survive in the slide text.)
- TEAMS adopted the DevSecOps platform to unlock time for other priorities
- PERSON YEARS of time saved across 150 adopting teams

Agenda
01 Why DevSecOps Transformation at IBM?
02 IBM DevSecOps Platform
03 Accelerating Adoption & Growth
04 Business Outcomes

Driving factors for DevSecOps Transformation
- Regulatory requirements, industry standards, and client expectations for a secure software supply chain are intensifying, and a common solution is needed to ensure efficiency and consistency across IBM.
- Repeatable end-to-end supply chain security is only possible through automation of CI/CD processes.
- Duplication of effort across development teams must be greatly reduced to keep developers productive and IBM competitive.
- Visibility into the security posture of all IBM products is required for efficient identification and remediation of vulnerabilities across the enterprise.

Prescriptive automation makes doing the right thing the easy thing
The automation required to meet new security and compliance directives leads to inconsistency and duplication of effort when each team implements it in its own silo. Inputs to the prescribed pipeline: NIST controls, the SBOM service, and corporate security policy.
CI requirements:
- Platform and version
- Secrets and credentials detection
- Inventory of open-source libraries
- Open-source dependency vulnerabilities
- Code quality and automated test coverage
- Static Application Security Testing (SAST) vulnerabilities
- Container image vulnerabilities
- Artifact signing
CD requirements:
- Deployment environment and hosting region
- Increase deployment frequency and reduce duration
- Dynamic Application Security Testing (DAST) vulnerabilities
- Production deployment approval auditing
Compliant productivity!

Example of Audit Requests
- "Show me what vulnerabilities you have detected in production, and your plans to remediate them in due time."
- "Are you able to prevent new vulnerabilities from being deployed to production?"
- "Prove to me that you weren't already impacted by the Log4j CVE when you deployed this release 6 months ago. Can you prove it even if developers discarded pipelines?"
- "Prove to me that you validated a release in preprod before prod."
- "Is the audit evidence stored in a safe place, so that it cannot be altered or deleted by developers? Can you locate all evidence for a deployment 6 months ago?"
- "How do you enforce the integrity of your software supply chain (e.g. preventing the build system from being compromised)? Are you able to produce SBOMs for your releases? Can you attest the provenance of all inputs, outputs and processes involved in a certified manner?"

Strategic Recommendation: IBM-wide CI/CD Initiative (June 2022)

Agenda: 02 IBM DevSecOps Platform

IBM DevSecOps Platform
- Centralized CI/CD platform which prevents software security problems from reaching production systems and streamlines compliance audits using built-in DevSecOps practices.
- Opinionated Tekton pipelines include automation that is shared by all users.
- Unlocks development capacity to focus on building new capabilities and improving the value of IBM Software for clients.
Three pillars: Continuous Integration, Continuous Deployment, Continuous Compliance.

What's under the hood?
- Web-based user experience and/or CLI
- Targeted set of IBM Cloud services to configure, run and debug pipelines
- Toolchains of the tools needed by pipelines
- Secrets Manager for passwords and API keys
- Object Storage for audit-ready evidence
- Continuous Delivery to orchestrate the pipelines
- Container Registry namespace for images
- Pipeline Worker Pool for secure pipeline execution, with configurable worker types and auto-scaling
- Secure builds with Supply-chain Levels for Software Artifacts (SLSA) Level 3 attestations for pipeline execution and source code integrity
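How a CD "provenance check" step can consume such an attestation, as an added example that is not IBM's pipeline code: it takes a SLSA v1.0 provenance statement (in-toto Statement format), the bytes of the artifact about to be deployed, and the identities the policy trusts, and refuses deployment unless the statement's subject digest matches the artifact, the builder id is the trusted pipeline, and the build resolved the expected source repository at a pinned commit. The builder id, source URI, commit and artifact bytes are constructed for the example; signature verification of the DSSE envelope that carries the statement is assumed to have happened already.

```python
"""Provenance check before deployment (added example, not IBM's pipeline code).

Checks a SLSA v1.0 provenance statement (in-toto Statement v1) against the
artifact about to be deployed. Assumed: the DSSE envelope carrying the
statement has already been signature-verified, so only the statement contents
are checked here. Builder id, source URI, commit and artifact bytes are
constructed for the example.
"""
import hashlib
import json

TRUSTED_BUILDER_ID = "https://pipelines.example.invalid/ci/tekton"       # assumed value
EXPECTED_SOURCE_URI = "git+https://git.example.invalid/org/example-app"  # assumed value

# Constructed stand-in for the built artifact (an image manifest or a tarball
# would be hashed the same way).
ARTIFACT_BYTES = b"example-app 1.4.2 build output (constructed sample)"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_sample_statement(subject_sha256: str) -> str:
    """Constructed SLSA v1.0 provenance statement, serialised as a pipeline would store it."""
    statement = {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "example-app", "digest": {"sha256": subject_sha256}}],
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {
            "buildDefinition": {
                "buildType": "https://pipelines.example.invalid/build-types/tekton/v1",
                "resolvedDependencies": [
                    {"uri": EXPECTED_SOURCE_URI,
                     "digest": {"gitCommit": "8f3a1c2e9b4d5f60718293a4b5c6d7e8f9a0b1c2"}}
                ],
            },
            "runDetails": {"builder": {"id": TRUSTED_BUILDER_ID}},
        },
    }
    return json.dumps(statement)


def provenance_failures(statement_json: str, artifact: bytes,
                        trusted_builder: str, expected_source: str) -> list:
    """Return the policy failures for deploying `artifact`; an empty list means allowed."""
    failures = []
    st = json.loads(statement_json)
    if st.get("_type") != "https://in-toto.io/Statement/v1":
        failures.append("not an in-toto Statement v1")
    if st.get("predicateType") != "https://slsa.dev/provenance/v1":
        failures.append("predicateType is not SLSA provenance v1")
    # 1. Subject binding: the attestation must name the digest of exactly this artifact.
    subject_digests = {s.get("digest", {}).get("sha256") for s in st.get("subject", [])}
    if sha256_hex(artifact) not in subject_digests:
        failures.append("artifact sha256 is not an attestation subject")
    pred = st.get("predicate", {})
    # 2. Builder identity: only the isolated build service may vouch for the artifact
    #    (at SLSA L3 the build platform, not the developer, produces the provenance).
    builder_id = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder_id != trusted_builder:
        failures.append("builder id %r is not the trusted pipeline" % (builder_id,))
    # 3. Source integrity: the build resolved the expected repository at a pinned commit.
    deps = pred.get("buildDefinition", {}).get("resolvedDependencies", [])
    sources = [d for d in deps if d.get("uri") == expected_source]
    if not sources:
        failures.append("expected source repository not among resolvedDependencies")
    elif any(len(d.get("digest", {}).get("gitCommit", "")) != 40 for d in sources):
        failures.append("source is not pinned to a full git commit")
    return failures


def deploy_allowed(statement_json: str, artifact: bytes) -> bool:
    """Gate used by a deploy stage: True only when no policy check failed."""
    return not provenance_failures(statement_json, artifact,
                                   TRUSTED_BUILDER_ID, EXPECTED_SOURCE_URI)


if __name__ == "__main__":
    good = make_sample_statement(sha256_hex(ARTIFACT_BYTES))
    print("genuine artifact:", deploy_allowed(good, ARTIFACT_BYTES))
    # A swapped artifact presented with the same attestation fails the subject check.
    print("tampered artifact:", provenance_failures(good, ARTIFACT_BYTES + b"x",
                                                    TRUSTED_BUILDER_ID, EXPECTED_SOURCE_URI))
```

The three checks are deliberately independent, so the failure list tells the operator which property was violated (a re-tagged image, a laptop build, or an unpinned source) instead of a bare "denied".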
(Architecture diagram: IBM Cloud services, namely Continuous Delivery, Secrets Manager, Object Storage and a Registry Namespace; toolchains carrying the PR, CI, CD and CC pipelines; dedicated and isolated private Tekton worker pools A, B, ...; a web-based interface and a command line interface.)

Developer Experience
(Flow diagram: the developer commits code to the product repo and configures the pipeline through the pipeline config kept in Git; a trigger inside the IBM Cloud service boundary runs the pipeline, which reports back, deploys automatically to the development environment and performs change-controlled deployment to the staging/production environments; operations and support sit alongside.)
- Pre-built pipelines deliver out-of-the-box DevSecOps best practices to developers
- Git-based customization of the build, test and deploy processes with shell scripts
- CI pipeline triggers on Git commit of changes
- Pipeline audit trail stored in the Evidence Locker
- Auto deploy to Development environment
- Slack notifications of pipeline logs and actions
- Change controlled Production deployments
- 24x7 operations and follow-the-sun support
- Global service operated in countries that meet the Secure Software regulatory requirements

Understanding how the platform works
Capability matrix by pipeline stage. "Included" means shipped with the platform's pipeline images; "3rd party" means the tool the same step can be pointed at instead.
Initial analysis (code):
- Source code: Included GRIT; 3rd party GHE, GitLab, more if needed
- Code reviews: Included built-in introspection of all incoming commits/PRs, also branch protection
- Secret detection: Included Yelp detect-secrets
- SAST: Included SonarQube CE, Gosec, FIPS; 3rd party Contrast, SonarQube
- SCA and SBOM: Included Code Risk Analyzer, Syft, CdxGen; 3rd party Mend
- Unit testing: Included all popular frameworks, as part of the pipeline images
Build:
- Build artifacts: Included ant, mvn, gradle, make, COS buckets; 3rd party any via custom image
- Build image: Included BuildKit, docker daemon, helm, npm, pip, ICR; 3rd party any via custom image
- Scan image: Included Vulnerability Advisor, Sysdig Secure; 3rd party Twistlock, Aqua, Trivy, JFrog Xray
- Sign image: Included self-signing (skopeo); 3rd party Garasign
- Build provenance: Included SLSA level 3
Deploy:
- Integrity checks: Included signature validation (skopeo), SLSA level 3 provenance, in-cluster checks (Portieris etc.)
- GitOps inventory: Included GRIT; 3rd party GHE, GitLab, more if needed
- Change request: Included GRIT, GHE; 3rd party ServiceNow, more if needed
- GitOps deploy: Included kubectl/helm, Razee, z/OS deploy agent, Terraform; 3rd party ArgoCD
- Hybrid deploy: Included private pipeline worker
Test:
- Penetration testing (DAST): Included OWASP ZAP
- Browser-driven regression/acceptance tests: Included Cypress; 3rd party SauceLabs
- Performance and integration testing: Included all popular frameworks, as pipeline images; one test step still lists its 3rd-party option as tbd
Monitor:
- Included Security and Compliance Center, DevOps Insights, and (in progress) IBM Concert
Comprehensive Security & Compliance Capabilities.

Common DevSecOps process for FS Cloud
- Preconfigured from a template, available as a Deployable Architecture
- Curated by IBM, FS-Cloud validated
- Also adhering to Secure Software Supply Chain standards: NIST SP 800-53 (security controls), NIST SP 800-218 (SSDF), SLSA level 3, SBOM, etc.
Common Pre-Deploy Validation:
- Shift-left control of security/compliance to dev teams
- Pull request validation
- Preconfigured CI with all security and compliance checks built in
- Unified quality dashboard
- Automatic tracking of deviations with due dates
- Isolated builds for multiple architectures
Common Release Automation:
- GitOps inventory tracking all build artifacts (e.g. Z and non-Z)
- Common deployment process for all build artifacts
- Automatic generation of change request documents
- Hybrid deployment to OpenShift and WAZI for staging
- Automatic gating of bad deployments, emergencies, etc.
- Emergency flows, rollback support
Common Compliance:
- CC revalidation post-deployment
- Integrated with Security & Compliance Center for monitoring CI/CD/CC conformance to FS-Cloud
- Automatic collection of auditable evidence
- Auto-remediation routed back to the dev team

Platform capabilities by pillar
Continuous Integration:
- Everything as code
- Orchestrating an agnostic toolset
- Signed build artifacts
- SBOM generation
- SLSA level 3 attestation
- Vulnerability scans: dependencies, static code, dynamic code, image
- Audit-ready release inventory and evidence retention
- Problem detection and issue tracking
- Code review, branch checks
- Secret detection
- OSS license checks
- Trusted provenance
- CIS Benchmarks
Continuous Deployment:
- GitOps release promotion
- Automatic change request calculation with deploy readiness and traceability
- Approvals, emergencies
- Aggregated SBOM and evidence for each release
- Hybrid deployments
- Enforcement of signed artifacts at deployment
- Integration with Posture Management (CSPM)
Continuous Compliance:
- Continuous production release revalidation (post deployment)
- Issue management with due dates
- Automatic remediation
- Alerting and reporting
- Integration with Posture Management (CSPM)
Roles: Development Team, Approver (if needed), DevOps Engineer, Security & Compliance Engineer.

Implemented Best Practices
PR pipeline "code" (runs on pull request PR-1): secret detection, unit test, static code scan, dependency vulnerability scan, branch protection check, CIS checks; sets the pull request status.
CI pipeline "build" (runs on the merged code): secret detection, unit test, static code scan, dependency vulnerability scan, branch protection check, code reviews check, compute build SBOM, provenance check, CIS checks, OSSC license check, build artifacts including the SLSA attestation, sign artifacts, scan artifacts, deploy in dev, dynamic code scan, acceptance tests; updates the CI/CD artifact inventory and evidence.
CD pipeline "production" (for region-1): generate change request, check artifact signatures, SBOM aggregation, change request approved, GitOps promotion to prod, deploy in region-1 into an environment with signature enforcement, acceptance tests, update change request status (close/fail), update SCC/Insights.
Supporting services: credential vault, cert manager, issue tracking, CI/CD artifacts, a COS bucket for CI/CD evidence artifacts, and a Git repository for the CI/CD evidence summary.
Evidence-based roles: operator, application developer, compliance manager, security focal, change management.
Change request traceability: issue/pull request, software bill of materials, audit evidence.
Status on each control: secret detection; unit test passed; build provenance (SLSA level 3); dependency code vulnerability scan (CVE); provenance from trusted repositories; OSSC license check; static code scan; dynamic code scan; changes reviewed; signed artifact; binary vulnerability scan VA (CVE); acceptance tests in PRE-PROD.
Reporting and record targets: DevOps Insights; Security & Compliance Center, Concert; GitHub, GitLab, ServiceNow (change management); GitHub, GitLab (source and evidence).

Prescriptive & Flexible
- The pipeline configuration file abstracts users from the complexity of Tekton.
- The .pipeline-config.yaml and its associated scripts define what each stage of the pipeline does.
- It becomes an integral part of the application code, because it defines what the pipeline should do for the code in each repo.

.pipeline-config.yaml (the slide's example, with the shell syntax restored that the extraction dropped; get_env reads a pipeline property, here the pipeline_namespace that distinguishes PR, CI, CD and CC runs):

```yaml
version: 1
setup:
  image: icr.io/continuous-delivery/pipeline/pipeline-base-ubi
  script: |
    #!/usr/bin/env bash
    # Verbose tracing when the PIPELINE_DEBUG property is set.
    if [[ "$PIPELINE_DEBUG" == 1 ]]; then
      trap env EXIT
      env
      set -x
    fi
    # Code checkout setup is only needed for the PR and CI pipelines.
    if [[ "$(get_env pipeline_namespace)" == *"pr"* || "$(get_env pipeline_namespace)" == *"ci"* ]]; then
      source scripts/code_setup.sh
    fi
test:
  abort_on_failure: false
  image: icr.io/continuous-delivery/pipeline/pipeline-base-ubi
  script: |
    #!/usr/bin/env bash
    # run_test is defined in the repo's own scripts/run_test.sh.
    source scripts/run_test.sh
    run_test test com.ibm.unit_tests unit-test-result.xml 1
containerize:
  dind: true
  image: icr.io/continuous-delivery/pipeline/pipeline-base-ubi
  script: |
    #!/usr/bin/env bash
    if [[ "$PIPELINE_DEBUG" == 1 ]]; then
      trap env EXIT
      env
      set -x
    fi
    source scripts/build_setup.sh
    source scripts/build.sh
deploy:
  image: icr.io/continuous-delivery/pipeline/pipeline-base-ubi
  script: |
    #!/usr/bin/env bash
    if [[ "$PIPELINE_DEBUG" == 1 ]]; then
      trap env EXIT
      env
      set -x
    fi
    source scripts/deploy_setup.sh
    source scripts/deploy.sh
```

Single Source of Truth
Roles: Application Developer, Compliance Manager, Security Focal, Operator.
What each gets from the shared evidence: shift-left awareness and validation; tracking remediation; Zero Trust; automatic release deployment; monitoring compliance posture; automatic remediation.
(The change request traceability and per-control status panel on this slide repeats the one shown under Implemented Best Practices.)
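One way to answer the Log4j question from the audit-request slide out of retained evidence, as an added example (not IBM's code): with a CycloneDX SBOM kept for every production deployment, the question becomes a query over the evidence locker rather than over pipeline runs that may have been discarded. The locker records and the affected-version range are constructed for the example; the range is a simplification of the CVE-2021-44228 advisory (which excludes some backported security releases such as 2.12.2), so take the authoritative range from the advisory.

```python
"""Answering an audit request from retained SBOM evidence (added example, not IBM code).

"Prove you were not impacted by the Log4j CVE when you deployed this release
six months ago, even if the pipeline is gone." When every deployment leaves
its CycloneDX SBOM in the evidence locker, that is a query over the locker.
All records below are constructed; the affected range is a simplification of
the CVE-2021-44228 advisory and must be taken from the advisory in practice.
"""
import re

# Constructed evidence locker: one retained record per production deployment.
# Real records are CycloneDX JSON documents read back from object storage.
EVIDENCE_LOCKER = [
    {"release": "example-app-1.3.0", "deployed": "2024-03-12",
     "sbom": {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
         {"type": "library", "name": "log4j-api",
          "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
         {"type": "library", "name": "log4j-core",
          "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
     ]}},
    {"release": "example-app-1.4.0", "deployed": "2024-05-02",
     "sbom": {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
         {"type": "library", "name": "log4j-core",
          "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
         # A shaded dependency bundles its own copy; CycloneDX nests it.
         {"type": "library", "name": "legacy-reporting",
          "purl": "pkg:maven/com.example/legacy-reporting@3.1.0",
          "components": [
              {"type": "library", "name": "log4j-core",
               "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.11.2"}]},
     ]}},
    {"release": "example-app-1.5.0", "deployed": "2024-06-20",
     "sbom": {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
         {"type": "library", "name": "logback-classic",
          "purl": "pkg:maven/ch.qos.logback/logback-classic@1.4.14"},
     ]}},
]

# Simplified affected range: log4j-core >= 2.0 and < 2.15.0 (assumption for the example).
LOG4SHELL = {"id": "CVE-2021-44228", "type": "maven",
             "namespace": "org.apache.logging.log4j", "name": "log4j-core",
             "introduced": "2.0", "fixed": "2.15.0"}

PURL_RE = re.compile(r"^pkg:(?P<type>[^/]+)/(?:(?P<ns>[^/@]+)/)?(?P<name>[^/@]+)@(?P<ver>[^?#]+)")


def parse_version(v: str) -> tuple:
    """Numeric version tuple padded to three parts; a '-beta9' style suffix is dropped."""
    nums = [int(x) for x in re.findall(r"\d+", v.split("-")[0])]
    return tuple(nums + [0] * (3 - len(nums)))


def is_affected(version: str, vuln: dict) -> bool:
    v = parse_version(version)
    return parse_version(vuln["introduced"]) <= v < parse_version(vuln["fixed"])


def walk_components(components: list):
    """Yield every component, including those nested inside other components."""
    for c in components:
        yield c
        yield from walk_components(c.get("components", []))


def affected_releases(locker: list, vuln: dict) -> list:
    """Releases whose retained SBOM contains the vulnerable component, with the purl found."""
    hits = []
    for rec in locker:
        for comp in walk_components(rec["sbom"].get("components", [])):
            m = PURL_RE.match(comp.get("purl", ""))
            if not m:
                continue
            # Only the named package counts: log4j-api is not the vulnerable artifact.
            if (m["type"], m["ns"], m["name"]) != (vuln["type"], vuln["namespace"], vuln["name"]):
                continue
            if is_affected(m["ver"], vuln):
                hits.append({"release": rec["release"], "deployed": rec["deployed"],
                             "component": comp["purl"]})
    return hits


if __name__ == "__main__":
    for hit in affected_releases(EVIDENCE_LOCKER, LOG4SHELL):
        print(hit)
```

Matching on the package URL rather than on the display name is what keeps the answer defensible: the name field is free text, while the purl pins ecosystem, group and exact version, and walking nested components catches the copy a shaded jar carries that a top-level listing would miss.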
Securing the Software Supply Chain with IBM Cloud
- Enhance end-to-end agility with alignment across lifecycles, common technologies, and compliance.
- Prevent software security problems and supply chain attacks from reaching production systems with a complete cloud-native, curated, hosted, secure software supply chain on IBM Cloud.
Standardized and customizable across platforms:
- Common DevSecOps toolchains: Continuous Integration, Continuous Deployment, Continuous Compliance
- Cloud, mainframe, on-premise
- Deployable Architectures templated via Infrastructure as Code
Software supply chain security:
- Software Bill of Materials (SBOM)
- Artifact signing
- Security and vulnerability management
Auditability and compliance:
- Auditable evidence collection
- Security and Compliance Center integration
- Compliance monitoring and issue tracking
- Automatic generation of change requests
Standardize and secure the entire development process; implement industry standards:
- NIST SP 800-53 Configuration Management controls
- NIST SP 800-218 Secure Software Development Framework
- Supply-chain Levels for Software Artifacts (SLSA) Level 3
- Software Bill of Materials (SBOM)
99.95% availability and disaster recovery; IBM Cloud for Financial Services; VPC; automated deployment of infrastructure plus applications.

Agenda: 03 Accelerating Adoption & Growth
Benefits of IBM Cloud Secure Software Supply Chain
Buy vs Build: reinvest your development talent in what really matters, your business!
- End-to-end solution meeting all DevSecOps best practices (shift-left, GitOps, etc.)
- Standard opinionated solution, yet customizable; can be used as-is or as a platform to augment
- Entirely templated via infrastructure as code for quick setup
- Comprehensive toolset, extensible with your own tools
- Complete solution handling pre-deploy validation, release automation and compliance for audits
- Automatic tracking of deviations and remediation of vulnerabilities
- Supports any code workload (e.g. Z and non-Z together)
Managed by IBM:
- Curated by IBM, with a roadmap of new features
- Regional (data at rest and in transit)
- Built on robust (SLA 99.95%, BCDR) and certified IBM Cloud services (SOC2, EU, GDPR, FS-Cloud, ISO27K)
- Hosted in the cloud, but able to interact with and deploy to on-prem environments and other cloud environments
- Leverages the cloud's IAM controls, credentials management and more
Out of the box compliant:
- NIST Risk Management Framework (RMF) with the SP 800-53 control catalog
- NIST Secure Software Development Framework (SSDF, SP 800-218), Zero Trust Architecture
- NIST Software Bill of Materials (SBOM, EO 14028)
- Supply-chain Levels for Software Artifacts (SLSA 1.0 level 3)
- IBM Cloud for Financial Services

Growth Strategy: Lean Startup Mindset and Principles
(Build-Measure-Learn loop: Ideas feed Build, Build produces Code, Code is Measured, measurement yields Data, Data drives Learning, and learning produces new Ideas.)

What's Really Needed to Accelerate DevSecOps Adoption
(Title-only slide in the extracted text.)

IBM Concert
(Title-only slide in the extracted text.)

Growth Outcomes
(Chart: teams onboarded per quarter, and teams pending onboarding, i.e. demand.)

Agenda: 04 Business Outcomes

Improving Efficiency: shift pipeline responsibilities to a central team
Table 1 shows typical activities that CI/CD teams and developers own for their products and services. Sharing automation that is maintained for the teams can save each team up to 20% in efficiency. Greater savings are possible with a DevSecOps platform supported by DevSecOps experts.
What changes with a DevSecOps platform? A DevSecOps Center of Excellence (CoE) using IBM Cloud DevSecOps takes ownership of responsibilities as shown in Table 2. Identifying and addressing security vulnerabilities early saves teams 10-15 developer hours per week, a significant cost saving at enterprise scale.
Table 1: Current model, distributed DevOps with dedicated staff (owner columns: DevOps, Developer).
Table 2: Centralized DevSecOps model, the DevSecOps shift (owner columns: Central, DevOps, Developer).
Activities listed in both tables (the per-column ownership marks did not survive extraction):
- Manage and maintain the CI/CD orchestrator
- Set up pipelines and new capabilities (Table 2: set up pipelines and advise on new capabilities)
- Set up build, test and deploy scripts
- Execute the pipeline and view logs
- Debug and fix issues with custom pipeline scripts
- Troubleshoot and fix pipeline runtime issues
- Align pipeline capabilities with CISO policies
- Facilitate deployment to production
- Respond to data requests for audits

Return On Investment (ROI) Calculator
SPS Platform Capability | Average Hours Saved per Week
- Operate, patch, upgrade, and maintain the pipeline runtime environment with SLSA Level 3, aligned to NIST SSDF requirements | 10 hours/week for one member of the CI/CD team
- Build, maintain, and continuously enhance the pipelines and automation to keep them aligned with evolving standards and innovations in security and compliance tooling | 40 hours/week, since maintenance and enhancement of the pipeline automation is done by the IBM team
- Security scans (OSS, SAST, DAST, container), vulnerability management automation, the DevOps Insights dashboard for developers and Security & Compliance Center for CISO teams | 10 hours/week for each security focal: a focal who spends 50% of their time running security scans and then analyzing, tracking, and reporting vulnerabilities has that effort reduced to 25% by the automation
- SBOM for every build and deploy operation; evidence of pipeline and pipeline-stage execution to ensure auditable compliance with the NIST 800-53 controls, giving standardized responses during internal and external audits | 4 hours/week by using standardized evidence and change management records to respond to audit questions

Business Outcomes by the Numbers (repeat of the opening slide): TEAMS adopted the DevSecOps platform to unlock time for other priorities; PERSON YEARS of time saved across 150 adopting teams.

Thank You
Philippe Mulet, IBM Cloud Platform Automation, philippe_

Notices and disclaimers
Certain comments made in this presentation may be characterized as forward looking under the Private Securities Litigation Reform Act of 1995. Forward-looking statements are based on the company's current assumptions regarding future business and financial performance. Those statements by their nature address matters that are uncertain to different degrees and involve a number of factors that could cause actual results to differ materially. Additional information concerning these factors is contained in the Company's filings with the SEC. Copies are available from the SEC, from the IBM website, or from IBM Investor Relations. Any forward-looking statement made during this presentation speaks only as of the date on which it is made. The company assumes no obligation to update or revise any forward-looking statements except as required by law; these charts and the associated remarks and comments are integrally related and are intended to be presented and understood together.
© 2024 International Business Machines Corporation. All rights reserved. This document is distributed "as is" without any warranty, either express or implied. In no event shall IBM be liable for any damage arising from the use of this information, including but not limited to, loss of data, business interruption, loss of profit or loss of opportunity. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary. Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. Not all offerings are available in every country in which IBM operates. Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice. IBM, the IBM logo, and are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at: