IBM Advances DevSecOps in Cloud Service Based on Kubernetes

IBM this week added a Code Risk Analyzer feature to the IBM Cloud Continuous Delivery service that enables developers to analyze code in a Git repository within the context of a DevOps process based on Tekton pipelines running on Kubernetes clusters.

Gosia Steinder, IBM Fellow for container cloud platform research, says Code Risk Analyzer analyzes multiple security feeds and repositories to surface recommendations based on dependencies, outlier detections or known remediations. It also tracks changes to all dependencies, including the base image, operating systems package and application package, to both classify changes by task and provide automated update notifications.

Recommendations are made after analyzing vulnerability data provided by partners such as Snyk, says Steinder. The goal is to help application teams not only recognize rapidly evolving cybersecurity threats but also better prioritize application security issue problems, she notes.

That capability is critical, she says, because beyond simply giving developers a tool to scan images Code Risk Analyzer is extending a DevSecOps toolchain delivered via the IBM cloud.

As developers are held more accountable for security, Steinder says it’s apparent a more holistic approach to DevSecOps is required. Code Risk Analyzer empowers developers to resolve security issues themselves before flawed code is incorporated into the next build, she says.

Code Risk Analyzer is designed for organizations building applications on top of Kubernetes clusters but longer-term she says IBM is exploring making the analytics surfaced by the DevSecOps tool accessible to other application development platforms. Ultimately, IBM is moving toward a centralized security service through which DevOps and cybersecurity teams will be able to collaborate more easily, notes Steinder.

In general, Steinder says it’s no longer feasible for understaffed cybersecurity teams to keep pace with the rate at which applications are now being developed. It’s incumbent on organizations that have embraced DevOps to now make security reviews part of any best practice. Eventually, she says, there may come a day when security is just a standard element of an application quality assurance process.

As IT environments become more complex, thanks mainly to the rise of microservices based on containers, there’s no doubt developers will be held more responsible for security. In fact, cybercriminals are already targeting the application programming interfaces (APIs) upon which the microservices depend.

What’s unreasonable, says Steinder, is expecting developers to know about every potential security issue. Such issues need to be surfaced automatically as developers are writing code rather than sometime later during the build process—or, worse yet, after an application has already been deployed, she notes.

It may be a while before best DevSecOps practices are widely employed. However, as more tools become incorporated into the DevOps toolchain, many developers will assume control over security. After all, nobody wants to intentionally deploy an insecure application. The challenge is making it possible to develop and deploy secure applications as easily as possible.

Mike Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.

Mike Vizard has 1641 posts and counting. See all posts by Mike Vizard