Creating A Secure Software Supply Chain In A Large Engineering Organization - IBM

Introduction

In this session of the DevOps Enterprise Summit, Rosalyn Raglev and Tom Wallace of IBM discussed the critical initiative to centralize continuous integration and continuous deployment (CI/CD) execution and establish a secure software supply chain across the vast IBM organization. As IBM continues to evolve with technology and cybersecurity threats, the need for a consolidated and efficient approach to software development has never been more vital.

About IBM CIO Organization

Rosalyn introduced herself as an IBM Fellow responsible for DevSecOps within the IBM CIO organization and highlighted her collaboration with Tom, who works as a senior technical staff member in the same office. Together, they manage the intricate systems supporting IBM, which has over 300,000 global employees. The CIO office oversees approximately 6,000 developers, 6,000 applications, and 70,000 GitHub repositories, making it crucial in providing vital applications that manage the company's extensive operations.

The Need for Centralization

Tom explained that IBM's diverse technology landscape encompasses everything from legacy mainframe applications to modern containerized applications running in IBM Cloud. With the proliferation of cybersecurity threats, the responsibility for secure code deployment lies heavily on the shoulders of development teams. Each application may have its own regulatory requirements, making it time-consuming and costly to ensure that all teams adhere to security protocols across such a large organization.

Historically, teams have relied on a variety of CI/CD tools, including Jenkins and other open-source tools. However, this has resulted in redundancy and wasted resources, compounding the issue across thousands of source code repositories. Even small efficiencies, when scaled, can lead to substantial savings in terms of developer hours.

The incident involving the Log4j vulnerability further highlighted the lack of centralized tracking and reporting within IBM's vast array of applications. Teams were forced to assess the impact of Log4j on their applications independently, turning what should have been a straightforward reporting exercise into an inefficient investigation.

The Path Forward

To tackle these challenges, IBM is focusing on improving the environment for its developers through the software supply chain initiative. The goal is to streamline CI/CD pipelines, enhance visibility, and reduce repetitive work across the organization. By centralizing data management related to software vulnerabilities and deployments, IBM aims to create a more efficient and secure software supply chain that empowers development teams without compromising on security.
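The Log4j episode above is the classic case for the centralized vulnerability data the initiative describes: with one dependency index built from every repository's bill of materials, "which applications ship this component in the affected range?" becomes a single query rather than a per-team investigation. The following is an added illustration, not IBM's tooling; the SBOM-like records, repository names and version range are constructed for the example.

```python
"""Central dependency index: answer "which repositories ship package X in
version range Y?" from one place instead of asking every team to check.

Added example; not IBM's code. Records are constructed and shaped like
minimal CycloneDX-style components (group/name/version) per repository."""
from collections import defaultdict
from typing import Iterable

# Constructed sample: one SBOM-like document per repository.
SAMPLE_SBOMS = [
    {"repo": "payroll-api", "components": [
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
        {"group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.13.0"}]},
    {"repo": "sales-portal", "components": [
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"}]},
    {"repo": "hr-batch", "components": [
        {"group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.14.1"}]},
]


def parse_version(v: str) -> tuple:
    """Dotted versions compared numerically ('2.10.0' > '2.9.1').
    Purely numeric segments sort above non-numeric ones (e.g. 'beta9')."""
    parts = []
    for seg in v.split("."):
        parts.append((1, int(seg)) if seg.isdigit() else (0, seg))
    return tuple(parts)


def build_index(sboms: Iterable[dict]) -> dict:
    """Map 'group:name' -> [(repo, version), ...] across all repositories.
    This is the centralized view: ingested once, queried many times."""
    index = defaultdict(list)
    for doc in sboms:
        for c in doc["components"]:
            index[f"{c['group']}:{c['name']}"].append((doc["repo"], c["version"]))
    return index


def affected_repos(index: dict, package: str, min_vuln: str, fixed_in: str) -> list:
    """Repositories whose pinned version satisfies min_vuln <= version < fixed_in.
    The range is supplied by the caller (from the advisory), not hard-coded here."""
    lo, hi = parse_version(min_vuln), parse_version(fixed_in)
    return sorted(repo for repo, ver in index.get(package, [])
                  if lo <= parse_version(ver) < hi)


if __name__ == "__main__":
    idx = build_index(SAMPLE_SBOMS)
    # Constructed range for illustration only; take the real one from the advisory.
    print(affected_repos(idx, "org.apache.logging.log4j:log4j-core", "2.0", "2.15.0"))
```

The same index also answers the follow-up questions a central team needs (how many repositories pin an end-of-life version, which ones still have not picked up a fix), which is the reporting capability the per-team approach lacked.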

Conclusion

Through collaborative efforts within the IBM CIO organization, Rosalyn and Tom are leading the charge to enhance developer experience while prioritizing security. The overarching aim is to establish IBM as a model “client zero” for demonstrating effective hybrid cloud practices and secure software deployment processes in the industry.


Keywords

  • IBM
  • DevSecOps
  • CI/CD
  • Software Supply Chain
  • Cybersecurity
  • Log4j Vulnerability
  • Developer Experience
  • Centralized Management

FAQ

Q: What is the role of the IBM CIO organization?
A: The IBM CIO organization manages IT infrastructure that supports various business functions, including HR and sales, and oversees thousands of developers and applications.

Q: Why is centralizing the CI/CD process important for IBM?
A: Centralization helps reduce redundancy, enhance visibility into software vulnerabilities, and improve overall efficiency and security across diverse technologies.

Q: What event highlighted the need for better software supply chain management at IBM?
A: The Log4j vulnerability incident revealed gaps in centralized tracking and reporting, prompting the need for improved management of software supply chains.

Q: How can organizations benefit from a secure software supply chain?
A: A secure software supply chain allows for efficient deployment processes, better adherence to security protocols, and a reduction in wasted resources and developer hours.

Q: What is the ultimate goal of IBM's software supply chain initiative?
A: The initiative aims to create a seamless, secure, and efficient software development environment that serves as a best practice model in the industry.