by Robert Boule, last updated on November 9, 2023

I’m excited to be rejoining OpsMx just in time to share with you our next set of innovations: secure software delivery. Today at cdCon 2023 in Vancouver, Canada, OpsMx announced a new release of OpsMx Secure Software Delivery (SSD), a CI/CD solution designed specifically for supply chain security. I’d like to share how OpsMx can help your organization prevent the introduction of security issues, discover and resolve vulnerabilities in production environments more quickly, and capture a deployment bill of materials (DBOM).

The Growing Problem: Software Supply Chain Attacks

As digital innovation accelerates and the role of Artificial Intelligence (AI) expands, the risk of software supply chain attacks intensifies, presenting a significant challenge for organizations of all sizes. By 2025, it is projected that 45% of organizations worldwide will have fallen victim to such attacks—a staggering three-fold increase from 2021.

Modern software delivery pipelines, characterized by many tools, teams, open-source code, and cloud platforms, complicate efforts to safeguard software supply chains from malicious actors. This complexity, coupled with manual processes, integrations, and open-source components, can undermine existing security measures, creating a vast attack surface without a unified approach for end-to-end governance, security, and risk management. Consequently, organizations remain vulnerable to security breaches and the exploitation of vulnerabilities.

Introducing OpsMx SSD (Secure Software Delivery)

OpsMx Secure Software Delivery (SSD) offers a secure, compliant, and optimized continuous delivery solution. The core capabilities of the OpsMx solution are strategically organized into three key pillars: Prevent, Resolve, and Secure. Our Secure Software Delivery extension prevents and resolves vulnerabilities and risks in real time, ensuring a secure and compliant software delivery environment.

Proactive Security Controls for Software Delivery

Prevent: Proactive Security Controls

Prevention is a top priority in our comprehensive security strategy. Our solution is designed with features and functional areas that create a strong, proactive security posture to ensure the safety and integrity of software delivery processes.

Security Controls: Within our Prevent pillar, Secure Pipelines, Secure Approvals, and Deployment Policy Enforcement play a crucial role. We limit who can make changes in specific environments by implementing access and change controls on delivery pipelines, reducing the risk of unauthorized access or modifications. With AI/ML-assisted security reviews, we provide scalable and efficient approval processes, ensuring top-notch security throughout the software delivery lifecycle. Additionally, we offer the ability to define rules based on vulnerability data and monitor the performance of the environment, application, or pipeline-specific security checks during delivery and deployment.

Advanced Admission Control: Ensuring a secure deployment environment requires validating admission control. Our solution checks if the target environment meets requirements at deployment time, such as having no writable directories or root users. This validation takes place before running a new version, further bolstering the security of the software delivery process.
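The kind of admission-time check described above, as an added illustration that is not OpsMx code: a small Python gate that inspects a Kubernetes Pod manifest before the new version is allowed to run. The sample manifest is constructed, and the mapping of "root users" onto `runAsUser`/`runAsNonRoot` and of "writable directories" onto `readOnlyRootFilesystem` is an assumption of the example, not a description of the product's rules.

```python
"""Admission-time checks on a Kubernetes Pod manifest.

Added example, not OpsMx code: a minimal admission gate that rejects workloads
running as root or with a writable root filesystem, the two conditions named in
the text, plus an unpinned-image check. Which fields are consulted and how
"writable directories" maps onto readOnlyRootFilesystem are assumptions.
"""

# Constructed sample Pod: the "api" container satisfies the policy, the
# "debug-sidecar" container violates it in three ways.
SAMPLE_POD = {
    "kind": "Pod",
    "metadata": {"name": "payments-api"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1001},
        "containers": [
            {
                "name": "api",
                "image": "registry.example/payments-api@sha256:" + "ab" * 32,
                "securityContext": {"readOnlyRootFilesystem": True},
            },
            {
                "name": "debug-sidecar",
                "image": "registry.example/tools:latest",
                "securityContext": {"runAsUser": 0, "readOnlyRootFilesystem": False},
            },
        ],
    },
}


def _effective(container, pod_ctx, key):
    """Container-level securityContext overrides the Pod-level setting."""
    c_ctx = container.get("securityContext") or {}
    return c_ctx[key] if key in c_ctx else pod_ctx.get(key)


def check_pod(manifest):
    """Return the list of policy violations; an empty list means admit."""
    spec = manifest.get("spec", {})
    pod_ctx = spec.get("securityContext") or {}
    violations = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        c_ctx = c.get("securityContext") or {}
        run_as_user = _effective(c, pod_ctx, "runAsUser")
        run_as_non_root = _effective(c, pod_ctx, "runAsNonRoot")
        # Root if UID 0 is requested, or if no UID is pinned and runAsNonRoot
        # is not enforced (the image's default user would then decide).
        if run_as_user == 0 or (run_as_user is None and run_as_non_root is not True):
            violations.append(
                f"{name}: may run as root (runAsUser={run_as_user}, runAsNonRoot={run_as_non_root})"
            )
        # readOnlyRootFilesystem exists only at container level.
        if c_ctx.get("readOnlyRootFilesystem") is not True:
            violations.append(f"{name}: root filesystem is writable")
        if c_ctx.get("privileged"):
            violations.append(f"{name}: privileged container")
        # Tags are mutable; a digest ties the deployment to one exact image.
        if "@sha256:" not in c.get("image", ""):
            violations.append(f"{name}: image not pinned by digest")
    return violations


def admit(manifest):
    """Admission decision: True only when no violation was found."""
    return not check_pod(manifest)


if __name__ == "__main__":
    for v in check_pod(SAMPLE_POD):
        print("DENY:", v)
    print("admitted:", admit(SAMPLE_POD))
```

The same logic is what a validating admission webhook or a policy engine would evaluate on the live cluster; running it in the pipeline as well means a manifest that would be rejected at deploy time is caught before the rollout starts.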

Vulnerability Management: In today’s rapidly changing threat landscape, addressing vulnerabilities is crucial. Our solution minimizes attack risks by ensuring branch protection, proper security assessments, and timely resolution of vulnerable dependencies according to company-specific policies.

New Release Impacts: Understanding the differences between new and old releases is important for effective risk management. Our solution lets organizations set policies based on vulnerability count and severity, assess criticality, and evaluate exploitation likelihood. We also monitor changes to library locations, providing a clear understanding of potential risks and empowering organizations to take appropriate action.

Alert on Library Changes: By notifying organizations of changes in third-party library content and/or location between releases, we can highlight potential risks for review and intercept typosquatting attacks. This proactive approach significantly improves the security of the software delivery process.
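The release-to-release comparison behind the two paragraphs above, as an added example that is not OpsMx code: it diffs two constructed SBOM-style dependency lists and raises an alert when a library's download location changed, when its content changed without a version bump, and when a newly added library's name closely resembles an existing dependency. The record fields, the sample data and the 0.85 similarity threshold are all assumptions of the example.

```python
"""Release-to-release dependency diff with library-change alerts.

Added example, not OpsMx code. Compares two constructed SBOM-style dependency
lists, one per release, and raises the alerts the text describes: a library
whose download location changed, one whose content changed without a version
bump, and a newly added library whose name is suspiciously close to an existing
dependency. Record fields and the similarity threshold are assumptions.
"""
import difflib

# Constructed records: one per resolved dependency in each release.
RELEASE_1 = [
    {"name": "requests", "version": "2.31.0",
     "location": "https://files.pythonhosted.org/packages/requests-2.31.0-py3-none-any.whl",
     "digest": "sha256:aaa1"},
    {"name": "urllib3", "version": "2.0.7",
     "location": "https://files.pythonhosted.org/packages/urllib3-2.0.7-py3-none-any.whl",
     "digest": "sha256:bbb1"},
    {"name": "pyyaml", "version": "6.0.1",
     "location": "https://files.pythonhosted.org/packages/PyYAML-6.0.1.tar.gz",
     "digest": "sha256:ccc1"},
]
RELEASE_2 = [
    # same version and digest, but now fetched from a different host
    {"name": "requests", "version": "2.31.0",
     "location": "https://mirror.example.net/requests-2.31.0-py3-none-any.whl",
     "digest": "sha256:aaa1"},
    # same version, different content
    {"name": "urllib3", "version": "2.0.7",
     "location": "https://files.pythonhosted.org/packages/urllib3-2.0.7-py3-none-any.whl",
     "digest": "sha256:bbb2"},
    {"name": "pyyaml", "version": "6.0.1",
     "location": "https://files.pythonhosted.org/packages/PyYAML-6.0.1.tar.gz",
     "digest": "sha256:ccc1"},
    # newly added dependency whose name is one letter away from "requests"
    {"name": "requets", "version": "2.31.0",
     "location": "https://files.pythonhosted.org/packages/requets-2.31.0-py3-none-any.whl",
     "digest": "sha256:ddd1"},
]


def _index(records):
    return {r["name"]: r for r in records}


def diff_releases(old, new, similarity=0.85):
    """Return a list of alert dicts describing what changed between releases."""
    old_idx, new_idx = _index(old), _index(new)
    alerts = []
    for name in sorted(old_idx):
        if name not in new_idx:
            alerts.append({"kind": "removed", "name": name, "detail": old_idx[name]["version"]})
            continue
        o, n = old_idx[name], new_idx[name]
        if o["version"] != n["version"]:
            alerts.append({"kind": "version_changed", "name": name,
                           "detail": f"{o['version']} -> {n['version']}"})
        elif o["digest"] != n["digest"]:
            # Same declared version but different bytes: worth a human look.
            alerts.append({"kind": "content_changed", "name": name,
                           "detail": f"version {o['version']} unchanged, digest {o['digest']} -> {n['digest']}"})
        if o["location"] != n["location"]:
            alerts.append({"kind": "location_changed", "name": name,
                           "detail": f"{o['location']} -> {n['location']}"})
    for name in sorted(set(new_idx) - set(old_idx)):
        alerts.append({"kind": "added", "name": name, "detail": new_idx[name]["version"]})
        # Flag new names that are near-duplicates of dependencies already in use.
        for known in sorted(old_idx):
            ratio = difflib.SequenceMatcher(None, name, known).ratio()
            if ratio >= similarity:
                alerts.append({"kind": "lookalike_name", "name": name,
                               "detail": f"resembles existing dependency {known!r} (similarity {ratio:.2f})"})
    return alerts


if __name__ == "__main__":
    for a in diff_releases(RELEASE_1, RELEASE_2):
        print(f"{a['kind']:>17}  {a['name']:<10} {a['detail']}")
```

Version bumps are routine and can be routed to a normal review queue; the other alert kinds (location change, content change at the same version, look-alike name) are the ones a release gate should hold for explicit approval.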

Image Integrity: Maintaining the integrity of built images is essential for a secure software delivery environment. Our Image Integrity and Signature Verification feature verifies that built images are signed and have accurate source provenance data.

The Prevent pillar focuses on equipping organizations with proactive security controls and features that tackle the evolving challenges of software delivery. By investing in these areas, we help organizations minimize vulnerabilities and security breaches, ensuring the highest level of security for their applications. 

Resolve: Rapid Vulnerability Detection and Mitigation

The Resolve pillar emphasizes the importance of rapid vulnerability detection and mitigation. Within this pillar, features like streamlined vulnerability management and Git User Activity Control (GUAC) integration empower organizations to respond effectively and promptly to potential security risks.

Streamlined Vulnerability Management: Our solution makes vulnerability management a breeze by providing a clear view of the source of binaries in each environment, vulnerabilities in each binary, and the source Git for each binary. We establish a chain of custody from Git to the artifact and identify gaps in context, ensuring a robust and thorough approach to managing vulnerabilities.

Vulnerability Tracing: With OpsMx, you can instantly and automatically pinpoint where vulnerable code is deployed in your environment. This swift detection allows for quicker remediation, keeping your software delivery process secure.

Code Vulnerability Alerts: Our solution keeps you in the loop about newly uncovered vulnerabilities in code deployed in your environment, changes to the SBOM, and alerts on actual deployments. This real-time monitoring helps organizations proactively tackle potential threats.

CIS Vulnerabilities Detection and Resolution: OpsMx assists organizations in detecting and resolving infrastructure vulnerabilities resulting from post-deployment infrastructure changes. This ongoing monitoring ensures the software delivery process remains secure as the infrastructure evolves.

GUAC Integration: Our Secure Software Delivery solution works seamlessly with Git User Activity Control (GUAC) to identify vulnerabilities within your SBOM. By merging deployment and build information from OpsMx and GUAC, your organization gains an extensive understanding of its security landscape, enabling swift responses to potential threats.

By concentrating on streamlined vulnerability management and incorporating GUAC integration, we offer a well-rounded and proactive approach to detecting and mitigating vulnerabilities, ensuring top-notch security for your applications.

Secure: Ensuring Traceability, Auditing, and Exception Management

The Secure pillar of our Secure Software Delivery solution focuses on ensuring traceability, auditing, and exception management. This pillar is designed to provide organizations complete visibility into their software delivery pipeline, enabling them to maintain a robust, compliant, and secure environment.

End-to-End Traceability: Our solution allows you to obtain complete visibility into image provenance, including build details, dependency differences, and vulnerability tracking between image versions. This end-to-end traceability simplifies managing and securing your software delivery pipeline.

Approval Traceability: OpsMx documents and tracks approval processes, including Git commits, test approvals, and stage promotion approvals. This traceability provides a clear audit trail for images running in production environments, ensuring your organization maintains high security and compliance standards.

Vulnerability Exception Management: Our Secure Software Delivery solution includes a vulnerability exception management feature, which allows you to track when a known vulnerability is allowed to be deployed. This feature contains a record of who authorized the exception and the duration for which it is valid. With vulnerability exception management, you can maintain control over your software delivery process and ensure exceptions are properly managed and tracked.
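A deployment gate that combines the severity-based policy from the Prevent section with the exception records described above, as an added example that is not OpsMx code. Each exception carries who authorized it and when it expires; an expired exception is reported but not honored, so the finding it covered counts against the policy again. The policy limits, the finding records (with obviously constructed identifiers) and the exception fields are assumptions of the example.

```python
"""Deployment gate: severity policy plus time-limited vulnerability exceptions.

Added example, not OpsMx code. Evaluates a release's findings against a
per-severity limit, honoring only exceptions that are still valid at decision
time, and returns an audit-friendly record of which exceptions were applied,
which had expired, and why the release was blocked. All data is constructed.
"""
from datetime import datetime, timedelta, timezone

# Maximum number of unexcepted findings allowed per severity (assumed policy);
# severities absent from the policy are not limited.
POLICY = {"CRITICAL": 0, "HIGH": 2}

# Fixed "now" so the example is reproducible (constructed).
NOW = datetime(2023, 11, 9, tzinfo=timezone.utc)

# Constructed findings for one release; identifiers are placeholders.
FINDINGS = [
    {"id": "VULN-EXAMPLE-0001", "severity": "CRITICAL", "package": "libfoo"},
    {"id": "VULN-EXAMPLE-0002", "severity": "HIGH", "package": "libbar"},
    {"id": "VULN-EXAMPLE-0003", "severity": "HIGH", "package": "libbaz"},
    {"id": "VULN-EXAMPLE-0004", "severity": "HIGH", "package": "libqux"},
]

# Constructed exception records: who approved the risk and until when.
EXCEPTIONS = [
    {"vuln_id": "VULN-EXAMPLE-0001", "authorized_by": "appsec-lead@example.com",
     "expires": NOW + timedelta(days=30), "reason": "not reachable; fix scheduled"},
    {"vuln_id": "VULN-EXAMPLE-0002", "authorized_by": "team-lead@example.com",
     "expires": NOW - timedelta(days=1), "reason": "temporary waiver"},  # already expired
]


def active_exceptions(exceptions, now):
    """Split exceptions into those still valid at `now` and those expired."""
    active, expired = {}, []
    for e in exceptions:
        if e["expires"] > now:
            active[e["vuln_id"]] = e
        else:
            expired.append(e)
    return active, expired


def evaluate_release(findings, exceptions, policy, now):
    """Return the gate decision together with the data an auditor would need."""
    active, expired = active_exceptions(exceptions, now)
    counts, unexcepted, applied = {}, [], []
    for f in findings:
        exc = active.get(f["id"])
        if exc:
            applied.append({"vuln_id": f["id"], "authorized_by": exc["authorized_by"],
                            "expires": exc["expires"].isoformat()})
            continue
        unexcepted.append(f)
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    blocking = [sev for sev, limit in policy.items() if counts.get(sev, 0) > limit]
    return {
        "allowed": not blocking,
        "blocking_severities": blocking,
        "unexcepted": [f["id"] for f in unexcepted],
        "applied_exceptions": applied,
        "expired_exceptions": [e["vuln_id"] for e in expired],
    }


if __name__ == "__main__":
    decision = evaluate_release(FINDINGS, EXCEPTIONS, POLICY, NOW)
    print("allowed:", decision["allowed"])
    print("blocked on:", decision["blocking_severities"])
    print("expired exceptions:", decision["expired_exceptions"])
    for a in decision["applied_exceptions"]:
        print("exception applied:", a)
```

With the sample data the release is blocked: the CRITICAL finding is covered by a valid exception, but the HIGH waiver has lapsed, leaving three unexcepted HIGH findings against a limit of two. Persisting the returned record alongside the deployment gives the audit trail of who accepted which risk and for how long.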

By implementing these features, you can effectively manage and mitigate risks in your software delivery pipeline, ensuring the resilience and integrity of your applications. Our focus on traceability, auditing, and exception management allows organizations to maintain a proactive stance on security, facilitating a secure and efficient software delivery lifecycle.

Conclusion

In conclusion, the growing threat of software supply chain attacks is an urgent concern for organizations worldwide. The complexities of modern software delivery pipelines and the ever-evolving threat landscape demand a unified and proactive approach to security, risk management, and governance.

OpsMx Secure Software Delivery (SSD) provides a comprehensive solution with its Secure Software Delivery extension, tackling real-time vulnerability risks and security breaches. By strategically organizing our solution into three key pillars – Prevent, Resolve, and Secure – we empower organizations to maintain a strong security posture throughout the software delivery lifecycle.

Robert Boule

Robert Boule is a dynamic technology enthusiast... Not just doing this for a living, but has a passion for technology and making things work, along with a knack for helping others understand how things work!
