Take control of your change request workflow with the IBM Cloud reference implementation of DevSecOps

By Steve Weaver posted Thu March 31, 2022 04:00 PM


Always be prepared for software audits by integrating automated change management into your builds and deployment.

Change management can be a useful risk mitigation tool and has evolved to be a core component of cloud-native application development processes. However, it comes with its own set of challenges to track all changes, assess change impact, and follow a backout plan if unforeseen issues crop up. Most importantly, you must preserve evidence for an audit to ensure traceability of the changes. In highly regulated industries, such as financial services, organizations trying to leverage cloud technologies must put a lot of investment into traceability and audit compliance.

With years of deep security experience gained from creating a secure cloud, IBM found its own answers to these challenges with standardized, integrated, and automated DevSecOps best practices. The DevSecOps reference implementation offers automated change request management as a key feature. The reference implementation is built on the IBM Cloud Continuous Delivery service, which provides Git repos and issue tracking, Tekton Pipelines, code quality and risk analysis, and the Eclipse Orion Web IDE.

The following diagram shows the data flow and connection between evidence, inventory, and change management within the reference implementation.

  1. Each continuous integration (CI) pipeline run builds the artifacts and leaves behind evidence of what happened while those artifacts were created.
  2. CI pipeline creates entries in the inventory about the artifacts that are created.
  3. Built artifacts in the inventory are promoted to deployment environments such as staging or pre-production.
  4. Change management automation uses data from the inventory, the evidence locker, and the promotion pull request to create the change request.

The change request management automation segment of the DevSecOps reference implementation helps your developers, approvers, and auditors monitor the compliance aspects of all code deployments. This solution helps to remove barriers between your development and compliance teams, and places more accountability on your development team for compliance readiness. Every deployment must follow the change management policy of your organization.

Everything that changes the baseline must be traced by way of a change request. These changes include updates to the existing code level, changes to the configuration, and updates of the worker nodes. The DevSecOps reference implementation provides a standard format for evidence, and processes for evidence collection and durable storage. The inventory and evidence are collected as part of every CI pipeline run and are available in a standard format and at a defined location.

The continuous delivery (CD) pipeline generates all of the evidence and change request summary content. The pipeline deploys the build artifacts to a specific environment, such as staging or production, and then collects, creates, and uploads all existing log files, evidence, and artifacts to the evidence locker.

You can configure the change request to be automatically or manually approved. There is also a provision for emergency deployments.

I invite you to try the IBM Cloud reference implementation of DevSecOps today. Get started with the detailed tutorial or watch the videos about setting up CI and CD toolchain templates located on the IBM Cloud DevSecOps documentation page.

Additional resources