►
From YouTube: Secure Software Supply Chain at IBM - Fumiko Satoh, IBM
Description
Secure Software Supply Chain at IBM - Fumiko Satoh, IBM
A
Okay,
hi
everyone.
Thank
you
very
much
for
having
that
good
opportunities
to
share
our
activities.
Allowance,
secure,
supporting
at
IBM
my
name,
isato
I'm
from
Alabama
research
at
Tokyo,
and
today
I
write
to
introduce
quickly
our
activities
allowed.
How
how
IBM
makes
surprise
software
support
and
secure
as
much
as
possible.
A
Okay-
and
this
is
an
introduction
of
my
me
and
my
name-
is
hamiko
and
yeah
working
at
IBM
research
and
my
recent
responsibility
is
reading
hybrid
cloud
and
security,
research
group
and
I'm
using
secure
Recent
research
interest
is
security
and
components
for
cloud
native,
and
so
then
now
we
are
working
for
how
we
can
yeah
make
secure
a
cloud
native
platform
and
also
that
we
need
we
will.
We
are
working
for
how
we
can
compliance
of
the
platform.
A
Yeah
yeah
today,
on
first
of
all,
I
would
like
to
show
this
chart
yeah.
This
is
a
software
life
cycle.
You
can
see
and
we
have
several
phases
in
this
life
cycle
so
and
the
design
and
develop
and
deploy.
And
then
we
will
move
to
the
meeting
maintenance,
veggies
of
course,
and
so
then
you
can
see
on
the
Black
Box
on
top
of
this,
and
this
box
shows
are
several
security
attacks
we
already
yeah
observed
so,
and
you
may
know,
and
we
find
several
attacks
at
every
phases
of
a
software
life
cycle.
A
So
the
maybe
the
most
famous
one
is
a
solar
mint.
You
can
see
the
maintenance
if
you
do
like
that,
but
and
this
attacks
is
only
for
our
maintenance
phase,
but
then
to
protect
this
software's
operating.
We
need
the
taco
all
of
these
phrases
as
much
as
possible
and
to
yeah
mitigate
the
security
risks.
A
Okay
and
so
to
tackle
this
difficult
problem,
so
there's
some
activities
and
there
is
some
a
lot
of
guidelines
and
so
on.
You
can
see
on
the
list
of
United
States
other
several
guidelines
to
make
it
to
make
secure
that
softwares
and
also
then
there
is
some
activities
at
the
open
source,
open
communities
like
this
open,
ssf,
of
course,
and
also
then
we
have
several
discussions
around.
A
A
A
So
in
the
sense,
the
infrastructure
out
code
is
a
automation
or
brain
from
structure
on
deployment
and
configuration,
and
so
on,
and
also
the
software
supporting
can
be
automatic
as
possible
and
also
the
deployment
and
also
and
I.
Also.
Traditionally,
the
component
management
is
also
a
automated
in
the
software
separation
yeah.
This
is
a
initial
initial
principles
at
IVM,
so
in
that
sense
we
are
trying
to
level
it.
This
kind
of
open
technology
like
terraforma
text
and
so
on.
A
A
A
A
Oh,
so
then
we
are
trying
to
make
some
reference
architectures.
That
is,
we
are
trying
to
I'm
trying
to
introduce
later,
and
so
then
this.
This
is
a
very
important
activities
that
we
make
some
standardized
approach
inside
at
our
company
and
also
one
of
the
important
things
is.
We
are
trying
to
integrate
a
mix
of
tools
and
I
can
start
party
tours
and
open
source,
and
also
the
in-house
tourists
and
the
methodologies.
A
A
And
also
some
another
important
thing
is:
we
are
trying
to
improve
this
kind
of
practices
continuously.
So
this
is
our
incremental
process
to
improve
this
principles,
yeah
to
get
some
new
technologies
and
new
tools
after
yeah
having
some
discussion
in
such
kind
of
this
open
community
and
some
cross
industry,
discussion
and
so
on.
A
A
A
So
the
this
figure
is
a
little
bit
conceptual
chart,
but
we
are
in
this
architecture.
We
are
trying
to
integrate
security
and
compliance
management
with
the
devops
as
much
as
possible,
so
you
can
see-
and
we
are
trying
to
devsec
phases
and
also
after
that,
we
are
trying
to
Ops
with
security
phase
and
then
I
will
feedback
to
the
devops
phase,
which
is
our
reference
activity
as
vampire
Prime.
A
So
you
can
see
and
as
a
continuous
integration
means
software
development
phase,
and
so
we
are
trying
to
adopt
some
several
security
related
things
into
this
integration
phase
like
s-bomb
generation
and
also
on.
Of
course,
the
code
review
is
a
very,
very
yeah
in
general,
and
also
the
SS
OSS
license,
checks,
and
so
on,
and
here
is
benchmarks-
is
a
one
of
our
key
standards.
A
We
are
trying
to
check
and
keep
to
make
this
softeras
and
development,
and
this
is
just
an
example
of
our
activities
and
then
and
after
that,
we
remind
me
to
a
development
phase
which
includes
some
additional
security
and
compliance
activities,
including
automation,
automatic
checking
and
yeah,
and
compliance
checking
I
also
done.
One
is
the
important
things:
enforcement
of
for
signed
article
artifacts
as
a
development
of
this
software.
A
So,
and
here
you
can
see
some
continuous,
continuous
and
compliance
check
is
yeah
executed
by
how
can
I
say
that
hi,
by
getting
some
audit
logs
auditor
Readiness
I
also
done.
The
other
thing
on
the
reporting
is
also
automatic.
Oh
automated,
in
this
components
process
in
this
operation
process,
so
in
the
kind
of
technology
and
methods
I
already
integrated
in
this
development
phase,
so
that
IBM
has
a
trying
to
develop
softwares
to
make
secure
as
much
as
possible,
based
on
this
kind
of
one
popular
architecture.
A
Okay
and
the
lastly-
and
this
is
a
a
little
bit
specific
example-
how
we
adopt
this
difference
architecture
with
some
existing
Technologies
on
the
existing
policies
so,
and
so
maybe
yeah
you
can
imagine
that
we
have.
There
are
several
stakeholders
around
lots
of
the
development
process
so
that
there
is
some
developers
of
software
codes
and
also
then
we
have
the
devops
engineer
and
the
compress
manager
and
so
on.
A
So
then
we
need
to
some
policies
and
the
rulers
or
some
yeah
methodologies
to
integrate
this
kind
of
stake,
photos
with
technology
so-
and
these
are
just
a
quick
Zone
example-
and
we
are
trying
to
integrate
this
kind
of
stakeholders
by
leveraging
some
tools
like
a
slug
or
some
git
was,
of
course,
and
also
we
have
some
process.
We
have
some
process
to
to
trigger
these
stakeholders,
for
their
activities
like
on
yeah,
so
still
Source
called
commit
into
the
game.
A
A
Okay,
the
lastly
and
I
like
to
show
on
additional
additional
information
of
IBM
point
of
view
so
and
you
can
see
some
blogs
at
the
website
that
is
selling
our
IBM
activities
for
a
security,
sorry
secure
separating
and
also
the
open
source
community,
and
so
the
of
course,
an
IBM
as
well
is
very
actively
collaborating
with
open
scissors.
So,
of
course
we
are
trying
we
are.