From YouTube: Secure Software Supply Chain at IBM - Fumiko Satoh, IBM
Okay, hi everyone. Thank you very much for this good opportunity to share our activities around secure software supply chain at IBM. My name is Satoh, I'm from IBM Research at Tokyo, and today I would like to introduce quickly our activities around how IBM makes the software supply chain as secure as possible.
Okay, and this is an introduction of myself. My name is Fumiko, and I am working at IBM Research. My recent responsibility is leading the hybrid cloud and security research group, and my recent research interest is security and compliance for cloud native. So now we are working on how we can make a cloud native platform secure, and also we are working on how we can ensure compliance of the platform.
Today, first of all, I would like to show this chart. This is a software life cycle. You can see we have several phases in this life cycle: design, develop and deploy, and then we move to maintenance, [inaudible] of course. Then you can see the black box on top of this; this box shows several security attacks we already observed. As you may know, we find several attacks at every phase of the software life cycle.
So maybe the most famous one is SolarWinds. You can see it at the maintenance phase, if you look there, but this attack is only for the maintenance phase; to protect the software's operation, we need to tackle all of these phases as much as possible to mitigate the security risks.
Okay, so to tackle this difficult problem, there are some activities and there are a lot of guidelines and so on. You can see on the list the United States and several other guidelines to make the software secure, and also there are some activities at the open source communities, like OpenSSF of course, and also we have several discussions around.
One of the key aspects is to share the details of the software and the open source materials inside the software. We have several activities, but then the problem is how we can adapt this information into the real software development cycle and also the software maintenance cycle and so on.
So you can see the figure at the center is also the software cycle. You can see several inputs and outputs that we need to tackle to make it secure.
So, you know, "as code" means making automation for everything, so in this principle we are trying to automate several activities inside the software supply chain as much as possible.
So in that sense, infrastructure as code is automation of the infrastructure, deployment and configuration, and so on, and also the software supply chain can be as automated as possible, and also the deployment. Also, traditionally the compliance management is also automated in the software operation. This is the initial principle at IBM, so in that sense we are trying to leverage this kind of open technology, like Terraform and Tekton and so on.
So this is the second one, the second principle of secure software supply chain: we are trying to mitigate the security risks at an early stage as much as possible, for the security and the compliance. We are trying to have some compliance automation, so one of the key technologies is getting some evidence for auditor readiness for our compliance audit at the early stage. It means that we also leverage existing tools regarding the [inaudible] and so on.
Okay, and this is the third one. I have introduced several principles: automation, and mitigating risks at an early stage as much as possible. Then we are trying to standardize this kind of practices, and also try to reuse several [inaudible] development strategies.
So then we are trying to make some reference architectures, which I'm going to introduce later. This is a very important activity, that we make some standardized approach inside our company, and also one of the important things is, we are trying to integrate a mix of tools: third-party tools and open source, and also the in-house tools and methodologies.
And so we do not restrict to one specific type of applications, like in-house or some third parties; we use several types of tools. That makes good development.
And another important thing is: we are trying to improve this kind of practices continuously. This is our incremental process to improve these principles, to get some new technologies and new tools after having some discussion in this kind of open community and some cross-industry discussion and so on.
So in that sense, of course, our security and also software development are both practices, and then DevOps is integrated with security and compliance management.
So this figure is a little bit conceptual chart, but in this architecture we are trying to integrate security and compliance management with DevOps as much as possible. You can see we are trying to have DevSec phases, and after that Ops with security phase, and then it will feed back to the DevOps phase, which is our reference architecture as [inaudible]. And you can see this is a [inaudible] that shows what kind of approach and what kind of tools are already integrated in this architecture.
You can see continuous integration means software development phase, and we are trying to adopt several security related things into this integration phase, like SBOM generation and so on. Of course, the code review is very general, and also the OSS license checks, and so on, and CIS benchmarks is one of our key standards.
We are trying to check and keep making this software and development, and this is just an example of our activities. After that, we move to the deployment phase, which includes some additional security and compliance activities, including automatic checking and compliance checking. One of the important things is enforcement of signed artifacts at the deployment of this software.
After that, at the management and operation phase, we are trying to check the compliance state continuously.
Here you can see continuous compliance check is executed by, how can I say, getting some audit logs for auditor readiness. The other thing, the reporting, is also automated in this compliance process, in this operation process. So these kinds of technologies and methods are already integrated in this development phase, so that IBM is trying to develop software as securely as possible, based on this kind of reference architecture.
Okay, and lastly, this is a little bit specific example: how we adopt this reference architecture with some existing technologies and existing policies. Maybe you can imagine there are several stakeholders around the development process: there are some developers of software code, and we have the DevOps engineer and the compliance manager and so on.
So then we need some policies and rules or some methodologies to integrate these kinds of stakeholders with technology, and these are just a quick example: we are trying to integrate these stakeholders by leveraging some tools like Slack or Git, of course, and also we have some process to trigger these stakeholders for their activities. For instance, source code commit into the Git repository will trigger alerting some DevOps engineers to start a continuous deployment phase with security and compliance posture, and also in the continuous compliance phase, security compliance engineers and some support and operation team will work for these steps.
So in that sense, in the system we are trying to integrate and leverage a lot of the existing tools and methodologies and guidelines so that these stakeholders collaborate to make this implementation. So then, based on that implementation, now we support 34.
Okay, lastly I would like to show some additional information from IBM's point of view. You can see some blogs at the website that are telling our IBM activities for security, sorry, secure supply chain, and also the open source community, and of course IBM as well is very actively collaborating with OpenSSF.
We want to continue this kind of open community activities to make the software development process as secure as possible across industry and across company, with open community members.
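The talk describes a CI phase that generates an SBOM and runs OSS license checks, and a deployment phase that enforces signed artifacts. The following is an added illustration of such a deploy gate, not IBM's code or the reference architecture's implementation: the attestation layout, the license allow-list, the sample SBOMs and the use of HMAC-SHA256 as an offline stand-in for a real artifact signature are all assumptions made for the example.

```python
import hashlib
import hmac
import json
# Constructed policy and inputs for this example (not IBM's real pipeline data).
ALLOWED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause"}
KEY = b"constructed-ci-attestation-key"
ARTIFACT = b"constructed container image bytes"
GOOD_SBOM = {"components": [{"name": "libfoo", "licenses": [{"license": {"id": "MIT"}}]}]}
BAD_SBOM = {"components": [
    {"name": "libfoo", "licenses": [{"license": {"id": "MIT"}}]},
    {"name": "libbar", "licenses": [{"license": {"id": "LicenseRef-unreviewed"}}]},
    {"name": "libbaz", "licenses": []}]}

def make_attestation(artifact: bytes, sbom: dict, key: bytes) -> dict:
    """CI step: bind the artifact digest and its SBOM together and authenticate them.
    HMAC-SHA256 stands in for a real signature so the example runs offline."""
    att = {"artifact_sha256": hashlib.sha256(artifact).hexdigest(), "sbom": sbom}
    body = json.dumps(att, sort_keys=True).encode()
    att["mac"] = hmac.new(key, body, hashlib.sha256).hexdigest()
    return att

def verify_attestation(artifact: bytes, att: dict, key: bytes) -> list:
    """Deploy gate, part 1: attestation must cover this exact artifact and verify."""
    findings = []
    if att.get("artifact_sha256") != hashlib.sha256(artifact).hexdigest():
        findings.append("artifact digest does not match attestation")
    body = json.dumps({k: v for k, v in att.items() if k != "mac"}, sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(att.get("mac", ""))):
        findings.append("attestation MAC invalid")
    return findings

def sbom_findings(sbom: dict) -> list:
    """Deploy gate, part 2: OSS license check over the SBOM's components."""
    findings = []
    for comp in sbom.get("components", []):
        ids = {lic.get("license", {}).get("id") for lic in comp.get("licenses", [])}
        if not ids:
            findings.append(f"{comp.get('name')}: no license declared")
        elif not ids <= ALLOWED_LICENSES:
            findings.append(f"{comp.get('name')}: disallowed license {sorted(ids - ALLOWED_LICENSES)}")
    return findings

def deploy_gate(artifact: bytes, att: dict, key: bytes) -> tuple:
    """Returns (allowed, findings); the SBOM is trusted only once the attestation verifies."""
    findings = verify_attestation(artifact, att, key)
    if not findings:
        findings = sbom_findings(att["sbom"])
    return (not findings, findings)
```

The gate refuses an artifact whose digest or attestation does not check out before it looks at the SBOM at all, so a tampered SBOM cannot be used to pass the license check.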