There once was a time in software development where developers could design, build and then think about their software's security. However in today's highly connected, API-driven application environment, this approach is simply too risky as it exposes the software to vulnerabilities ...
DEVOPSdigest asked experts from across the IT industry — from analysts and consultants to users and the top vendors — for their opinions on the top tools to support DevSecOps. Part 2 covers DevOps and development.
Start with The Top Tools to Support DevSecOps - Part 1
Value stream management
DevSecOps is intimidating to enterprises because a comprehensive approach involves a variety of methods and testing across the lifecycle. The best way to begin a DevSecOps journey is to first understand what security objectives you want to address. Part of this first evaluation step involves looking at the DevSecOps tool landscape to understand what can be addressed and align capabilities with your objectives. Implementation will likely be incremental based on perceived payoffs but needs to be aligned with your DevOps strategy without losing site of automation and scalability needs. Value stream management (VSM) can be a useful approach for aligning GRC, DevOps, and DevSecOps activities.
Stephen D. Hendrick
Research Director, Application Development & Management, Enterprise Management Associates (EMA)
Missing from past lists of DevOps tools has been a discussion of how to automate security and compliance. I think this is an oversight. If DevOps is about people and processes more than tools, then it's important security professionals be brought along on the journey to high-velocity software delivery. Given the number of high-profile security breaches over the last few years — many based upon exploitation of previously-disclosed vulnerabilities — it's clear that whatever we're doing right now, including relying on manual processes, just isn't working. Integrating security practices right into the delivery process not only makes better software; it also enables teams to ship faster.
Director of Product Marketing, Chef
Real users in the IT Central Station community discuss various tools they use for DevSecOps. These include application security, SIEM, threat intelligence platforms, cloud workload security, and vulnerability management solutions. A common theme in reviews of these solutions is the need to automate as much as possible in order to successfully support the DevSecOps process.
Founder and CEO, IT Central Station
DevOps is about moving fast, delivering fast, making mistakes and fixing them fast. Therefore the most basic requirement of a DevSecOps tool is to adapt to the "need for speed." Automation is key to achieve this and leveraging existing automation techniques to cover some application security aspects can be a very valuable and efficient way to integrate security.
Director of Product Marketing & Cyber Security Evangelist, Checkmarx
DEVOPS AUTOMATION PLATFORM
I strongly believe that the tool that best supports DevSecOps initiatives is what I would call a DevOps tool. Namely, having a common automation platform across all your infrastructure that can deliver automated infrastructure as code. Being able to plan infrastructure and application changes in code, along with robust automated processes for deploying these changes, is what enables your security teams to "shift left" in the software delivery lifecycle, and to build their own automated processes for improving security agility and velocity.
Chief Technical Strategist, Puppet
The foremost question that organizations need to ask themselves is: "Why do I need DevSecOps?" Once your primary objectives are sorted, the process continues seamlessly, where security is integrated within the coding process to expose any possible vulnerabilities within your software application. Automation plays a key role for even setting up DevSecOps environments, where a strong DevSecOps strategy must leverage tools that boost Continuous Integration, Continuous Testing, Configuration Management and Deployment, Continuous Monitoring, and finally orchestration.
Marketing Manager, Cigniti Technologies
CONTINUOUS INTEGRATION AND DELIVERY (CI/CD)
The automated CI/CD pipeline is really the driving force behind all DevSecOps initiatives. That uncompromising, unfake-able, push to automate the end-to-end delivery of software is what forces teams to collaborate, tough decisions to be made on processes, and investment in modern infrastructure. It's hard to see a successful DevSecOps initiative without a solid CI solution at its core.
CONTAINER VISIBILITY AND MANAGEMENT
Containers enable the agility and stability required for a successful DevOps deployment. 2 Factor Discovery that provides not only visibility into the container workload but also mini os is paramount for security and enabling production deployment. First factor is discovering the container is on the system. Second factor is discovering applications, patches, services, etc in the container itself. Some of the first 2 Factor Discovery solutions date back to 2009 with the first container products. Recommend asking your discovery and/or security vendor if they have this capability before picking up a new solution.
Author and Strategist, iSpeak Cloud
Kubernetes is the operating system for the next decade and a prerequisite for all security services. Kubernetes already has a strong connection to secrets, machine identities, image signing, encryption and more; this makes it a great platform for DevSecOps teams. Security teams should ditch the old standalone ideas of what security looks like and embrace Kubernetes. The future of the DevOps is going to integrate with or run on Kubernetes.
VP of Security Strategy and Threat Intelligence, Venafi
I am a strong believer in fundamentals. Anytime I am faced with a broad question like this, I always go back to foundations. Construct a building on unstable soil, what is bound to happen to the building? I see DevSecOps the same way. Ultimately, you are only as secure as the code that is being written. Most practitioners in DevOps are familiar with the concept of "Shift-Left" when it comes to software testing and deployment. Truly, shift-left in DevSecOps is moving security closer to the developers to mitigate potential foundational security events before they start. A must-have tool that embraces and accelerates the adoption of these fundamental ideas would be an automated and scalable container security solution.
Brad Bussie, MBA, CISSP
Principal Security Strategist, Trace3
APPLICATION RELEASE ORCHESTRATION
It is 30 times cheaper to fix a security defect in Development vs. Production, yet Security is often treated as an afterthought and as a bottleneck. By adopting the use of a secure Application Release Orchestration solution, teams can build security and quality checks earlier into their software delivery process. By leveraging a delivery pipeline that can easily adapt to accommodate new process requirements, regulatory requirements (like GDPR), or technology, teams are able to evolve the pipeline, incrementally, in a managed and safe way. This model for continuous improvement, and the ability to rehearse these changes in lower (dev/qa) environments make it safer for developers to experiment with new technology, while giving operations teams the assurance that appropriate testing and approvals are in place before deploying into production.
CTO, Electric Cloud
In today's complex software delivery landscape, DevSecOps success in larger organizations depends on sharing information, status and plans in real-time across the enterprise. Executives must make and carry out informed decisions, and everyone in the organization must be aligned with the strategy. This can only be achieved by using an enterprise-ready lifecycle management system, to provide visibility into product and team backlogs, and the progress, status, quality, and security of each backlog item. It will provide insights into the continuous integration server, connecting each build to its associated backlog items, and offer stakeholders a live dashboard view of key performance indicators. As the organization grows, the lifecycle management system will scale alongside it, continuing to enable effective cross-team, cross-project and cross-portfolio collaboration, guaranteeing end-to-end compliance with security, privacy and other regulatory requirements, and supporting DevSecOps across the entire enterprise.
Solutions Marketing Manager, Application Delivery Management, Micro Focus
Read The Top Tools to Support DevSecOps - Part 3, covering security and monitoring.