The Top Tools to Support DevSecOps - Part 1
May 21, 2018

Today, cyber threats can come from so many directions that protecting against them is a daunting challenge. The comprehensive strategy that progressive organizations are adopting is to start at the beginning, during the development stage, and follow through to the operations stage. This combination of DevOps and Security has earned the name DevSecOps.

The goal of DevSecOps is to make everyone in the software development life cycle responsible for security. While DevSecOps, much like DevOps itself, is more about changing IT culture and people's mindsets than employing certain types of technology, some tools can be an important support. But they have to be the right tools.

"Over the last five years, we have watched organizations attempt to achieve a complete security transformation by applying Band-Aids — such as the purchase of peripheral products or dismantling of solutions — only to find poor results and poor business alignment," said Matthew Shriner, VP, Security Professional Services, Micro Focus.

To find out what the right tools are, DEVOPSdigest asked experts from across the IT industry — from analysts and consultants to users and the top vendors — for their opinions on the top tools to support DevSecOps. Posted in 5 parts over the next two weeks, this list represents a cross-section of tools that can support your DevSecOps initiative, including development, DevOps, IT Ops and security tools. Part 1 covers the testing phase.

TEST AUTOMATION

DevSecOps is quickly becoming more mainstream as IT organizations continue to seek out solutions and tools to enable security testing in the development phase. While there is no magic do-it-all tool when it comes to security, bringing together DevOps and security through automated testing tools is a logical first step. Organizations are discovering how this "shift left" approach through automation can create repeatable and consistent processes to ensure a security standard, as new applications or processes are implemented. By building this kind of automation into your organization, you are enforcing the process without taking up extra resources or needing a separate security team.
Aruna Ravichandran
VP of DevOps Product and Solutions Marketing, CA Technologies

SECURITY UNIT TESTING

In working with our customers it has become clear that application security testing must adapt to the continuous development cycle created by DevOps and CI/CD environments. By enabling developers to test early and often in the development lifecycle and integrating into the existing development toolchains, Security Unit Testing tools that scan for application security flaws in real time while developers are working support developers to achieve their goals while simultaneously enabling organizations to adopt DevSecOps, making secure code one more dimension of quality code.
Janet Worthington
Product Manager, CA Veracode

APPLICATION SECURITY TESTING

The most important security tool for DevSecOps is the tool that is invisible to the DevOps program's main goal. DevOps' main goal is to be flexible to change and to release software quickly. Security tools need to be part of the DevOps program but not in a way that changes the goals or timelines of the program itself. A few examples of these "invisible" or "non-intrusive" security tools are SAST (Static Application Security Testing) and IAST (Interactive Application Security Testing). Both SAST and DAST fit within the DevOps tool chain but provide security vulnerability information generated from the process as a side benefit to the actual goal of releasing software.
Matt Rose
Global Director Application Security Strategy, Checkmarx

The most critical tool in the DevSecOps pipeline is IAST (Interactive Application Security Testing). Legacy static and dynamic scanners are disruptive with both the time they take to run and the amount of false positives they generate. IAST layers on existing DevOps pipelines without changing anything about how code is written, built, tested, or deployed. Because IAST runs in the background during normal development, CI/CD, and QA activities, it's not disruptive. Instead of a 500-page PDF file, developers can get highly accurate, real-time vulnerability telemetry through integrations with all the tools they are already using. Using IAST, organizations can accelerate and fully automate secure code delivery and deployment, without an extra security step. And security teams can step away from the critical deployment path and focus on more important issues like threat modeling, security architecture, and runtime protection.
Jeff Williams
Co-Founder and CTO, Contrast Security

INTEGRATION TESTING

Bringing three disciplines together is fraught with challenges. It is critical to rapidly and effectively test integration points for functionality, operational efficiency, and security requirements. You can't really continuously deploy code, but you can continuously test. You need tools that enable the creation of testing environments, execution of test plans, and provide real-time feedback for all testing metrics. These tools also need to be able to validate deployments, identify when deployment issues arise, and reduce the mean-time-to-restore should you need to roll back unsuccessful code.
Tim Coats
Director of Applied Innovation, Trace3

THREAT MODELING

The most important tool needed to support DevSecOps is adopting Security by Design Principles. In particular, threat modeling during the software development design phase is valuable because at this early stage time pressure is lower than during the test or release phases. One example of threat modeling is the STRIDE framework where each user story for development considers the risks of Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege. Adopting a scalable, repeatable, and collaborative threat modeling process that integrates with existing workflows provides an effective tool to manage risk and also provides a great way to spread knowledge within an organization.
Jose Casinha
Chief Information Security Officer, OutSystems

OWASP

The most important tool to support DevSecOps is the Open Web Application Security Project's (OWASP) Top 10, a list of the most critical web application security risks. OWASP has been publishing this list since 2004, and shockingly, many of the same risks make the list year after year. Simply raising awareness of these risks among everyone involved in creating software (not just within a separate security team) is a great first step to changing the culture around security — and DevSecOps is first and foremost a cultural change.
Tim Buntel
DevOps Advocate, XebiaLabs

Read The Top Tools to Support DevSecOps - Part 2, covering DevOps and the SDLC.
