Today, cyber threats can come from so many directions, it is a daunting challenge to protect against them. Starting from the beginning, during the development stage, and following through to the operations stage is the comprehensive strategy that progressive organizations are adopting. This combination of DevOps and Security has earned the name DevSecOps.
The goal of DevSecOps is to make everyone in the software development life cycle responsible for security. While DevSecOps, much like DevOps itself, is more about changing IT culture and people's mindsets than employing certain types of technology, some tools can be an important support. But they have to be the right tools.
"Over the last five years, we have watched organizations attempt to achieve a complete security transformation by applying Band-Aids — such as the purchase of peripheral products or dismantling of solutions — only to find poor results and poor business alignment," said Matthew Shriner, VP, Security Professional Services, Micro Focus.
To find out what the right tools are, DEVOPSdigest asked experts from across the IT industry — from analysts and consultants to users and the top vendors — for their opinions on the top tools to support DevSecOps. Posted in 5 parts over the next two weeks, this list represents a cross-section of tools that can support your DevSecOps initiative, including development, DevOps, IT Ops and security tools. Part 1 covers the testing phase.
DevSecOps is quickly becoming more mainstream as IT organizations continue to seek out solutions and tools to enable security testing in the development phase. While there is no magic do-it-all tool when it comes to security, bringing together DevOps and security through automated testing tools is a logical first step. Organizations are discovering how this "shift left" approach through automation can create repeatable and consistent processes to ensure a security standard, as new applications or processes are implemented. By building this kind of automation into your organization, you are enforcing the process without taking up extra resources or needing a separate security team.
VP of DevOps Product and Solutions Marketing, CA Technologies
SECURITY UNIT TESTING
In working with our customers it has become clear that application security testing must adapt to the continuous development cycle created by DevOps and CI/CD environments. By enabling developers to test early and often in the development lifecycle and integrating into the existing development toolchains, Security Unit Testing tools that scan for application security flaws in real time while developers are working support developers to achieve their goals while simultaneously enabling organizations to adopt DevSecOps, making secure code one more dimension of quality code.
Product Manager, CA Veracode
APPLICATION SECURITY TESTING
The most important security tool for DevSecOps is the tool that is invisible to the DevOps programs main goal. DevOps main goal is to be flexible to change and to release software quickly. Security tools need to be part of the DevOps program but not in a way that changes the goals or timelines of the program itself. A few examples of these "invisible" or "non-intrusive" security tools are SAST (Static Application Security Testing) and IAST (Interactive Application Security Testing). Both SAST and DAST fit within the DevOps tool chain but provide security vulnerability information generated from the process as a side benefit to the actual goal of releasing software
Global Director Application Security Strategy, Checkmarx
The most critical tool in the DevSecOps pipeline is IAST (Interactive Application Security Testing). Legacy static and dynamic scanners are disruptive with both the time they take to run and the amount of false positives they generate. IAST layers on existing DevOps pipelines without changing anything about how code is written, built, tested, or deployed. Because IAST runs in the background during normal development, CI/CD, and QA activities, it's not disruptive. Instead of a 500 page PDF file, developers can get highly accurate, real time vulnerability telemetry through integrations with all the tools they are already using. Using IAST, organizations can accelerate and fully automate secure code delivery and deployment, without an extra security step. And security teams can step away from the critical deployment path and focus on more important issues like threat modeling, security architecture, and runtime protection.
Co-Founder and CTO, Contrast Security
Bringing three disciplines together is fraught with challenges. It is critical to rapidly and effectively test integration points for functionality, operational efficiency, and security requirements. You can't really continuously deploy code, but you can continuously test. You need tools that enable the creation of testing environments, execution of test plans, and provide real-time feedback for all testing metrics. These tools also need to be able to validate deployments, identify when deployment issues arise, and reduce the mean-time-to-restore should you need to rollback unsuccessful code.
Director of Applied Innovation, Trace3
The most important tool needed to support DevSecOps is adopting Security by Design Principles. In particular, threat modeling during the software development design phase is valuable because at this early stage time pressure is lower than during the test or release phases. One example of threat modeling is the STRIDE framework where each user story for development considers the risks of Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege. Adopting a scalable, repeatable, and collaborative threat modeling process that integrates with existing workflows provides an effective tool to manage risk and also provides a great way to spread knowledge within an organization.
Chief Information Security Officer, OutSystems
The most important tool to support DevSecOps is the Open Web Application Security Project's (OWASP) Top 10, a list of the most critical web application security risks. OWASP has been publishing this list since 2004, and shockingly, many of the same risks make the list year after year. Simply raising awareness of these risks among everyone involved in creating software (not just within a separate security team) is a great first step to changing the culture around security — and DevSecOps is first and foremost a cultural change.
DevOps Advocate, XebiaLabs
Read The Top Tools to Support DevSecOps - Part 2, covering DevOps and the SDLC.