The Top Tools to Support DevSecOps - Part 1
May 21, 2018

Today, cyber threats can come from so many directions, it is a daunting challenge to protect against them. Starting from the beginning, during the development stage, and following through to the operations stage is the comprehensive strategy that progressive organizations are adopting. This combination of DevOps and Security has earned the name DevSecOps.

The goal of DevSecOps is to make everyone in the software development life cycle responsible for security. While DevSecOps, much like DevOps itself, is more about changing IT culture and people's mindsets than employing certain types of technology, some tools can be an important support. But they have to be the right tools.

"Over the last five years, we have watched organizations attempt to achieve a complete security transformation by applying Band-Aids — such as the purchase of peripheral products or dismantling of solutions — only to find poor results and poor business alignment," said Matthew Shriner, VP, Security Professional Services, Micro Focus.

To find out what the right tools are, DEVOPSdigest asked experts from across the IT industry — from analysts and consultants to users and the top vendors — for their opinions on the top tools to support DevSecOps. Posted in 5 parts over the next two weeks, this list represents a cross-section of tools that can support your DevSecOps initiative, including development, DevOps, IT Ops and security tools. Part 1 covers the testing phase.

TEST AUTOMATION

DevSecOps is quickly becoming more mainstream as IT organizations continue to seek out solutions and tools to enable security testing in the development phase. While there is no magic do-it-all tool when it comes to security, bringing together DevOps and security through automated testing tools is a logical first step. Organizations are discovering how this "shift left" approach through automation can create repeatable and consistent processes to ensure a security standard, as new applications or processes are implemented. By building this kind of automation into your organization, you are enforcing the process without taking up extra resources or needing a separate security team.
Aruna Ravichandran
VP of DevOps Product and Solutions Marketing, CA Technologies

SECURITY UNIT TESTING

In working with our customers it has become clear that application security testing must adapt to the continuous development cycle created by DevOps and CI/CD environments. By enabling developers to test early and often in the development lifecycle and integrating into the existing development toolchains, Security Unit Testing tools that scan for application security flaws in real time while developers are working support developers to achieve their goals while simultaneously enabling organizations to adopt DevSecOps, making secure code one more dimension of quality code.
Janet Worthington
Product Manager, CA Veracode

APPLICATION SECURITY TESTING

The most important security tool for DevSecOps is the tool that is invisible to the DevOps programs main goal. DevOps main goal is to be flexible to change and to release software quickly. Security tools need to be part of the DevOps program but not in a way that changes the goals or timelines of the program itself. A few examples of these "invisible" or "non-intrusive" security tools are SAST (Static Application Security Testing) and IAST (Interactive Application Security Testing). Both SAST and DAST fit within the DevOps tool chain but provide security vulnerability information generated from the process as a side benefit to the actual goal of releasing software
Matt Rose
Global Director Application Security Strategy, Checkmarx

The most critical tool in the DevSecOps pipeline is IAST (Interactive Application Security Testing). Legacy static and dynamic scanners are disruptive with both the time they take to run and the amount of false positives they generate. IAST layers on existing DevOps pipelines without changing anything about how code is written, built, tested, or deployed. Because IAST runs in the background during normal development, CI/CD, and QA activities, it's not disruptive. Instead of a 500 page PDF file, developers can get highly accurate, real time vulnerability telemetry through integrations with all the tools they are already using. Using IAST, organizations can accelerate and fully automate secure code delivery and deployment, without an extra security step. And security teams can step away from the critical deployment path and focus on more important issues like threat modeling, security architecture, and runtime protection.
Jeff Williams
Co-Founder and CTO, Contrast Security

INTEGRATION TESTING

Bringing three disciplines together is fraught with challenges. It is critical to rapidly and effectively test integration points for functionality, operational efficiency, and security requirements. You can't really continuously deploy code, but you can continuously test. You need tools that enable the creation of testing environments, execution of test plans, and provide real-time feedback for all testing metrics. These tools also need to be able to validate deployments, identify when deployment issues arise, and reduce the mean-time-to-restore should you need to rollback unsuccessful code.
Tim Coats
Director of Applied Innovation, Trace3

THREAT MODELING

The most important tool needed to support DevSecOps is adopting Security by Design Principles. In particular, threat modeling during the software development design phase is valuable because at this early stage time pressure is lower than during the test or release phases. One example of threat modeling is the STRIDE framework where each user story for development considers the risks of Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege. Adopting a scalable, repeatable, and collaborative threat modeling process that integrates with existing workflows provides an effective tool to manage risk and also provides a great way to spread knowledge within an organization.
Jose Casinha
Chief Information Security Officer, OutSystems

OWASP

The most important tool to support DevSecOps is the Open Web Application Security Project's (OWASP) Top 10, a list of the most critical web application security risks. OWASP has been publishing this list since 2004, and shockingly, many of the same risks make the list year after year. Simply raising awareness of these risks among everyone involved in creating software (not just within a separate security team) is a great first step to changing the culture around security — and DevSecOps is first and foremost a cultural change.
Tim Buntel
DevOps Advocate, XebiaLabs

Read The Top Tools to Support DevSecOps - Part 2, covering DevOps and the SDLC.

Share this

Industry News

March 23, 2023

Ambassador Labs released Telepresence for Docker, designed to make it easy for developer teams to build, test and deliver apps at scale across Kubernetes.

March 23, 2023

Fermyon Technologies introduced Spin 1.0, a major new release of the serverless functions framework based on WebAssembly.

March 23, 2023

Torc announced the acquisition of coding performance measurement application Codealike to empower software developers with even more data that increases skills, job opportunities and enterprise value.

March 23, 2023

Progress announced a free online training and certification program for Progress® OpenEdge®, the flagship Progress application development platform.

March 22, 2023

Opsera announced five patents have been issued to enable enterprise engineering leaders and teams to gain unprecedented end-to-end visibility into their software delivery and accelerate the speed and security of delivery, all while maximizing their investment.

March 22, 2023

DuploCloud announced the general availability of its on-prem solution built on top of Kubernetes, focusing on containerized workloads with near term plans to integrate with on-prem compute, storage and networking vendors.

March 22, 2023

Postman announced the general availability of Postman Flows, a visual tool for creating API applications. Postman Flows simplifies building software by using APIs as the building blocks, allowing anyone to produce workflows, integrations, and automations in a collaborative environment without needing to write a single line of code.

March 22, 2023

SecureAuth announced an alliance partnership with HashiCorp®, enabling organizations to leverage SecureAuth’s advanced passwordless authentication and Multi-Factor Authentication (MFA) device recognition.

March 22, 2023

Backslash Security, a new cloud-native application security solution for enterprise AppSec teams, emerged from stealth.

March 21, 2023

OpenText launched the latest version of ValueEdge -- an innovative modular, cloud-based DevOps and value stream management (VSM) platform.

March 21, 2023

Oracle announced the availability of Java 20, the latest version of the programming language and development platform.

March 21, 2023

Rafay Systems introduced Environment Manager, a solution that empowers enterprise platform teams to improve the developer experience by delivering self-service capabilities for provisioning full-stack environments.

March 20, 2023

To meet the growing demand for Oracle Container Engine for Kubernetes (OKE) with global organizations, Oracle Cloud Infrastructure (OCI) is introducing new capabilities that can boost the reliability and efficiency of large-scale Kubernetes environments while simplifying operations and reducing costs.

March 20, 2023

Perforce Software joined the Amazon Web Services (AWS) Independent Software Vendor (ISV) Accelerate Program and listed its free Enhanced Studio Pack (ESP) in AWS Marketplace.

March 20, 2023

Aembit, an identity platform that lets DevOps and Security teams discover, manage, enforce, and audit access between federated workloads, announced its official launch alongside $16.6M in seed financing from cybersecurity specialist investors Ballistic Ventures and Ten Eleven Ventures.