The Top Tools to Support DevSecOps - Part 2
May 22, 2018

DEVOPSdigest asked experts from across the IT industry — from analysts and consultants to users and the top vendors — for their opinions on the top tools to support DevSecOps. Part 2 covers DevOps and development.

Start with The Top Tools to Support DevSecOps - Part 1

Value stream management

DevSecOps is intimidating to enterprises because a comprehensive approach involves a variety of methods and testing across the lifecycle. The best way to begin a DevSecOps journey is to first understand what security objectives you want to address. Part of this first evaluation step involves looking at the DevSecOps tool landscape to understand what can be addressed and align capabilities with your objectives. Implementation will likely be incremental based on perceived payoffs but needs to be aligned with your DevOps strategy without losing site of automation and scalability needs. Value stream management (VSM) can be a useful approach for aligning GRC, DevOps, and DevSecOps activities.
Stephen D. Hendrick
Research Director, Application Development & Management, Enterprise Management Associates (EMA)


Missing from past lists of DevOps tools has been a discussion of how to automate security and compliance. I think this is an oversight. If DevOps is about people and processes more than tools, then it's important security professionals be brought along on the journey to high-velocity software delivery. Given the number of high-profile security breaches over the last few years — many based upon exploitation of previously-disclosed vulnerabilities — it's clear that whatever we're doing right now, including relying on manual processes, just isn't working. Integrating security practices right into the delivery process not only makes better software; it also enables teams to ship faster.
Julian Dunn
Director of Product Marketing, Chef

Real users in the IT Central Station community discuss various tools they use for DevSecOps. These include application security, SIEM, threat intelligence platforms, cloud workload security, and vulnerability management solutions. A common theme in reviews of these solutions is the need to automate as much as possible in order to successfully support the DevSecOps process.
Russell Rothstein
Founder and CEO, IT Central Station

DevOps is about moving fast, delivering fast, making mistakes and fixing them fast. Therefore the most basic requirement of a DevSecOps tool is to adapt to the "need for speed." Automation is key to achieve this and leveraging existing automation techniques to cover some application security aspects can be a very valuable and efficient way to integrate security.
Amit Ashbel
Director of Product Marketing & Cyber Security Evangelist, Checkmarx


I strongly believe that the tool that best supports DevSecOps initiatives is what I would call a DevOps tool. Namely, having a common automation platform across all your infrastructure that can deliver automated infrastructure as code. Being able to plan infrastructure and application changes in code, along with robust automated processes for deploying these changes, is what enables your security teams to "shift left" in the software delivery lifecycle, and to build their own automated processes for improving security agility and velocity.
Nigel Kersten
Chief Technical Strategist, Puppet

The foremost question that organizations need to ask themselves is: "Why do I need DevSecOps?" Once your primary objectives are sorted, the process continues seamlessly, where security is integrated within the coding process to expose any possible vulnerabilities within your software application. Automation plays a key role for even setting up DevSecOps environments, where a strong DevSecOps strategy must leverage tools that boost Continuous Integration, Continuous Testing, Configuration Management and Deployment, Continuous Monitoring, and finally orchestration.
Komal Lopez
Marketing Manager, Cigniti Technologies


The automated CI/CD pipeline is really the driving force behind all DevSecOps initiatives. That uncompromising, unfake-able, push to automate the end-to-end delivery of software is what forces teams to collaborate, tough decisions to be made on processes, and investment in modern infrastructure. It's hard to see a successful DevSecOps initiative without a solid CI solution at its core.
Antony Edwards
CTO, Eggplant


Containers enable the agility and stability required for a successful DevOps deployment. 2 Factor Discovery that provides not only visibility into the container workload but also mini os is paramount for security and enabling production deployment. First factor is discovering the container is on the system. Second factor is discovering applications, patches, services, etc in the container itself. Some of the first 2 Factor Discovery solutions date back to 2009 with the first container products. Recommend asking your discovery and/or security vendor if they have this capability before picking up a new solution.
Jeanne Morain
Author and Strategist, iSpeak Cloud

Kubernetes is the operating system for the next decade and a prerequisite for all security services. Kubernetes already has a strong connection to secrets, machine identities, image signing, encryption and more; this makes it a great platform for DevSecOps teams. Security teams should ditch the old standalone ideas of what security looks like and embrace Kubernetes. The future of the DevOps is going to integrate with or run on Kubernetes.
Kevin Bocek
VP of Security Strategy and Threat Intelligence, Venafi


I am a strong believer in fundamentals. Anytime I am faced with a broad question like this, I always go back to foundations. Construct a building on unstable soil, what is bound to happen to the building? I see DevSecOps the same way. Ultimately, you are only as secure as the code that is being written. Most practitioners in DevOps are familiar with the concept of "Shift-Left" when it comes to software testing and deployment. Truly, shift-left in DevSecOps is moving security closer to the developers to mitigate potential foundational security events before they start. A must-have tool that embraces and accelerates the adoption of these fundamental ideas would be an automated and scalable container security solution.
Brad Bussie, MBA, CISSP
Principal Security Strategist, Trace3


It is 30 times cheaper to fix a security defect in Development vs. Production, yet Security is often treated as an afterthought and as a bottleneck. By adopting the use of a secure Application Release Orchestration solution, teams can build security and quality checks earlier into their software delivery process. By leveraging a delivery pipeline that can easily adapt to accommodate new process requirements, regulatory requirements (like GDPR), or technology, teams are able to evolve the pipeline, incrementally, in a managed and safe way. This model for continuous improvement, and the ability to rehearse these changes in lower (dev/qa) environments make it safer for developers to experiment with new technology, while giving operations teams the assurance that appropriate testing and approvals are in place before deploying into production.
Anders Wallgren
CTO, Electric Cloud


In today's complex software delivery landscape, DevSecOps success in larger organizations depends on sharing information, status and plans in real-time across the enterprise. Executives must make and carry out informed decisions, and everyone in the organization must be aligned with the strategy. This can only be achieved by using an enterprise-ready lifecycle management system, to provide visibility into product and team backlogs, and the progress, status, quality, and security of each backlog item. It will provide insights into the continuous integration server, connecting each build to its associated backlog items, and offer stakeholders a live dashboard view of key performance indicators. As the organization grows, the lifecycle management system will scale alongside it, continuing to enable effective cross-team, cross-project and cross-portfolio collaboration, guaranteeing end-to-end compliance with security, privacy and other regulatory requirements, and supporting DevSecOps across the entire enterprise.
Malcolm Isaacs
Solutions Marketing Manager, Application Delivery Management, Micro Focus

Read The Top Tools to Support DevSecOps - Part 3, covering security and monitoring.

Share this

Industry News

August 10, 2020

Red Hat announced the launch of Red Hat remote certification exams.

August 10, 2020

Signal Sciences announced an integration with Microsoft Azure App Service for the Signal Sciences next-gen Web Application Firewall (WAF) and Runtime Application Self-Protection (RASP) solution.

August 10, 2020

Copado announced Copado Government Cloud to help government agencies accelerate the time-to-value of Salesforce digital transformation projects.

August 06, 2020

Push Technology announced the launch of a new Kafka Adapter for their Diffusion Intelligent Data Mesh.

August 06, 2020

Appvia announced the launch of its Cost Prediction and Visibility tool, integrated within the latest version of its Kore platform.

August 06, 2020

LogiGear announced the newest addition to the TestArchitect™ family, TestArchitect Gondola.

August 05, 2020 announced a partnership with HashiCorp, a provider in multi-cloud infrastructure automation software.

August 05, 2020

Digitate, a software venture of Tata Consultancy Services, announced the release of ignio™ AI.Assurance, an autonomous assurance product that enables enterprises to deliver better software faster, enhancing their business performance.

August 05, 2020

Harness acquired self-service Continuous Integration firm, the creator of the open-source project Drone.

August 04, 2020

Aqua Security announced that its Cloud Native Security Platform is available through Red Hat® Marketplace, an open cloud marketplace that makes it easier to discover and access certified software for container-based environments across the hybrid cloud.

August 04, 2020

Threat Stack announced the availability of Threat Stack Container Security Monitoring for AWS Fargate.

August 04, 2020

OpenLogic by Perforce now provides an enterprise-class alternative to Oracle Java by offering OpenJDK distributions backed by OpenLogic support.

August 03, 2020

MuseDev launched on Github Marketplace the Early Access version of its code analysis platform, Muse, to help developers find and fix critical security, performance, and reliability bugs, efficiently, before they reach QA or production.

August 03, 2020

Styra announced Rego Policy Builder for the Styra Declarative Authorization Service (DAS).

August 03, 2020

Felicis Ventures has invested an additional $5M in Sourcegraph, bringing the total raised to over $46M, including a $23M Series B in March 2020 led by Craft Ventures.