The Top Tools to Support DevSecOps - Part 2
May 22, 2018

DEVOPSdigest asked experts from across the IT industry — from analysts and consultants to users and the top vendors — for their opinions on the top tools to support DevSecOps. Part 2 covers DevOps and development.

Start with The Top Tools to Support DevSecOps - Part 1

Value stream management

DevSecOps is intimidating to enterprises because a comprehensive approach involves a variety of methods and testing across the lifecycle. The best way to begin a DevSecOps journey is to first understand what security objectives you want to address. Part of this first evaluation step involves looking at the DevSecOps tool landscape to understand what can be addressed and align capabilities with your objectives. Implementation will likely be incremental based on perceived payoffs but needs to be aligned with your DevOps strategy without losing sight of automation and scalability needs. Value stream management (VSM) can be a useful approach for aligning GRC, DevOps, and DevSecOps activities.
Stephen D. Hendrick
Research Director, Application Development & Management, Enterprise Management Associates (EMA)


Missing from past lists of DevOps tools has been a discussion of how to automate security and compliance. I think this is an oversight. If DevOps is about people and processes more than tools, then it's important security professionals be brought along on the journey to high-velocity software delivery. Given the number of high-profile security breaches over the last few years — many based upon exploitation of previously-disclosed vulnerabilities — it's clear that whatever we're doing right now, including relying on manual processes, just isn't working. Integrating security practices right into the delivery process not only makes better software; it also enables teams to ship faster.
Julian Dunn
Director of Product Marketing, Chef

Real users in the IT Central Station community discuss various tools they use for DevSecOps. These include application security, SIEM, threat intelligence platforms, cloud workload security, and vulnerability management solutions. A common theme in reviews of these solutions is the need to automate as much as possible in order to successfully support the DevSecOps process.
Russell Rothstein
Founder and CEO, IT Central Station

DevOps is about moving fast, delivering fast, making mistakes and fixing them fast. Therefore the most basic requirement of a DevSecOps tool is to adapt to the "need for speed." Automation is key to achieve this and leveraging existing automation techniques to cover some application security aspects can be a very valuable and efficient way to integrate security.
Amit Ashbel
Director of Product Marketing & Cyber Security Evangelist, Checkmarx


I strongly believe that the tool that best supports DevSecOps initiatives is what I would call a DevOps tool. Namely, having a common automation platform across all your infrastructure that can deliver automated infrastructure as code. Being able to plan infrastructure and application changes in code, along with robust automated processes for deploying these changes, is what enables your security teams to "shift left" in the software delivery lifecycle, and to build their own automated processes for improving security agility and velocity.
Nigel Kersten
Chief Technical Strategist, Puppet

The foremost question that organizations need to ask themselves is: "Why do I need DevSecOps?" Once your primary objectives are sorted, the process continues seamlessly, where security is integrated within the coding process to expose any possible vulnerabilities within your software application. Automation plays a key role for even setting up DevSecOps environments, where a strong DevSecOps strategy must leverage tools that boost Continuous Integration, Continuous Testing, Configuration Management and Deployment, Continuous Monitoring, and finally orchestration.
Komal Lopez
Marketing Manager, Cigniti Technologies


The automated CI/CD pipeline is really the driving force behind all DevSecOps initiatives. That uncompromising, unfake-able, push to automate the end-to-end delivery of software is what forces teams to collaborate, tough decisions to be made on processes, and investment in modern infrastructure. It's hard to see a successful DevSecOps initiative without a solid CI solution at its core.
Antony Edwards
CTO, Eggplant


Containers enable the agility and stability required for a successful DevOps deployment. 2 Factor Discovery that provides not only visibility into the container workload but also the mini OS is paramount for security and enabling production deployment. The first factor is discovering that the container is on the system. The second factor is discovering the applications, patches, services, etc. in the container itself. Some of the first 2 Factor Discovery solutions date back to 2009 with the first container products. I recommend asking your discovery and/or security vendor if they have this capability before picking up a new solution.
Jeanne Morain
Author and Strategist, iSpeak Cloud

Kubernetes is the operating system for the next decade and a prerequisite for all security services. Kubernetes already has a strong connection to secrets, machine identities, image signing, encryption and more; this makes it a great platform for DevSecOps teams. Security teams should ditch the old standalone ideas of what security looks like and embrace Kubernetes. The future of DevOps is going to integrate with or run on Kubernetes.
Kevin Bocek
VP of Security Strategy and Threat Intelligence, Venafi


I am a strong believer in fundamentals. Anytime I am faced with a broad question like this, I always go back to foundations. Construct a building on unstable soil, what is bound to happen to the building? I see DevSecOps the same way. Ultimately, you are only as secure as the code that is being written. Most practitioners in DevOps are familiar with the concept of "Shift-Left" when it comes to software testing and deployment. Truly, shift-left in DevSecOps is moving security closer to the developers to mitigate potential foundational security events before they start. A must-have tool that embraces and accelerates the adoption of these fundamental ideas would be an automated and scalable container security solution.
Brad Bussie, MBA, CISSP
Principal Security Strategist, Trace3


It is 30 times cheaper to fix a security defect in Development vs. Production, yet Security is often treated as an afterthought and as a bottleneck. By adopting the use of a secure Application Release Orchestration solution, teams can build security and quality checks earlier into their software delivery process. By leveraging a delivery pipeline that can easily adapt to accommodate new process requirements, regulatory requirements (like GDPR), or technology, teams are able to evolve the pipeline, incrementally, in a managed and safe way. This model for continuous improvement, and the ability to rehearse these changes in lower (dev/qa) environments make it safer for developers to experiment with new technology, while giving operations teams the assurance that appropriate testing and approvals are in place before deploying into production.
Anders Wallgren
CTO, Electric Cloud


In today's complex software delivery landscape, DevSecOps success in larger organizations depends on sharing information, status and plans in real-time across the enterprise. Executives must make and carry out informed decisions, and everyone in the organization must be aligned with the strategy. This can only be achieved by using an enterprise-ready lifecycle management system, to provide visibility into product and team backlogs, and the progress, status, quality, and security of each backlog item. It will provide insights into the continuous integration server, connecting each build to its associated backlog items, and offer stakeholders a live dashboard view of key performance indicators. As the organization grows, the lifecycle management system will scale alongside it, continuing to enable effective cross-team, cross-project and cross-portfolio collaboration, guaranteeing end-to-end compliance with security, privacy and other regulatory requirements, and supporting DevSecOps across the entire enterprise.
Malcolm Isaacs
Solutions Marketing Manager, Application Delivery Management, Micro Focus

Read The Top Tools to Support DevSecOps - Part 3, covering security and monitoring.
