The Top Tools to Support DevSecOps - Part 4
May 29, 2018

DEVOPSdigest asked experts from across the IT industry — from analysts and consultants to users and the top vendors — for their opinions on the top tools to support DevSecOps. Part 4 covers code and data.

Start with The Top Tools to Support DevSecOps - Part 1

Start with The Top Tools to Support DevSecOps - Part 2

Start with The Top Tools to Support DevSecOps - Part 3

CONFIGURATION MANAGEMENT

The DevOps and security relationship is not, to put it delicately, without its complications. Even seemingly simple tasks can put the two camps on opposite sides. But there is one area both disciplines can get behind: configuration management. Security professionals know how misconfigurations create huge security holes. And DevOps professionals see configuration management as nothing more than a necessary evil. So configuration management gets my vote as the top DevSecOps priority, as many of the recent data leaks in public clouds have been attributed to misconfiguration of cloud resources. Not all cloud security solutions are equally adept at config management, so look for solutions that continually monitor configurations, compare results to best practices, especially security best practices, and integrate configuration as part of a broader and more comprehensive cloud security approach.
Sanjay Kalra
Founder & Chief Product Officer, Lacework

SELF-PROVISIONED PRIVATE CLOUD

DevSecOps teams need immediate access to resources so they can engage in agile software development, but their IT departments are concerned about controlling the cost of public clouds and controlling access and security. The solution is a self-provisioned private cloud that gives each developer his/her own set of tools, making it possible for individual developers to create customized DevOps workbenches with single-click application and resource provisioning. With this solution, DevOps teams get the agile development platform they need while the IT department regains control over spending and security.
Kamesh Pemmaraju
VP Product Management, ZeroStack

CODE ANALYSIS SCANNER

With an ever-faster cycle time from idea to production, and engineers using an increasing number of open source components in their software, you need a tool for scanning third-party libraries. This is vital for avoiding the use of wrong license types. As more and more small changes move to production, embedding static code analysis scanners in your daily pipelines helps you avoid pushing insecure software forward and speeds the feedback cycle to your engineers.
Andreas Prins
VP of Product Development, XebiaLabs

CODE LEVEL ANALYSIS TOOLS

DevSecOps is all about "shift-left", simply said, that means trying to avoid procrastination in security governance. That's why code-level analysis tools, enabling "white-box" testing by examining static code for vulnerabilities, should be seriously considered. As a matter of fact, the sooner vulnerabilities are detected the lower cost of fixing will be.
Yann Guernion
Product Marketing Director, Workload Automation, CA Automation

SOURCE CODE CONTROL

A robust, extensible system for source code control cannot be overemphasized. Your application code, your infrastructure code, all your important stuff is in one place, even if it is constantly changing. This provides a one-stop shop for all your security automation needs, very early on in the development process, where potential vulnerabilities are easier and cheaper to fix. Really, it's not just one tool. There is never One Thing that solves all (or even most!) of your problems. The real benefit is the capacity to run and maintain multiple tools as well as the ability to glue commercial tools together with custom code to make it all work for your specific environment.
Doug DePerry
Director, Product Security, Datadog

CODE REPOSITORY

The most important tool that an organization needs to support DevSecOps is a code repository because security, like all other aspects of DevOps should be managed as code.
Reuven Harrison
CTO and Co-founder, Tufin

POLICY AS CODE

In order to implement DevSecOps effectively, you need to automate cloud security and compliance at scale, and throughout the lifecycle. To do this, your policies must be expressed as source-controlled policy-as-code, and that code must be enforced before deployment, and all the way through the lifecycle. Manual checklists and audits are insufficient to govern fast-changing cloud infrastructure, and they bring significant risk due to human error. Enforcing policy only on provisioning opens you up to configuration drift, which is where most policy infractions occur. Policy-as-code enables true DevSecOps collaboration and provides the ability to automate security and compliance enforcement for the entire cloud infrastructure lifecycle, from design to provisioning to ongoing operations.
Josh Stella
CEO, Fugue

SECRETS MANAGEMENT

When compiling a list of the most important DevSecOps tools, it is essential to look back at recent high-profile breaches — where AWS access keys, API keys, passwords or other secrets were stolen. These breaches highlight the need for security and more specifically, secrets management, to play a more prominent part of the DevOps tool discussion. Secrets grant access to machines that contain valuable data and allow attackers to spread a breach. Tools that focus on secret management are key to securing DevOps. Ultimately, the most important DevSecOps tools are those that easily allow companies to identify and remove exposed secrets — making applications more secure without disrupting DevOps workflows or velocity.
John Walsh
Technology Evangelist, CyberArk

DATA MASKING

DevSecOps is about to encounter a major challenge and, as a direct consequence, a data masking solution will become the essential tool many organizations will need. The challenge is the General Data Protection Regulation (GDPR) which introduces new rules about data privacy for any organization holding the personal data of European citizens, and increased penalties for non-compliance. The outcome will be a change in the way databases are developed because many organizations use copies of production databases in development and testing to ensure changes are not breaking changes.
Personal data in those copies will now need to be masked using measures like pseudonymization, encryption, anonymization and aggregation. Static data masking tools will give organizations the ability to meet the new expectations for data privacy while at the same time retaining the advantages of applying DevOps principles and practices to database development. This is true DevSecOps at work.
Simon Galbraith
CEO & Co-Founder, Redgate

DATA MANAGEMENT

The tool that is able to search, enrich and create useful information out of the petabytes of data that is being generated is the most important tool to support DevSecOps. Nobody seems to realize that one data source can be valuable for both Dev, Sec and Ops.That tool doesn't need to store all the data per se but it should at least be able to get it if needed.
Coen Meerbeek
Online Performance Consultant and Founder of Blue Factory Internet

Read The Top Tools to Support DevSecOps - Part 5, the last installment, offering some final thoughts about "tools" that are not necessarily technology.

Share this

Industry News

October 17, 2019

Acquia announced the availability of its new Developer Studio, a suite of tools designed to improve the productivity of Drupal developers.

October 17, 2019

Talend announced Talend Cloud is now available on Microsoft Azure, offering a secure and scalable Integration Platform-as-a-Service for collecting, transforming and cleaning data.

With embedded data quality and native integration performance, Talend Cloud on Microsoft Azure delivers the trusted data companies need to make real-time business decisions, accelerate advanced analytics, and meet regulatory compliance requirements.

October 17, 2019

Cognizant entered into an agreement to acquire Contino, a privately-held technology consulting firm.

October 16, 2019

Red Hat announced Red Hat OpenShift 4.2, the latest version of Red Hat’s enterprise Kubernetes platform designed to deliver a more powerful developer experience.

October 16, 2019

Gluware announced Gluware Automation v3.6, which extends the platform API capabilities including integrations with the Mist and Ansible platforms and introduces lifecycle management and infrastructure integration enhancements.

October 16, 2019

XebiaLabs announced that Wipro has renewed and extended its partnership with XebiaLabs as their Strategic Enterprise DevOps Partner across the globe.

October 15, 2019

Puppet announced enhancements to its current product portfolio and the public beta of a new project focused on providing a simplified continuous deployment workflow.

October 15, 2019

DBmaestro expanded its database automation platform to enable CI/CD and release automation for MySQL, MariaDB and Amazon RDS with DBmaestro DevOps Platform v2019.4.

October 15, 2019

Radware announced the launch of Radware Kubernetes Web Application Firewall (WAF), a comprehensive and highly scalable application security solution for Kubernetes-based environments.

October 10, 2019

CloudBees launched a new partner program that expands ISV partners’ ability to align with CloudBees offerings and the global Jenkins community.

October 08, 2019

Nureva announced a key update to the Jira Software integration with Span Workspace, Nureva’s cloud-based digital canvas for visual planning and collaboration.

October 08, 2019

Fugue announced support for Open Policy Agent (OPA), an open source general-purpose policy engine and language for cloud infrastructure.

October 03, 2019

Redgate announced the launch of SQL Compare v14, the latest version of its industry standard tool for quickly and accurately comparing and deploying SQL Server databases.

October 03, 2019

Harness announced the release of Continuous Insights, a new capability of its CD platform that enables organizations to see clearly into software delivery performance across their engineering and development teams without needing to manually collect, correlate, and report metrics that might take days or weeks.

October 03, 2019

OutSystems and Workato announced a partnership aimed at allowing organizations to rapidly realize innovation, time to value, productivity, and mission-critical objectives through readily available application connectors.