Puppet announced Puppet Comply, a new product built to work with Puppet Enterprise aimed at assessing, remediating, and enforcing infrastructure configuration compliance policies at scale across traditional and cloud environments.
DEVOPSdigest asked experts from across the IT industry — from analysts and consultants to users and the top vendors — for their opinions on the top tools to support DevSecOps. Part 4 covers code and data.
Start with The Top Tools to Support DevSecOps - Part 1
Start with The Top Tools to Support DevSecOps - Part 2
Start with The Top Tools to Support DevSecOps - Part 3
The DevOps and security relationship is not, to put it delicately, without its complications. Even seemingly simple tasks can put the two camps on opposite sides. But there is one area both disciplines can get behind: configuration management. Security professionals know how misconfigurations create huge security holes. And DevOps professionals see configuration management as nothing more than a necessary evil. So configuration management gets my vote as the top DevSecOps priority, as many of the recent data leaks in public clouds have been attributed to misconfiguration of cloud resources. Not all cloud security solutions are equally adept at config management, so look for solutions that continually monitor configurations, compare results to best practices, especially security best practices, and integrate configuration as part of a broader and more comprehensive cloud security approach.
Founder & Chief Product Officer, Lacework
SELF-PROVISIONED PRIVATE CLOUD
DevSecOps teams need immediate access to resources so they can engage in agile software development, but their IT departments are concerned about controlling the cost of public clouds and controlling access and security. The solution is a self-provisioned private cloud that gives each developer his/her own set of tools, making it possible for individual developers to create customized DevOps workbenches with single-click application and resource provisioning. With this solution, DevOps teams get the agile development platform they need while the IT department regains control over spending and security.
VP Product Management, ZeroStack
CODE ANALYSIS SCANNER
With an ever-faster cycle time from idea to production, and engineers using an increasing number of open source components in their software, you need a tool for scanning third-party libraries. This is vital for avoiding the use of wrong license types. As more and more small changes move to production, embedding static code analysis scanners in your daily pipelines helps you avoid pushing insecure software forward and speeds the feedback cycle to your engineers.
VP of Product Development, XebiaLabs
CODE LEVEL ANALYSIS TOOLS
DevSecOps is all about "shift-left", simply said, that means trying to avoid procrastination in security governance. That's why code-level analysis tools, enabling "white-box" testing by examining static code for vulnerabilities, should be seriously considered. As a matter of fact, the sooner vulnerabilities are detected the lower cost of fixing will be.
Product Marketing Director, Workload Automation, CA Automation
SOURCE CODE CONTROL
A robust, extensible system for source code control cannot be overemphasized. Your application code, your infrastructure code, all your important stuff is in one place, even if it is constantly changing. This provides a one-stop shop for all your security automation needs, very early on in the development process, where potential vulnerabilities are easier and cheaper to fix. Really, it's not just one tool. There is never One Thing that solves all (or even most!) of your problems. The real benefit is the capacity to run and maintain multiple tools as well as the ability to glue commercial tools together with custom code to make it all work for your specific environment.
Director, Product Security, Datadog
The most important tool that an organization needs to support DevSecOps is a code repository because security, like all other aspects of DevOps should be managed as code.
CTO and Co-founder, Tufin
POLICY AS CODE
In order to implement DevSecOps effectively, you need to automate cloud security and compliance at scale, and throughout the lifecycle. To do this, your policies must be expressed as source-controlled policy-as-code, and that code must be enforced before deployment, and all the way through the lifecycle. Manual checklists and audits are insufficient to govern fast-changing cloud infrastructure, and they bring significant risk due to human error. Enforcing policy only on provisioning opens you up to configuration drift, which is where most policy infractions occur. Policy-as-code enables true DevSecOps collaboration and provides the ability to automate security and compliance enforcement for the entire cloud infrastructure lifecycle, from design to provisioning to ongoing operations.
When compiling a list of the most important DevSecOps tools, it is essential to look back at recent high-profile breaches — where AWS access keys, API keys, passwords or other secrets were stolen. These breaches highlight the need for security and more specifically, secrets management, to play a more prominent part of the DevOps tool discussion. Secrets grant access to machines that contain valuable data and allow attackers to spread a breach. Tools that focus on secret management are key to securing DevOps. Ultimately, the most important DevSecOps tools are those that easily allow companies to identify and remove exposed secrets — making applications more secure without disrupting DevOps workflows or velocity.
Technology Evangelist, CyberArk
DevSecOps is about to encounter a major challenge and, as a direct consequence, a data masking solution will become the essential tool many organizations will need. The challenge is the General Data Protection Regulation (GDPR) which introduces new rules about data privacy for any organization holding the personal data of European citizens, and increased penalties for non-compliance. The outcome will be a change in the way databases are developed because many organizations use copies of production databases in development and testing to ensure changes are not breaking changes.
Personal data in those copies will now need to be masked using measures like pseudonymization, encryption, anonymization and aggregation. Static data masking tools will give organizations the ability to meet the new expectations for data privacy while at the same time retaining the advantages of applying DevOps principles and practices to database development. This is true DevSecOps at work.
CEO & Co-Founder, Redgate
The tool that is able to search, enrich and create useful information out of the petabytes of data that is being generated is the most important tool to support DevSecOps. Nobody seems to realize that one data source can be valuable for both Dev, Sec and Ops.That tool doesn't need to store all the data per se but it should at least be able to get it if needed.
Online Performance Consultant and Founder of Blue Factory Internet
Read The Top Tools to Support DevSecOps - Part 5, the last installment, offering some final thoughts about "tools" that are not necessarily technology.