The Top Tools to Support DevSecOps - Part 4
May 29, 2018

DEVOPSdigest asked experts from across the IT industry — from analysts and consultants to users and the top vendors — for their opinions on the top tools to support DevSecOps. Part 4 covers code and data.

Start with The Top Tools to Support DevSecOps - Part 1

Start with The Top Tools to Support DevSecOps - Part 2

Start with The Top Tools to Support DevSecOps - Part 3

CONFIGURATION MANAGEMENT

The DevOps and security relationship is not, to put it delicately, without its complications. Even seemingly simple tasks can put the two camps on opposite sides. But there is one area both disciplines can get behind: configuration management. Security professionals know how misconfigurations create huge security holes. And DevOps professionals see configuration management as nothing more than a necessary evil. So configuration management gets my vote as the top DevSecOps priority, as many of the recent data leaks in public clouds have been attributed to misconfiguration of cloud resources. Not all cloud security solutions are equally adept at config management, so look for solutions that continually monitor configurations, compare results to best practices, especially security best practices, and integrate configuration as part of a broader and more comprehensive cloud security approach.
Sanjay Kalra
Founder & Chief Product Officer, Lacework

SELF-PROVISIONED PRIVATE CLOUD

DevSecOps teams need immediate access to resources so they can engage in agile software development, but their IT departments are concerned about controlling the cost of public clouds and controlling access and security. The solution is a self-provisioned private cloud that gives each developer his/her own set of tools, making it possible for individual developers to create customized DevOps workbenches with single-click application and resource provisioning. With this solution, DevOps teams get the agile development platform they need while the IT department regains control over spending and security.
Kamesh Pemmaraju
VP Product Management, ZeroStack

CODE ANALYSIS SCANNER

With an ever-faster cycle time from idea to production, and engineers using an increasing number of open source components in their software, you need a tool for scanning third-party libraries. This is vital for avoiding the use of wrong license types. As more and more small changes move to production, embedding static code analysis scanners in your daily pipelines helps you avoid pushing insecure software forward and speeds the feedback cycle to your engineers.
Andreas Prins
VP of Product Development, XebiaLabs

CODE LEVEL ANALYSIS TOOLS

DevSecOps is all about "shift-left", simply said, that means trying to avoid procrastination in security governance. That's why code-level analysis tools, enabling "white-box" testing by examining static code for vulnerabilities, should be seriously considered. As a matter of fact, the sooner vulnerabilities are detected the lower cost of fixing will be.
Yann Guernion
Product Marketing Director, Workload Automation, CA Automation

SOURCE CODE CONTROL

A robust, extensible system for source code control cannot be overemphasized. Your application code, your infrastructure code, all your important stuff is in one place, even if it is constantly changing. This provides a one-stop shop for all your security automation needs, very early on in the development process, where potential vulnerabilities are easier and cheaper to fix. Really, it's not just one tool. There is never One Thing that solves all (or even most!) of your problems. The real benefit is the capacity to run and maintain multiple tools as well as the ability to glue commercial tools together with custom code to make it all work for your specific environment.
Doug DePerry
Director, Product Security, Datadog

CODE REPOSITORY

The most important tool that an organization needs to support DevSecOps is a code repository because security, like all other aspects of DevOps should be managed as code.
Reuven Harrison
CTO and Co-founder, Tufin

POLICY AS CODE

In order to implement DevSecOps effectively, you need to automate cloud security and compliance at scale, and throughout the lifecycle. To do this, your policies must be expressed as source-controlled policy-as-code, and that code must be enforced before deployment, and all the way through the lifecycle. Manual checklists and audits are insufficient to govern fast-changing cloud infrastructure, and they bring significant risk due to human error. Enforcing policy only on provisioning opens you up to configuration drift, which is where most policy infractions occur. Policy-as-code enables true DevSecOps collaboration and provides the ability to automate security and compliance enforcement for the entire cloud infrastructure lifecycle, from design to provisioning to ongoing operations.
Josh Stella
CEO, Fugue

SECRETS MANAGEMENT

When compiling a list of the most important DevSecOps tools, it is essential to look back at recent high-profile breaches — where AWS access keys, API keys, passwords or other secrets were stolen. These breaches highlight the need for security and more specifically, secrets management, to play a more prominent part of the DevOps tool discussion. Secrets grant access to machines that contain valuable data and allow attackers to spread a breach. Tools that focus on secret management are key to securing DevOps. Ultimately, the most important DevSecOps tools are those that easily allow companies to identify and remove exposed secrets — making applications more secure without disrupting DevOps workflows or velocity.
John Walsh
Technology Evangelist, CyberArk

DATA MASKING

DevSecOps is about to encounter a major challenge and, as a direct consequence, a data masking solution will become the essential tool many organizations will need. The challenge is the General Data Protection Regulation (GDPR) which introduces new rules about data privacy for any organization holding the personal data of European citizens, and increased penalties for non-compliance. The outcome will be a change in the way databases are developed because many organizations use copies of production databases in development and testing to ensure changes are not breaking changes.
Personal data in those copies will now need to be masked using measures like pseudonymization, encryption, anonymization and aggregation. Static data masking tools will give organizations the ability to meet the new expectations for data privacy while at the same time retaining the advantages of applying DevOps principles and practices to database development. This is true DevSecOps at work.
Simon Galbraith
CEO & Co-Founder, Redgate

DATA MANAGEMENT

The tool that is able to search, enrich and create useful information out of the petabytes of data that is being generated is the most important tool to support DevSecOps. Nobody seems to realize that one data source can be valuable for both Dev, Sec and Ops.That tool doesn't need to store all the data per se but it should at least be able to get it if needed.
Coen Meerbeek
Online Performance Consultant and Founder of Blue Factory Internet

Read The Top Tools to Support DevSecOps - Part 5, the last installment, offering some final thoughts about "tools" that are not necessarily technology.

Share this

Industry News

October 22, 2020

Puppet announced Puppet Comply, a new product built to work with Puppet Enterprise aimed at assessing, remediating, and enforcing infrastructure configuration compliance policies at scale across traditional and cloud environments.

October 22, 2020

Harness announced two new modules: Continuous Integration Enterprise and Continuous Features.

October 22, 2020

Render announced automatic preview environments which are essential for rapid and collaborative development of modern applications.

October 21, 2020

Conducto is launching a toolkit for simplifying complex CI/CD and data science pipelines, having raised $3 million in seed funding led by Jump Capital.

October 21, 2020

Snyk Intel vulnerability database will be integrated into IBM Cloud security capabilities to enhance security for enterprise workloads.

October 21, 2020

Accurics announced $20 million across seed and series A financing raised in the past six months, with Intel Capital leading the Series A and ClearSky leading the seed.

October 20, 2020

Splunk announced the Splunk Observability Suite, the most comprehensive and powerful combination of monitoring, investigation, and troubleshooting solutions designed to help organizations become cloud-ready and accelerate their digital transformation.

October 20, 2020

Tricentis announced Vision AI, the core technology that will now power Tosca.

October 20, 2020

MuseDev has extended its code analysis platform to deliver bug reports via Github's code scanning UI.

October 20, 2020

Digital Shadows announced the ability to detect exposed access keys.

October 19, 2020

StackRox and Robin.io announced a new partnership bringing together Robin’s application-focused approach to Kubernetes data management with StackRox’s Kubernetes-native security and compliance capabilities.

October 19, 2020

PubNub announced new Chat UI Kits to streamline chat development.

October 19, 2020

Secure Code Warrior announced support for GitHub’s new code scanning functionality in conjunction with a new collaboration with Snyk.

October 15, 2020

Couchbase announced version 2.8 of Couchbase Lite and Couchbase Sync Gateway for mobile and edge computing applications.

October 15, 2020

Kong unveiled the private beta release of Kong Konnect, a full-stack platform for cloud native applications delivered as a service.