The Top Tools to Support DevSecOps - Part 4
May 29, 2018

DEVOPSdigest asked experts from across the IT industry — from analysts and consultants to users and the top vendors — for their opinions on the top tools to support DevSecOps. Part 4 covers code and data.

Start with The Top Tools to Support DevSecOps - Part 1

Start with The Top Tools to Support DevSecOps - Part 2

Start with The Top Tools to Support DevSecOps - Part 3

CONFIGURATION MANAGEMENT

The DevOps and security relationship is not, to put it delicately, without its complications. Even seemingly simple tasks can put the two camps on opposite sides. But there is one area both disciplines can get behind: configuration management. Security professionals know how misconfigurations create huge security holes. And DevOps professionals see configuration management as nothing more than a necessary evil. So configuration management gets my vote as the top DevSecOps priority, as many of the recent data leaks in public clouds have been attributed to misconfiguration of cloud resources. Not all cloud security solutions are equally adept at config management, so look for solutions that continually monitor configurations, compare results to best practices, especially security best practices, and integrate configuration as part of a broader and more comprehensive cloud security approach.
Sanjay Kalra
Founder & Chief Product Officer, Lacework

SELF-PROVISIONED PRIVATE CLOUD

DevSecOps teams need immediate access to resources so they can engage in agile software development, but their IT departments are concerned about controlling the cost of public clouds and controlling access and security. The solution is a self-provisioned private cloud that gives each developer his/her own set of tools, making it possible for individual developers to create customized DevOps workbenches with single-click application and resource provisioning. With this solution, DevOps teams get the agile development platform they need while the IT department regains control over spending and security.
Kamesh Pemmaraju
VP Product Management, ZeroStack

CODE ANALYSIS SCANNER

With an ever-faster cycle time from idea to production, and engineers using an increasing number of open source components in their software, you need a tool for scanning third-party libraries. This is vital for avoiding the use of wrong license types. As more and more small changes move to production, embedding static code analysis scanners in your daily pipelines helps you avoid pushing insecure software forward and speeds the feedback cycle to your engineers.
Andreas Prins
VP of Product Development, XebiaLabs

CODE LEVEL ANALYSIS TOOLS

DevSecOps is all about "shift-left", simply said, that means trying to avoid procrastination in security governance. That's why code-level analysis tools, enabling "white-box" testing by examining static code for vulnerabilities, should be seriously considered. As a matter of fact, the sooner vulnerabilities are detected the lower cost of fixing will be.
Yann Guernion
Product Marketing Director, Workload Automation, CA Automation

SOURCE CODE CONTROL

A robust, extensible system for source code control cannot be overemphasized. Your application code, your infrastructure code, all your important stuff is in one place, even if it is constantly changing. This provides a one-stop shop for all your security automation needs, very early on in the development process, where potential vulnerabilities are easier and cheaper to fix. Really, it's not just one tool. There is never One Thing that solves all (or even most!) of your problems. The real benefit is the capacity to run and maintain multiple tools as well as the ability to glue commercial tools together with custom code to make it all work for your specific environment.
Doug DePerry
Director, Product Security, Datadog

CODE REPOSITORY

The most important tool that an organization needs to support DevSecOps is a code repository because security, like all other aspects of DevOps should be managed as code.
Reuven Harrison
CTO and Co-founder, Tufin

POLICY AS CODE

In order to implement DevSecOps effectively, you need to automate cloud security and compliance at scale, and throughout the lifecycle. To do this, your policies must be expressed as source-controlled policy-as-code, and that code must be enforced before deployment, and all the way through the lifecycle. Manual checklists and audits are insufficient to govern fast-changing cloud infrastructure, and they bring significant risk due to human error. Enforcing policy only on provisioning opens you up to configuration drift, which is where most policy infractions occur. Policy-as-code enables true DevSecOps collaboration and provides the ability to automate security and compliance enforcement for the entire cloud infrastructure lifecycle, from design to provisioning to ongoing operations.
Josh Stella
CEO, Fugue

SECRETS MANAGEMENT

When compiling a list of the most important DevSecOps tools, it is essential to look back at recent high-profile breaches — where AWS access keys, API keys, passwords or other secrets were stolen. These breaches highlight the need for security and more specifically, secrets management, to play a more prominent part of the DevOps tool discussion. Secrets grant access to machines that contain valuable data and allow attackers to spread a breach. Tools that focus on secret management are key to securing DevOps. Ultimately, the most important DevSecOps tools are those that easily allow companies to identify and remove exposed secrets — making applications more secure without disrupting DevOps workflows or velocity.
John Walsh
Technology Evangelist, CyberArk

DATA MASKING

DevSecOps is about to encounter a major challenge and, as a direct consequence, a data masking solution will become the essential tool many organizations will need. The challenge is the General Data Protection Regulation (GDPR) which introduces new rules about data privacy for any organization holding the personal data of European citizens, and increased penalties for non-compliance. The outcome will be a change in the way databases are developed because many organizations use copies of production databases in development and testing to ensure changes are not breaking changes.
Personal data in those copies will now need to be masked using measures like pseudonymization, encryption, anonymization and aggregation. Static data masking tools will give organizations the ability to meet the new expectations for data privacy while at the same time retaining the advantages of applying DevOps principles and practices to database development. This is true DevSecOps at work.
Simon Galbraith
CEO & Co-Founder, Redgate

DATA MANAGEMENT

The tool that is able to search, enrich and create useful information out of the petabytes of data that is being generated is the most important tool to support DevSecOps. Nobody seems to realize that one data source can be valuable for both Dev, Sec and Ops.That tool doesn't need to store all the data per se but it should at least be able to get it if needed.
Coen Meerbeek
Online Performance Consultant and Founder of Blue Factory Internet

Read The Top Tools to Support DevSecOps - Part 5, the last installment, offering some final thoughts about "tools" that are not necessarily technology.

Share this

Industry News

February 27, 2020

Datadog announced an integration with Nessus from Tenable.

February 27, 2020

Talend announced the Winter ‘20 release of Talend Data Fabric.

February 27, 2020

Alcide announced that the Alcide Kubernetes Security Platform now supports compliance scans for PCI and GDPR, enabling DevOps to deliver regulatory compliance checks rapidly and seamlessly alongside Alcide’s leading Kubernetes security capabilities.

February 26, 2020

Perforce Software released a free tool for organizations considering open source software - OpenLogic Stack Builder.

February 26, 2020

Applause announced a new partnership with Infosys to provide broader end-to-end digital experience testing services to clients.

February 26, 2020

RapidMiner announced the release of its platform enhancement, RapidMiner 9.6. This update prioritizes people – not technology – at the center of the enterprise AI journey, providing new, unique experiences to empower users of varying backgrounds and abilities.

February 25, 2020

JFrog announced the availability of the "JFrog Platform," a hybrid, multi-cloud, universal DevOps platform.

February 25, 2020

Nureva added new agile canvas templates to Span Workspace, including a heat map developed by Jeff Sutherland, the co-creator of Scrum and founder of Scrum Inc. and Scrum@Scale.

February 25, 2020

Agiloft announced the addition of its new Agiloft AI Engine, complete with prebuilt AI Capabilities for contract management and an open AI integration that allows customers to incorporate custom-built AI tools into the no-code platform.

February 24, 2020

Cloudify announced that its latest product update - Cloudify version 5 - features an Environment as a Service component, designed to achieve consistent delivery and management of hybrid-cloud services and network infrastructures across CI/CD pipelines - at scale.

February 24, 2020

Checkmarx announced new enhancements to its Software Security Platform to empower more seamless implementation and automation of application security testing (AST) in modern development and DevOps environments.

February 24, 2020

Rapid7 and Snyk announced a strategic partnership to deliver end-to-end application security to organizations developing cloud native applications.

February 20, 2020

The American Council for Technology and Industry Advisory Council (ACT-IAC), the premier public-private partnership dedicated to advancing government through the application of information technology, officially announced the release of the DevOps Primer.

It was produced through a collaborative, volunteer effort by a working group from government and industry, hosted by the ACT-IAC Emerging Technology Community of Interest (COI).

February 20, 2020

DLT Solutions, a subsidiary of Tech Data, launched the Secure Software Factory (SSF), a framework that provides the U.S. public sector with consistent development and deployment of high-quality, scalable, resilient and secure software throughout an application’s lifecycle.

February 20, 2020

Netography announced the general availability of the company’s Security Operations Platform.