The Top Tools to Support DevSecOps - Part 2
May 22, 2018

DEVOPSdigest asked experts from across the IT industry — from analysts and consultants to users and the top vendors — for their opinions on the top tools to support DevSecOps. Part 2 covers DevOps and development.

Start with The Top Tools to Support DevSecOps - Part 1

Value stream management

DevSecOps is intimidating to enterprises because a comprehensive approach involves a variety of methods and testing across the lifecycle. The best way to begin a DevSecOps journey is to first understand what security objectives you want to address. Part of this first evaluation step involves looking at the DevSecOps tool landscape to understand what can be addressed and align capabilities with your objectives. Implementation will likely be incremental based on perceived payoffs but needs to be aligned with your DevOps strategy without losing site of automation and scalability needs. Value stream management (VSM) can be a useful approach for aligning GRC, DevOps, and DevSecOps activities.
Stephen D. Hendrick
Research Director, Application Development & Management, Enterprise Management Associates (EMA)

SECURITY AUTOMATION

Missing from past lists of DevOps tools has been a discussion of how to automate security and compliance. I think this is an oversight. If DevOps is about people and processes more than tools, then it's important security professionals be brought along on the journey to high-velocity software delivery. Given the number of high-profile security breaches over the last few years — many based upon exploitation of previously-disclosed vulnerabilities — it's clear that whatever we're doing right now, including relying on manual processes, just isn't working. Integrating security practices right into the delivery process not only makes better software; it also enables teams to ship faster.
Julian Dunn
Director of Product Marketing, Chef

Real users in the IT Central Station community discuss various tools they use for DevSecOps. These include application security, SIEM, threat intelligence platforms, cloud workload security, and vulnerability management solutions. A common theme in reviews of these solutions is the need to automate as much as possible in order to successfully support the DevSecOps process.
Russell Rothstein
Founder and CEO, IT Central Station

DevOps is about moving fast, delivering fast, making mistakes and fixing them fast. Therefore the most basic requirement of a DevSecOps tool is to adapt to the "need for speed." Automation is key to achieve this and leveraging existing automation techniques to cover some application security aspects can be a very valuable and efficient way to integrate security.
Amit Ashbel
Director of Product Marketing & Cyber Security Evangelist, Checkmarx

DEVOPS AUTOMATION PLATFORM

I strongly believe that the tool that best supports DevSecOps initiatives is what I would call a DevOps tool. Namely, having a common automation platform across all your infrastructure that can deliver automated infrastructure as code. Being able to plan infrastructure and application changes in code, along with robust automated processes for deploying these changes, is what enables your security teams to "shift left" in the software delivery lifecycle, and to build their own automated processes for improving security agility and velocity.
Nigel Kersten
Chief Technical Strategist, Puppet

The foremost question that organizations need to ask themselves is: "Why do I need DevSecOps?" Once your primary objectives are sorted, the process continues seamlessly, where security is integrated within the coding process to expose any possible vulnerabilities within your software application. Automation plays a key role for even setting up DevSecOps environments, where a strong DevSecOps strategy must leverage tools that boost Continuous Integration, Continuous Testing, Configuration Management and Deployment, Continuous Monitoring, and finally orchestration.
Komal Lopez
Marketing Manager, Cigniti Technologies

CONTINUOUS INTEGRATION AND DELIVERY (CI/CD)

The automated CI/CD pipeline is really the driving force behind all DevSecOps initiatives. That uncompromising, unfake-able, push to automate the end-to-end delivery of software is what forces teams to collaborate, tough decisions to be made on processes, and investment in modern infrastructure. It's hard to see a successful DevSecOps initiative without a solid CI solution at its core.
Antony Edwards
CTO, Eggplant

CONTAINER VISIBILITY AND MANAGEMENT

Containers enable the agility and stability required for a successful DevOps deployment. 2 Factor Discovery that provides not only visibility into the container workload but also mini os is paramount for security and enabling production deployment. First factor is discovering the container is on the system. Second factor is discovering applications, patches, services, etc in the container itself. Some of the first 2 Factor Discovery solutions date back to 2009 with the first container products. Recommend asking your discovery and/or security vendor if they have this capability before picking up a new solution.
Jeanne Morain
Author and Strategist, iSpeak Cloud

Kubernetes is the operating system for the next decade and a prerequisite for all security services. Kubernetes already has a strong connection to secrets, machine identities, image signing, encryption and more; this makes it a great platform for DevSecOps teams. Security teams should ditch the old standalone ideas of what security looks like and embrace Kubernetes. The future of the DevOps is going to integrate with or run on Kubernetes.
Kevin Bocek
VP of Security Strategy and Threat Intelligence, Venafi

CONTAINER SECURITY

I am a strong believer in fundamentals. Anytime I am faced with a broad question like this, I always go back to foundations. Construct a building on unstable soil, what is bound to happen to the building? I see DevSecOps the same way. Ultimately, you are only as secure as the code that is being written. Most practitioners in DevOps are familiar with the concept of "Shift-Left" when it comes to software testing and deployment. Truly, shift-left in DevSecOps is moving security closer to the developers to mitigate potential foundational security events before they start. A must-have tool that embraces and accelerates the adoption of these fundamental ideas would be an automated and scalable container security solution.
Brad Bussie, MBA, CISSP
Principal Security Strategist, Trace3

APPLICATION RELEASE ORCHESTRATION

It is 30 times cheaper to fix a security defect in Development vs. Production, yet Security is often treated as an afterthought and as a bottleneck. By adopting the use of a secure Application Release Orchestration solution, teams can build security and quality checks earlier into their software delivery process. By leveraging a delivery pipeline that can easily adapt to accommodate new process requirements, regulatory requirements (like GDPR), or technology, teams are able to evolve the pipeline, incrementally, in a managed and safe way. This model for continuous improvement, and the ability to rehearse these changes in lower (dev/qa) environments make it safer for developers to experiment with new technology, while giving operations teams the assurance that appropriate testing and approvals are in place before deploying into production.
Anders Wallgren
CTO, Electric Cloud

LIFECYCLE MANAGEMENT

In today's complex software delivery landscape, DevSecOps success in larger organizations depends on sharing information, status and plans in real-time across the enterprise. Executives must make and carry out informed decisions, and everyone in the organization must be aligned with the strategy. This can only be achieved by using an enterprise-ready lifecycle management system, to provide visibility into product and team backlogs, and the progress, status, quality, and security of each backlog item. It will provide insights into the continuous integration server, connecting each build to its associated backlog items, and offer stakeholders a live dashboard view of key performance indicators. As the organization grows, the lifecycle management system will scale alongside it, continuing to enable effective cross-team, cross-project and cross-portfolio collaboration, guaranteeing end-to-end compliance with security, privacy and other regulatory requirements, and supporting DevSecOps across the entire enterprise.
Malcolm Isaacs
Solutions Marketing Manager, Application Delivery Management, Micro Focus

Read The Top Tools to Support DevSecOps - Part 3, covering security and monitoring.

The Latest

August 15, 2018

Microservices are a hot topic in IT circles these days. The idea of a modular approach to system building – where you have numerous, smaller software services that talk to each other instead of monolithic components – has many benefits ...

August 13, 2018

Agile is expanding within the enterprise. Agile adoption is growing within organizations, both more broadly and deeply, according to the 12th annual State of Agile report from CollabNet VersionOne. A higher percentage of respondents this year report that "all or almost all" of their teams are agile, and that agile principles and practices are being adopted at higher levels in the organization ...

August 09, 2018

For the past 13 years, the Ponemon Institute has examined the cost associated with data breaches of less than 100,000 records, finding that the costs have steadily risen over the course of the study. The average cost of a data breach was $3.86 million in the 2018 study, compared to $3.50 million in 2014 – representing nearly 10 percent net increase over the past 5 years of the study ...

August 08, 2018

Hidden costs in data breaches – such as lost business, negative impact on reputation and employee time spent on recovery – are difficult and expensive to manage, according to the 2018 Cost of a Data Breach Study, sponsored by IBM Security and conducted by Ponemon Institute. The study found that the average cost of a data breach globally is $3.86 million ...

August 06, 2018

The previous chapter in this WhiteHat Security series discussed dependencies as the second step of the Twelve-Factor App. This next chapter examines the security component of step three of the Twelve-Factor methodology — storing configurations within the environment.

Share this