Genkit for Node.js is now at version 1.0 and ready for production use.
Today, cyber threats can come from so many directions, it is a daunting challenge to protect against them. Starting from the beginning, during the development stage, and following through to the operations stage is the comprehensive strategy that progressive organizations are adopting. This combination of DevOps and Security has earned the name DevSecOps.
The goal of DevSecOps is to make everyone in the software development life cycle responsible for security. While DevSecOps, much like DevOps itself, is more about changing IT culture and people's mindsets than employing certain types of technology, some tools can be an important support. But they have to be the right tools.
"Over the last five years, we have watched organizations attempt to achieve a complete security transformation by applying Band-Aids — such as the purchase of peripheral products or dismantling of solutions — only to find poor results and poor business alignment," said Matthew Shriner, VP, Security Professional Services, Micro Focus(link is external).
To find out what the right tools are, DEVOPSdigest asked experts from across the IT industry — from analysts and consultants to users and the top vendors — for their opinions on the top tools to support DevSecOps. Posted in 5 parts over the next two weeks, this list represents a cross-section of tools that can support your DevSecOps initiative, including development, DevOps, IT Ops and security tools. Part 1 covers the testing phase.
TEST AUTOMATION
DevSecOps is quickly becoming more mainstream as IT organizations continue to seek out solutions and tools to enable security testing in the development phase. While there is no magic do-it-all tool when it comes to security, bringing together DevOps and security through automated testing tools is a logical first step. Organizations are discovering how this "shift left" approach through automation can create repeatable and consistent processes to ensure a security standard, as new applications or processes are implemented. By building this kind of automation into your organization, you are enforcing the process without taking up extra resources or needing a separate security team.
Aruna Ravichandran
VP of DevOps Product and Solutions Marketing, CA Technologies(link is external)
SECURITY UNIT TESTING
In working with our customers it has become clear that application security testing must adapt to the continuous development cycle created by DevOps and CI/CD environments. By enabling developers to test early and often in the development lifecycle and integrating into the existing development toolchains, Security Unit Testing tools that scan for application security flaws in real time while developers are working support developers to achieve their goals while simultaneously enabling organizations to adopt DevSecOps, making secure code one more dimension of quality code.
Janet Worthington
Product Manager, CA Veracode(link is external)
APPLICATION SECURITY TESTING
The most important security tool for DevSecOps is the tool that is invisible to the DevOps programs main goal. DevOps main goal is to be flexible to change and to release software quickly. Security tools need to be part of the DevOps program but not in a way that changes the goals or timelines of the program itself. A few examples of these "invisible" or "non-intrusive" security tools are SAST (Static Application Security Testing) and IAST (Interactive Application Security Testing). Both SAST and DAST fit within the DevOps tool chain but provide security vulnerability information generated from the process as a side benefit to the actual goal of releasing software
Matt Rose
Global Director Application Security Strategy, Checkmarx(link is external)
The most critical tool in the DevSecOps pipeline is IAST (Interactive Application Security Testing). Legacy static and dynamic scanners are disruptive with both the time they take to run and the amount of false positives they generate. IAST layers on existing DevOps pipelines without changing anything about how code is written, built, tested, or deployed. Because IAST runs in the background during normal development, CI/CD, and QA activities, it's not disruptive. Instead of a 500 page PDF file, developers can get highly accurate, real time vulnerability telemetry through integrations with all the tools they are already using. Using IAST, organizations can accelerate and fully automate secure code delivery and deployment, without an extra security step. And security teams can step away from the critical deployment path and focus on more important issues like threat modeling, security architecture, and runtime protection.
Jeff Williams
Co-Founder and CTO, Contrast Security(link is external)
INTEGRATION TESTING
Bringing three disciplines together is fraught with challenges. It is critical to rapidly and effectively test integration points for functionality, operational efficiency, and security requirements. You can't really continuously deploy code, but you can continuously test. You need tools that enable the creation of testing environments, execution of test plans, and provide real-time feedback for all testing metrics. These tools also need to be able to validate deployments, identify when deployment issues arise, and reduce the mean-time-to-restore should you need to rollback unsuccessful code.
Tim Coats
Director of Applied Innovation, Trace3(link is external)
THREAT MODELING
The most important tool needed to support DevSecOps is adopting Security by Design Principles. In particular, threat modeling during the software development design phase is valuable because at this early stage time pressure is lower than during the test or release phases. One example of threat modeling is the STRIDE framework where each user story for development considers the risks of Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege. Adopting a scalable, repeatable, and collaborative threat modeling process that integrates with existing workflows provides an effective tool to manage risk and also provides a great way to spread knowledge within an organization.
Jose Casinha
Chief Information Security Officer, OutSystems(link is external)
OWASP
The most important tool to support DevSecOps is the Open Web Application Security Project's (OWASP) Top 10, a list of the most critical web application security risks. OWASP has been publishing this list since 2004, and shockingly, many of the same risks make the list year after year. Simply raising awareness of these risks among everyone involved in creating software (not just within a separate security team) is a great first step to changing the culture around security — and DevSecOps is first and foremost a cultural change.
Tim Buntel
DevOps Advocate, XebiaLabs(link is external)
Read The Top Tools to Support DevSecOps - Part 2, covering DevOps and the SDLC.
Industry News
JFrog signed a strategic collaboration agreement (SCA) with Amazon Web Services (AWS).
mabl launched of two new innovations, mabl Tools for Playwright and mabl GenAI Test Creation, expanding testing capabilities beyond the bounds of traditional QA teams.
Check Point® Software Technologies Ltd.(link is external) announced a strategic partnership with leading cloud security provider Wiz to address the growing challenges enterprises face securing hybrid cloud environments.
Jitterbit announced its latest AI-infused capabilities within the Harmony platform, advancing AI from low-code development to natural language processing (NLP).
Rancher Government Solutions (RGS) and Sequoia Holdings announced a strategic partnership to enhance software supply chain security, classified workload deployments, and Kubernetes management for the Department of Defense (DOD), Intelligence Community (IC), and federal civilian agencies.
Harness and Traceable have entered into a definitive merger agreement, creating an advanced AI-native DevSecOps platform.
Endor Labs announced a partnership with GitHub that makes it easier than ever for application security teams and developers to accurately identify and remediate the most serious security vulnerabilities—all without leaving GitHub.
Are you using OpenTelemetry? Are you planning to use it? Click here to take the OpenTelemetry survey(link is external).
GitHub announced a wave of new features and enhancements to GitHub Copilot to streamline coding tasks based on an organization’s specific ways of working.
Mirantis launched k0rdent, an open-source Distributed Container Management Environment (DCME) that provides a single control point for cloud native applications – on-premises, on public clouds, at the edge – on any infrastructure, anywhere.
Hitachi Vantara announced a new co-engineered solution with Cisco designed for Red Hat OpenShift, a hybrid cloud application platform powered by Kubernetes.
Onapsis announced Onapsis Control Central for SAP application security testing and custom code security supporting RISE with SAP transformations.
Progress(link is external) announced its recognition in the 2025 Gartner Magic Quadrant for Digital Experience Platforms.
Copado announced comprehensive DevOps support for Salesforce Data Cloud deployments, enabling organizations to streamline the development and deployment of Agentforce solutions.