The Top Tools to Support DevSecOps - Part 2
May 22, 2018

DEVOPSdigest asked experts from across the IT industry — from analysts and consultants to users and the top vendors — for their opinions on the top tools to support DevSecOps. Part 2 covers DevOps and development.

Start with The Top Tools to Support DevSecOps - Part 1

VALUE STREAM MANAGEMENT

DevSecOps is intimidating to enterprises because a comprehensive approach involves a variety of methods and testing across the lifecycle. The best way to begin a DevSecOps journey is to first understand what security objectives you want to address. Part of this first evaluation step involves looking at the DevSecOps tool landscape to understand what can be addressed and align capabilities with your objectives. Implementation will likely be incremental based on perceived payoffs but needs to be aligned with your DevOps strategy without losing sight of automation and scalability needs. Value stream management (VSM) can be a useful approach for aligning GRC, DevOps, and DevSecOps activities.
Stephen D. Hendrick
Research Director, Application Development & Management, Enterprise Management Associates (EMA)

SECURITY AUTOMATION

Missing from past lists of DevOps tools has been a discussion of how to automate security and compliance. I think this is an oversight. If DevOps is about people and processes more than tools, then it's important security professionals be brought along on the journey to high-velocity software delivery. Given the number of high-profile security breaches over the last few years — many based upon exploitation of previously-disclosed vulnerabilities — it's clear that whatever we're doing right now, including relying on manual processes, just isn't working. Integrating security practices right into the delivery process not only makes better software; it also enables teams to ship faster.
Julian Dunn
Director of Product Marketing, Chef

Real users in the IT Central Station community discuss various tools they use for DevSecOps. These include application security, SIEM, threat intelligence platforms, cloud workload security, and vulnerability management solutions. A common theme in reviews of these solutions is the need to automate as much as possible in order to successfully support the DevSecOps process.
Russell Rothstein
Founder and CEO, IT Central Station

DevOps is about moving fast, delivering fast, making mistakes and fixing them fast. Therefore the most basic requirement of a DevSecOps tool is to adapt to the "need for speed." Automation is key to achieve this and leveraging existing automation techniques to cover some application security aspects can be a very valuable and efficient way to integrate security.
Amit Ashbel
Director of Product Marketing & Cyber Security Evangelist, Checkmarx

DEVOPS AUTOMATION PLATFORM

I strongly believe that the tool that best supports DevSecOps initiatives is what I would call a DevOps tool. Namely, having a common automation platform across all your infrastructure that can deliver automated infrastructure as code. Being able to plan infrastructure and application changes in code, along with robust automated processes for deploying these changes, is what enables your security teams to "shift left" in the software delivery lifecycle, and to build their own automated processes for improving security agility and velocity.
Nigel Kersten
Chief Technical Strategist, Puppet

The foremost question that organizations need to ask themselves is: "Why do I need DevSecOps?" Once your primary objectives are sorted, the process continues seamlessly, where security is integrated within the coding process to expose any possible vulnerabilities within your software application. Automation plays a key role for even setting up DevSecOps environments, where a strong DevSecOps strategy must leverage tools that boost Continuous Integration, Continuous Testing, Configuration Management and Deployment, Continuous Monitoring, and finally orchestration.
Komal Lopez
Marketing Manager, Cigniti Technologies

CONTINUOUS INTEGRATION AND DELIVERY (CI/CD)

The automated CI/CD pipeline is really the driving force behind all DevSecOps initiatives. That uncompromising, unfake-able push to automate the end-to-end delivery of software is what forces teams to collaborate, tough decisions to be made on processes, and investment in modern infrastructure. It's hard to see a successful DevSecOps initiative without a solid CI solution at its core.
Antony Edwards
CTO, Eggplant

CONTAINER VISIBILITY AND MANAGEMENT

Containers enable the agility and stability required for a successful DevOps deployment. 2 Factor Discovery that provides not only visibility into the container workload but also mini OS is paramount for security and enabling production deployment. First factor is discovering the container is on the system. Second factor is discovering applications, patches, services, etc. in the container itself. Some of the first 2 Factor Discovery solutions date back to 2009 with the first container products. Recommend asking your discovery and/or security vendor if they have this capability before picking up a new solution.
Jeanne Morain
Author and Strategist, iSpeak Cloud

Kubernetes is the operating system for the next decade and a prerequisite for all security services. Kubernetes already has a strong connection to secrets, machine identities, image signing, encryption and more; this makes it a great platform for DevSecOps teams. Security teams should ditch the old standalone ideas of what security looks like and embrace Kubernetes. The future of DevOps is going to integrate with or run on Kubernetes.
Kevin Bocek
VP of Security Strategy and Threat Intelligence, Venafi

CONTAINER SECURITY

I am a strong believer in fundamentals. Anytime I am faced with a broad question like this, I always go back to foundations. Construct a building on unstable soil, what is bound to happen to the building? I see DevSecOps the same way. Ultimately, you are only as secure as the code that is being written. Most practitioners in DevOps are familiar with the concept of "Shift-Left" when it comes to software testing and deployment. Truly, shift-left in DevSecOps is moving security closer to the developers to mitigate potential foundational security events before they start. A must-have tool that embraces and accelerates the adoption of these fundamental ideas would be an automated and scalable container security solution.
Brad Bussie, MBA, CISSP
Principal Security Strategist, Trace3

APPLICATION RELEASE ORCHESTRATION

It is 30 times cheaper to fix a security defect in Development vs. Production, yet Security is often treated as an afterthought and as a bottleneck. By adopting the use of a secure Application Release Orchestration solution, teams can build security and quality checks earlier into their software delivery process. By leveraging a delivery pipeline that can easily adapt to accommodate new process requirements, regulatory requirements (like GDPR), or technology, teams are able to evolve the pipeline, incrementally, in a managed and safe way. This model for continuous improvement, and the ability to rehearse these changes in lower (dev/qa) environments make it safer for developers to experiment with new technology, while giving operations teams the assurance that appropriate testing and approvals are in place before deploying into production.
Anders Wallgren
CTO, Electric Cloud

LIFECYCLE MANAGEMENT

In today's complex software delivery landscape, DevSecOps success in larger organizations depends on sharing information, status and plans in real-time across the enterprise. Executives must make and carry out informed decisions, and everyone in the organization must be aligned with the strategy. This can only be achieved by using an enterprise-ready lifecycle management system, to provide visibility into product and team backlogs, and the progress, status, quality, and security of each backlog item. It will provide insights into the continuous integration server, connecting each build to its associated backlog items, and offer stakeholders a live dashboard view of key performance indicators. As the organization grows, the lifecycle management system will scale alongside it, continuing to enable effective cross-team, cross-project and cross-portfolio collaboration, guaranteeing end-to-end compliance with security, privacy and other regulatory requirements, and supporting DevSecOps across the entire enterprise.
Malcolm Isaacs
Solutions Marketing Manager, Application Delivery Management, Micro Focus

Read The Top Tools to Support DevSecOps - Part 3, covering security and monitoring.
