IBM announced IBM Test Accelerator for Z, a solution designed to revolutionize testing on IBM Z, a tool that expedites the shift-left approach, fostering smooth collaboration between z/OS developers and testers.
DEVOPSdigest asked experts from across the IT industry — from analysts and consultants to users and the top vendors — for their opinions on the top tools to support DevSecOps. Part 4 covers code and data.
Start with The Top Tools to Support DevSecOps - Part 1
Start with The Top Tools to Support DevSecOps - Part 2
Start with The Top Tools to Support DevSecOps - Part 3
CONFIGURATION MANAGEMENT
The DevOps and security relationship is not, to put it delicately, without its complications. Even seemingly simple tasks can put the two camps on opposite sides. But there is one area both disciplines can get behind: configuration management. Security professionals know how misconfigurations create huge security holes. And DevOps professionals see configuration management as nothing more than a necessary evil. So configuration management gets my vote as the top DevSecOps priority, as many of the recent data leaks in public clouds have been attributed to misconfiguration of cloud resources. Not all cloud security solutions are equally adept at config management, so look for solutions that continually monitor configurations, compare results to best practices, especially security best practices, and integrate configuration as part of a broader and more comprehensive cloud security approach.
Sanjay Kalra
Founder & Chief Product Officer, Lacework
SELF-PROVISIONED PRIVATE CLOUD
DevSecOps teams need immediate access to resources so they can engage in agile software development, but their IT departments are concerned about controlling the cost of public clouds and controlling access and security. The solution is a self-provisioned private cloud that gives each developer his/her own set of tools, making it possible for individual developers to create customized DevOps workbenches with single-click application and resource provisioning. With this solution, DevOps teams get the agile development platform they need while the IT department regains control over spending and security.
Kamesh Pemmaraju
VP Product Management, ZeroStack
CODE ANALYSIS SCANNER
With an ever-faster cycle time from idea to production, and engineers using an increasing number of open source components in their software, you need a tool for scanning third-party libraries. This is vital for avoiding the use of wrong license types. As more and more small changes move to production, embedding static code analysis scanners in your daily pipelines helps you avoid pushing insecure software forward and speeds the feedback cycle to your engineers.
Andreas Prins
VP of Product Development, XebiaLabs
CODE LEVEL ANALYSIS TOOLS
DevSecOps is all about "shift-left", simply said, that means trying to avoid procrastination in security governance. That's why code-level analysis tools, enabling "white-box" testing by examining static code for vulnerabilities, should be seriously considered. As a matter of fact, the sooner vulnerabilities are detected the lower cost of fixing will be.
Yann Guernion
Product Marketing Director, Workload Automation, CA Automation
SOURCE CODE CONTROL
A robust, extensible system for source code control cannot be overemphasized. Your application code, your infrastructure code, all your important stuff is in one place, even if it is constantly changing. This provides a one-stop shop for all your security automation needs, very early on in the development process, where potential vulnerabilities are easier and cheaper to fix. Really, it's not just one tool. There is never One Thing that solves all (or even most!) of your problems. The real benefit is the capacity to run and maintain multiple tools as well as the ability to glue commercial tools together with custom code to make it all work for your specific environment.
Doug DePerry
Director, Product Security, Datadog
CODE REPOSITORY
The most important tool that an organization needs to support DevSecOps is a code repository because security, like all other aspects of DevOps should be managed as code.
Reuven Harrison
CTO and Co-founder, Tufin
POLICY AS CODE
In order to implement DevSecOps effectively, you need to automate cloud security and compliance at scale, and throughout the lifecycle. To do this, your policies must be expressed as source-controlled policy-as-code, and that code must be enforced before deployment, and all the way through the lifecycle. Manual checklists and audits are insufficient to govern fast-changing cloud infrastructure, and they bring significant risk due to human error. Enforcing policy only on provisioning opens you up to configuration drift, which is where most policy infractions occur. Policy-as-code enables true DevSecOps collaboration and provides the ability to automate security and compliance enforcement for the entire cloud infrastructure lifecycle, from design to provisioning to ongoing operations.
Josh Stella
CEO, Fugue
SECRETS MANAGEMENT
When compiling a list of the most important DevSecOps tools, it is essential to look back at recent high-profile breaches — where AWS access keys, API keys, passwords or other secrets were stolen. These breaches highlight the need for security and more specifically, secrets management, to play a more prominent part of the DevOps tool discussion. Secrets grant access to machines that contain valuable data and allow attackers to spread a breach. Tools that focus on secret management are key to securing DevOps. Ultimately, the most important DevSecOps tools are those that easily allow companies to identify and remove exposed secrets — making applications more secure without disrupting DevOps workflows or velocity.
John Walsh
Technology Evangelist, CyberArk
DATA MASKING
DevSecOps is about to encounter a major challenge and, as a direct consequence, a data masking solution will become the essential tool many organizations will need. The challenge is the General Data Protection Regulation (GDPR) which introduces new rules about data privacy for any organization holding the personal data of European citizens, and increased penalties for non-compliance. The outcome will be a change in the way databases are developed because many organizations use copies of production databases in development and testing to ensure changes are not breaking changes.
Personal data in those copies will now need to be masked using measures like pseudonymization, encryption, anonymization and aggregation. Static data masking tools will give organizations the ability to meet the new expectations for data privacy while at the same time retaining the advantages of applying DevOps principles and practices to database development. This is true DevSecOps at work.
Simon Galbraith
CEO & Co-Founder, Redgate
DATA MANAGEMENT
The tool that is able to search, enrich and create useful information out of the petabytes of data that is being generated is the most important tool to support DevSecOps. Nobody seems to realize that one data source can be valuable for both Dev, Sec and Ops.That tool doesn't need to store all the data per se but it should at least be able to get it if needed.
Coen Meerbeek
Online Performance Consultant and Founder of Blue Factory Internet
Read The Top Tools to Support DevSecOps - Part 5, the last installment, offering some final thoughts about "tools" that are not necessarily technology.
Industry News
StreamNative launched Ursa, a Kafka-compatible data streaming engine built on top of lakehouse storage.
GitKraken acquired code health innovator, CodeSee.
ServiceNow introduced a new no‑code development studio and new automation capabilities to accelerate and scale digital transformation across the enterprise.
Security Innovation has added new skills assessments to its Base Camp training platform for software security training.
CAST introduced CAST Highlight Extensions Marketplace — an integrated marketplace for the software intelligence product where users can effortlessly browse and download a diverse range of extensions and plugins.
Red Hat and Elastic announced an expanded collaboration to deliver next-generation search experiences supporting retrieval augmented generation (RAG) patterns using Elasticsearch as a preferred vector database solution integrated on Red Hat OpenShift AI.
Traceable AI announced an Early Access Program for its new Generative AI API Security capabilities.
StackHawk announced a new integration with Microsoft Defender for Cloud to help organizations build software more securely.
MacStadium announced that it has obtained Cloud Security Alliance (CSA) Security, Trust & Assurance Registry (STAR) Level 1, meaning that MacStadium has publicly documented its compliance with CSA’s Cloud Controls Matrix (CCM), and that it joined the Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment.
The Cloud Native Computing Foundation® (CNCF®) released the two-day schedule for CloudNativeSecurityCon North America 2024 happening in Seattle, Washington from June 26-27, 2024.
Sumo Logic announced new AI and security analytics capabilities that allow security and development teams to align around a single source of truth and collect and act on data insights more quickly.
Red Hat is announcing an optional additional 12-month EUS term for OpenShift 4.14 and subsequent even-numbered Red Hat OpenShift releases in the 4.x series.
HAProxy Technologies announced the launch of HAProxy Enterprise 2.9.
ArmorCode announced the general availability of AI Correlation in the ArmorCode ASPM Platform.