Parasoft(link is external) is showcasing its latest product innovations at embedded world Exhibition, booth 4-318(link is external), including new GenAI integration with Microsoft Visual Studio Code (VS Code) to optimize test automation of safety-critical applications while reducing development time, cost, and risk.
The Top Tools to Support DevSecOps - Part 1
May 21, 2018
Today, cyber threats can come from so many directions, it is a daunting challenge to protect against them. Starting from the beginning, during the development stage, and following through to the operations stage is the comprehensive strategy that progressive organizations are adopting. This combination of DevOps and Security has earned the name DevSecOps.
The goal of DevSecOps is to make everyone in the software development life cycle responsible for security. While DevSecOps, much like DevOps itself, is more about changing IT culture and people's mindsets than employing certain types of technology, some tools can be an important support. But they have to be the right tools.
"Over the last five years, we have watched organizations attempt to achieve a complete security transformation by applying Band-Aids — such as the purchase of peripheral products or dismantling of solutions — only to find poor results and poor business alignment," said Matthew Shriner, VP, Security Professional Services, Micro Focus(link is external).
To find out what the right tools are, DEVOPSdigest asked experts from across the IT industry — from analysts and consultants to users and the top vendors — for their opinions on the top tools to support DevSecOps. Posted in 5 parts over the next two weeks, this list represents a cross-section of tools that can support your DevSecOps initiative, including development, DevOps, IT Ops and security tools. Part 1 covers the testing phase.
TEST AUTOMATION
DevSecOps is quickly becoming more mainstream as IT organizations continue to seek out solutions and tools to enable security testing in the development phase. While there is no magic do-it-all tool when it comes to security, bringing together DevOps and security through automated testing tools is a logical first step. Organizations are discovering how this "shift left" approach through automation can create repeatable and consistent processes to ensure a security standard, as new applications or processes are implemented. By building this kind of automation into your organization, you are enforcing the process without taking up extra resources or needing a separate security team.
Aruna Ravichandran
VP of DevOps Product and Solutions Marketing, CA Technologies(link is external)
SECURITY UNIT TESTING
In working with our customers it has become clear that application security testing must adapt to the continuous development cycle created by DevOps and CI/CD environments. By enabling developers to test early and often in the development lifecycle and integrating into the existing development toolchains, Security Unit Testing tools that scan for application security flaws in real time while developers are working support developers to achieve their goals while simultaneously enabling organizations to adopt DevSecOps, making secure code one more dimension of quality code.
Janet Worthington
Product Manager, CA Veracode(link is external)
APPLICATION SECURITY TESTING
The most important security tool for DevSecOps is the tool that is invisible to the DevOps programs main goal. DevOps main goal is to be flexible to change and to release software quickly. Security tools need to be part of the DevOps program but not in a way that changes the goals or timelines of the program itself. A few examples of these "invisible" or "non-intrusive" security tools are SAST (Static Application Security Testing) and IAST (Interactive Application Security Testing). Both SAST and DAST fit within the DevOps tool chain but provide security vulnerability information generated from the process as a side benefit to the actual goal of releasing software
Matt Rose
Global Director Application Security Strategy, Checkmarx(link is external)
The most critical tool in the DevSecOps pipeline is IAST (Interactive Application Security Testing). Legacy static and dynamic scanners are disruptive with both the time they take to run and the amount of false positives they generate. IAST layers on existing DevOps pipelines without changing anything about how code is written, built, tested, or deployed. Because IAST runs in the background during normal development, CI/CD, and QA activities, it's not disruptive. Instead of a 500 page PDF file, developers can get highly accurate, real time vulnerability telemetry through integrations with all the tools they are already using. Using IAST, organizations can accelerate and fully automate secure code delivery and deployment, without an extra security step. And security teams can step away from the critical deployment path and focus on more important issues like threat modeling, security architecture, and runtime protection.
Jeff Williams
Co-Founder and CTO, Contrast Security(link is external)
INTEGRATION TESTING
Bringing three disciplines together is fraught with challenges. It is critical to rapidly and effectively test integration points for functionality, operational efficiency, and security requirements. You can't really continuously deploy code, but you can continuously test. You need tools that enable the creation of testing environments, execution of test plans, and provide real-time feedback for all testing metrics. These tools also need to be able to validate deployments, identify when deployment issues arise, and reduce the mean-time-to-restore should you need to rollback unsuccessful code.
Tim Coats
Director of Applied Innovation, Trace3(link is external)
THREAT MODELING
The most important tool needed to support DevSecOps is adopting Security by Design Principles. In particular, threat modeling during the software development design phase is valuable because at this early stage time pressure is lower than during the test or release phases. One example of threat modeling is the STRIDE framework where each user story for development considers the risks of Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege. Adopting a scalable, repeatable, and collaborative threat modeling process that integrates with existing workflows provides an effective tool to manage risk and also provides a great way to spread knowledge within an organization.
Jose Casinha
Chief Information Security Officer, OutSystems(link is external)
OWASP
The most important tool to support DevSecOps is the Open Web Application Security Project's (OWASP) Top 10, a list of the most critical web application security risks. OWASP has been publishing this list since 2004, and shockingly, many of the same risks make the list year after year. Simply raising awareness of these risks among everyone involved in creating software (not just within a separate security team) is a great first step to changing the culture around security — and DevSecOps is first and foremost a cultural change.
Tim Buntel
DevOps Advocate, XebiaLabs(link is external)
Read The Top Tools to Support DevSecOps - Part 2, covering DevOps and the SDLC.
Industry News
March 06, 2025
JFrog announced general availability of its integration with NVIDIA NIM microservices, part of the NVIDIA AI Enterprise software platform.
March 06, 2025
CloudCasa by Catalogic announce an integration with SUSE® Rancher Prime via a new Rancher Prime Extension.
March 05, 2025
MacStadium(link is external) announced the extended availability of Orka(link is external) Cluster 3.2, establishing the market’s first enterprise-grade macOS virtualization solution available across multiple deployment options.
March 05, 2025
JFrog is partnering with Hugging Face, host of a repository of public machine learning (ML) models — the Hugging Face Hub — designed to achieve more robust security scans and analysis forevery ML model in their library.
March 05, 2025
Copado launched DevOps Automation Agent on Salesforce's AgentExchange, a global ecosystem marketplace powered by AppExchange for leading partners building new third-party agents and agent actions for Agentforce.
March 05, 2025
Harness completed its merger with Traceable, effective March 4, 2025.
March 04, 2025
JFrog released JFrog ML, an MLOps solution as part of the JFrog Platform designed to enable development teams, data scientists and ML engineers to quickly develop and deploy enterprise-ready AI applications at scale.
March 04, 2025
Progress announced the addition of Web Application Firewall (WAF) functionality to Progress® MOVEit® Cloud managed file transfer (MFT) solution.
March 04, 2025
Couchbase launched Couchbase Edge Server, an offline-first, lightweight database server and sync solution designed to provide low latency data access, consolidation, storage and processing for applications in resource-constrained edge environments.
March 04, 2025
Sonatype announced end-to-end AI Software Composition Analysis (AI SCA) capabilities that enable enterprises to harness the full potential of AI.
March 03, 2025
Aviatrix® announced the launch of the Aviatrix Kubernetes Firewall.
March 03, 2025
ScaleOps announced the general availability of their Pod Placement feature, a solution that helps companies manage Kubernetes infrastructure.
March 03, 2025
Cloudsmith raised a $23 million Series B funding round led by TCV, with participation from Insight Partners and existing investors.
February 27, 2025
IBM has completed its acquisition of HashiCorp, whose products automate and secure the infrastructure that underpins hybrid cloud applications and generative AI.
