Because of DevOps' agile, continuous, and fast nature, building in security is essential, but many organizations struggle to do so. While that struggle is often a cultural lack of organizational priority, or even a process challenge, good tools can help enterprises put the Sec in DevOps. These tools help keep security embedded within DevOps organizations by putting developers, operations teams, and security teams on the same page when it comes to managing risks.
The need for DevSecOps is growing, fueled by the rapid expansion of custom code development. Emergen Research estimates the demand for DevSecOps tools will grow from $2.55 billion in 2020 to just over $23 billion by 2028. Below is a roundup of some of the most important tools in the core DevSecOps categories.
DevOps moves fast, so the ability to secure these organizations must be just as fast, and what can't be prevented must be met with a rapid response. The tools in this section help keep developers, security, and operations teams informed so they can respond to trouble at speed.
There's often a lot of overlap in DevSecOps tools, which is why some of these tools focus on alerting while others provide additional capabilities, such as workflow tracking and remediation. What's important is finding the alerting tools that fit your organization for managing alerts about the events that arise and the vulnerabilities discovered within the development pipeline.
Many operations and development teams already rely on PagerDuty, or tools like it, to manage events within their environments. When it comes to DevSecOps, PagerDuty can loop security teams in on the security-related events within the pipeline, and it integrates with other security tools, such as cloud security tools, vulnerability managers, and security information and event management (SIEM) systems that also monitor the broader environment. This helps make security everyone's job.
Ever since the first security incident and intrusion detection tools issued alerts, security and operations teams have been flooded with alerts. Tools like xMatters try to divert most of the flood of data and mitigate alert fatigue by enabling teams to focus on notifications that matter to them. Thresholds and triggers can be set to filter alerts, certain alerts can trigger an automated response, and alerts for certain events can be correlated, so that one incident doesn’t trigger 300 notifications.
DevSecOps teams need alerts from everywhere, and tools like Alerta can accept alerts from the usual sources (Syslog, SNMP, Prometheus, Nagios, Zabbix, Sensu, netdata, or any tool that can issue a URL request) as well as from scripts written in languages such as Python. Alerts can be deduplicated, correlated, and customized.
ElastAlert is an open-source tool that provides a framework for receiving alerts in near real-time on security anomalies, spikes and other patterns from Elasticsearch data. It queries Elasticsearch and compares the data against a set of rules. When a match occurs, ElastAlert issues alerts with recommended actions.
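The two mechanisms described above for xMatters and ElastAlert, folding repeated events into one incident (deduplication and correlation) and firing only when a frequency threshold is crossed inside a time window, are small enough to show end to end. The following is an added example written for this article; it is not code from xMatters, Alerta or ElastAlert, and the event fields, rule shape, host names and the sample event stream are all constructed for illustration.

```python
"""Added example: a minimal alert correlator showing deduplication, correlation
into incidents, and a frequency threshold rule (not vendor code; all names and
sample data are constructed)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    """Constructed event shape; real tools have their own schemas."""
    ts: datetime
    host: str
    signature: str  # what happened, e.g. "ssh_failed_login"


@dataclass
class Incident:
    key: Tuple[str, str]  # (host, signature) is the correlation key
    first_seen: datetime
    last_seen: datetime
    count: int = 1        # raw events folded into this incident
    suppressed: int = 0   # notifications not sent thanks to deduplication


@dataclass
class FrequencyRule:
    """Fire when num_events matching events on one host land inside timeframe."""
    signature: str
    num_events: int
    timeframe: timedelta


class AlertCorrelator:
    def __init__(self, dedup_window: timedelta, rules: List[FrequencyRule]):
        self.dedup_window = dedup_window
        self.rules = rules
        self.open: Dict[Tuple[str, str], Incident] = {}
        self.history: List[Incident] = []
        self._matches: Dict[tuple, List[datetime]] = defaultdict(list)
        self.notifications: List[str] = []

    def ingest(self, event: Event) -> None:
        key = (event.host, event.signature)
        inc = self.open.get(key)
        if inc is None or event.ts - inc.last_seen > self.dedup_window:
            # First sighting, or the previous incident went quiet: notify once.
            inc = Incident(key=key, first_seen=event.ts, last_seen=event.ts)
            self.open[key] = inc
            self.history.append(inc)
            self.notifications.append(f"NEW {event.signature} on {event.host}")
        else:
            # Same signature, same host, still inside the window: fold it in silently.
            inc.count += 1
            inc.suppressed += 1
            inc.last_seen = event.ts
        self._check_frequency(event, key)

    def _check_frequency(self, event: Event, key: Tuple[str, str]) -> None:
        for idx, rule in enumerate(self.rules):
            if rule.signature != event.signature:
                continue
            window = self._matches[(idx,) + key]  # one sliding window per rule and host
            window.append(event.ts)
            cutoff = event.ts - rule.timeframe
            window[:] = [t for t in window if t >= cutoff]  # drop expired matches
            if len(window) >= rule.num_events:
                self.notifications.append(
                    f"THRESHOLD {event.signature} on {event.host}: "
                    f"{len(window)} events in {rule.timeframe}")
                window.clear()  # re-arm so a sustained burst alerts once per window


def make_sample_events() -> List[Event]:
    """Constructed sample stream: a 60-second burst of failed SSH logins on web-01,
    one scanner finding on db-01, and one more failed login 20 minutes later."""
    t0 = datetime(2022, 1, 1, 12, 0, 0)
    events = [Event(t0 + timedelta(seconds=i), "web-01", "ssh_failed_login")
              for i in range(60)]
    events.append(Event(t0 + timedelta(seconds=30), "db-01", "vuln_found"))
    events.append(Event(t0 + timedelta(minutes=20), "web-01", "ssh_failed_login"))
    return sorted(events, key=lambda e: e.ts)


def run_demo() -> AlertCorrelator:
    corr = AlertCorrelator(
        dedup_window=timedelta(minutes=5),
        rules=[FrequencyRule("ssh_failed_login", num_events=20,
                             timeframe=timedelta(minutes=1))],
    )
    for ev in make_sample_events():
        corr.ingest(ev)
    return corr


if __name__ == "__main__":
    c = run_demo()
    for n in c.notifications:
        print(n)
    print(f"{sum(i.count for i in c.history)} raw events -> "
          f"{len(c.notifications)} notifications")
```

With these settings the 62 raw events collapse to six notifications: one "NEW" per incident and three threshold alerts for the login burst, which is the kind of ratio the text has in mind when it says one incident should not produce 300 notifications. The dedup window and the rule's `num_events`/`timeframe` are the tuning knobs; set them too loosely and a slow, spread-out attack never crosses the threshold, so in practice they are chosen per signature.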
Secure application development
Shifting application security from something that is done after an application is built, or worse yet, after it’s shipped into production to the development process is central to DevSecOps. This requires developers to take more responsibility for the security of the code they develop, and security teams to help developers when necessary. Succeeding here requires the right software security assessment tools.
Checkmarx Static Application Security Testing
Checkmarx Static Application Security Testing (SAST) performs application source code scans that help development teams keep the code they commit secure. It integrates with development and application release orchestration tools found in development pipelines, build automation software, bug tracking systems and more. Unlike many traditional SAST tools, Checkmarx SAST can limit a scan to only new or changed code.
The Veracode Platform provides application security tools that fit right into a DevSecOps environment. Among these is Veracode Static Analysis, which vets code before it is compiled and helps developers fix code right in the integrated development environment (IDE). Another is Veracode Software Composition Analysis (SCA), which helps identify vulnerabilities in open-source components.
Burp Suite Enterprise Edition
Burp Suite Enterprise Edition by PortSwigger can perform automatic, recurring dynamic scans across applications. Its pre-built integrations for continuous integration pipelines, support for Jira, and its API help developers integrate security testing into their existing software development processes.
Synopsys offers several application security testing tools including Coverity, a SAST tool that automates testing and integrates into continuous integration/continuous delivery (CI/CD) pipelines; Black Duck, a software composition analysis (SCA) tool designed to detect and manage risks that come from the use of open source and third-party code in applications and containers; Seeker IAST (Interactive Application Security Testing), which identifies runtime security vulnerabilities that could expose sensitive data; and managed services for application security testing.
Parasoft offers automated tools to perform application development security testing. These include Parasoft C/C++test to identify defects early in development, Parasoft Insure++ to find erratic programming and memory-access errors, Parasoft Jtest for Java software development testing and Parasoft dotTEST to complement Visual Studio tools with deep static analysis.
DevSecOps dashboards: Security visibility into continuous development pipelines
Dedicated DevSecOps dashboards enable the graphic viewing and sharing of security information from the outset of the development process out through production. While other DevSecOps tools provide dashboards, these applications are dedicated to custom dashboard creation and some teams will find them invaluable.
Grafana is an open-source analytics platform that enables the creation of custom dashboards to aggregate relevant data so that it can be visualized and queried. If building a dashboard from scratch sounds like a chore, there are many community-built dashboards available on the site.
For organizations that use Elasticsearch, open-source Kibana integrates thousands of log entries into a unified graphical view of operational data, time series analytics, application monitoring and more.
Threat modeling: Predicting the threats that target applications
Threat modeling tools help security teams to define, identify and hopefully accurately anticipate the threats that could target applications and predict just how they may be targeted. This way, design and development teams can avoid potentially costly or even disastrous security outcomes before the first line of code is even written. Some tools automatically build threat models from information users provide about their systems and applications and then generate a visual interface that helps teams to explore the threats and their potential impacts.
IriusRisk is a cloud or on-premises application that automates risk and requirement analyses. It also designs threat models and technical security requirements using a questionnaire-based interface and helps manage the code-building and security-testing phases.
ThreatModeler is an automated threat modeling system that analyzes data and identifies potential threats across the entire attack surface based on available threat intelligence. It provides visualizations of the attack surface, security requirements, and prioritized steps to mitigate threats.
OWASP Threat Dragon
This open-source, web-based tool offers system diagramming and a rules engine to automatically model and mitigate threats. Threat Dragon boasts an easy-to-use interface and seamless integration with other software development lifecycle (SDLC) tools.
Other DevSecOps tools to consider
The following DevSecOps tools include features and capabilities offered by tools in the categories above but are different in varying ways.
Open-source Chef InSpec automates security tests at every development stage to help ensure compliance, security and other policy requirements; the tests can be run against traditional servers, containers, and cloud APIs.
Another open-source option, Gauntlt is a popular testing framework designed to enable easy security testing and communication between security, development, and operations teams. Gauntlt promises easy attack generation for testing and the ability to easily hook into existing tools and processes.
Red Hat Ansible Automation
This tool includes three modules — Ansible Tower, Ansible Engine and Red Hat Ansible Network Automation. Each can be used individually or combined and automated together. Though not exclusively a security tool, Ansible Automation enables teams to define security rules within their secure software development pipeline.
Billed as "IFTTT [if this then that] for Ops," open-source StackStorm offers event-driven automations that provide scripted remediations and responses when security flaws are detected, plus continuous deployment, ChatOps optimization and more.
Designed to manage security across an entire development pipeline and runtime environment, Aqua supports containers and cloud-native applications across all platforms and clouds.
GitLab builds DevSecOps into the development process. It promises to test every piece of code upon commit, enable developers to remediate security vulnerabilities while working in code, and provide a dashboard of all vulnerabilities.
Red Hat OpenShift
Red Hat OpenShift promises built-in security capabilities for container-based applications, such as role-based access controls, Security-Enhanced Linux (SELinux)-enabled isolation and checks throughout the container build process.
From Security Compass, SD Elements is an automation platform designed to collect information about software, identify threats and countermeasures and highlight relevant security controls to help enterprises achieve their security and compliance objectives.
Designed to address open-source vulnerabilities, WhiteSource can be integrated into the build process regardless of programming languages, build tools or development environments. WhiteSource continuously checks the security and licensing of open-source components using a constantly updated database of open-source repositories.
Copyright © 2022 IDG Communications, Inc.