2020-08-23T18:24:00Z
Rony_Sklar - PeerSpot reviewer
Community Manager at PeerSpot (formerly IT Central Station)

What tools do you rely on for building a DevSecOps pipeline?

What are the different types of tools that should be used together in DevSecOps?

What are the specific tools that you like to use when working on your DevSecOps pipeline? 

What is essential, and what is a nice-to-have? 

6 Answers
Thomas Ryan - PeerSpot reviewer
Founder at Saltworks Security
User
Top 5
2021-06-01T01:05:36Z

Everything in technology focuses on People, Process & Technology. What binds these together is business requirements and understanding the needs of each Line of Business. Often each Line of Business has completely different requirements, but which tools help you meet that unified vision and provide the executive dashboard reporting to measure your KPIs?

  1. Code Repos – GitHub, GitLab
  2. Build Servers – Azure DevOps, Jenkins, Bamboo, TeamCity
  3. Code Quality – SonarQube
  4. Software Composition Analysis (SCA) – Sonatype (Fortify integration), Snyk & BlackDuck
  5. Static Analysis (SAST) – Fortify On-Premise, Fortify OnDemand (or Hybrid); Checkmarx (fills the Apex, Perl, Groovy, etc. gap that Fortify doesn't cover)
  6. Infrastructure as Code (IaC) – Aqua Security
  7. IAST – Not widely adopted due to agent limitations.
  8. DAST – WebInspect
     1. ScanCentral provides the most automation and scalability
     2. Highly flexible API for automation
  9. Metric Reporting – SaltMiner (Saltworks Security), Fortify SSC, Fortify OnDemand
  10. IDE (Eclipse, Visual Studio, JetBrains) – Fortify
  11. Continuous Monitoring – BitDiscovery

Why so much Fortify? It has been around 17 years; while it is old, it is constantly evolving. It is the only hybrid (cloud & on-premise) solution, and it provides the flexibility needed by most customers. There is a reason why over 50% of Cigital's (Synopsys) business is managing Fortify and not the Synopsys tool suite. Deloitte, Accenture, IBM & Saltworks make a lot of money managing Fortify. One thing you won't hear from Gartner: Fortify SAST & DAST surpass their competitors' revenue by over 70%.

Vishal-Goyal - PeerSpot reviewer
Chief Architect at Persistent Systems
Real User
Top 5 Leaderboard
2021-05-31T09:29:13Z

I believe we need to cover the SDLC from start to end as much as possible, while ensuring that this does not mean too many dashboards, and also keeping the cost of development in mind.


1. IDE Checks: This is the first step in the shift-left approach. Many open source tools integrate easily with IDEs (VSC, Eclipse, etc.) and allow developers to run a check even before they commit code to a local branch. We have leveraged SonarLint (https://www.sonarlint.org/), which covers a vast spectrum of programming languages and IDEs.


2. SAST: Many open source tools are available in this space which check for security vulnerabilities, security hotspots, etc. We use SonarQube.


3. SCA: Checking against open source security vulnerabilities and license compliance is very important. WhiteSource is what we use here.


4. IaC scan: We need tools to manage and analyze infrastructure as code (IaC) scan results across platforms and be able to resolve the issues.


5. Monitoring: Once the application is deployed into production, we need tools to monitor it live and be able to check for vulnerabilities and other issues which happen when hundreds of users are using the application from across the globe.


There are other areas like DAST, IAST which become important depending on size, complexity and business needs.
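Both the answer above and Thomas Ryan's list end at the same place: many scanners (SAST, SCA, IaC) feeding one set of metrics and one pass/fail decision, without a dashboard per tool. The following is an added example, not code from any of the answers or from the vendors they name. It assumes (hypothetically) that each scanner in the pipeline is configured to emit SARIF 2.1.0, which most modern SAST/SCA/IaC scanners can do, and that the CI job merges those files and calls one `evaluate_gate()` policy. The function names, the `sast-scanner`/`sca-scanner` tool names and the `VULN-EXAMPLE-001` rule are placeholders, and the SARIF documents are constructed sample data, not real scanner output.

```python
"""Single policy gate over SARIF output from several scanners (added example).

Assumed, hypothetical layout: the CI pipeline runs SAST, SCA and IaC scanners,
each writes SARIF 2.1.0, and the job fails the build from the merged result.
"""
import json
import sys
from collections import Counter
from dataclasses import dataclass, field

# SARIF "level" mapped to a numeric severity. When a rule carries the
# "security-severity" property (a CVSS-like 0-10 score, as GitHub code scanning
# uses) it takes precedence, so a "warning"-level CVE scored 9.1 still blocks.
LEVEL_SEVERITY = {"error": 7.0, "warning": 4.0, "note": 1.0, "none": 0.0}


@dataclass
class GateResult:
    passed: bool
    blocking: list = field(default_factory=list)      # (tool, ruleId, location, severity)
    counts: Counter = field(default_factory=Counter)  # non-suppressed findings per tool
    suppressed: int = 0


def _severity(run, rule_id, result_level):
    """Severity for one result: rule's security-severity, else its level."""
    rules = run.get("tool", {}).get("driver", {}).get("rules", [])
    rule = next((r for r in rules if r.get("id") == rule_id), {})
    score = rule.get("properties", {}).get("security-severity")
    if score is not None:
        return float(score)
    level = result_level or rule.get("defaultConfiguration", {}).get("level", "warning")
    return LEVEL_SEVERITY.get(level, LEVEL_SEVERITY["warning"])


def _location(result):
    """'uri:line' of the first physical location, or '?:0' when absent."""
    loc = (result.get("locations") or [{}])[0].get("physicalLocation", {})
    uri = loc.get("artifactLocation", {}).get("uri", "?")
    return f"{uri}:{loc.get('region', {}).get('startLine', 0)}"


def evaluate_gate(sarif_docs, threshold=7.0, allowlist=()):
    """Fail when any non-suppressed finding has severity >= threshold.

    allowlist: (ruleId, 'uri:line') pairs a human has reviewed and accepted,
    e.g. read from a file versioned next to the code. Suppressions recorded by
    the scanner itself (SARIF 'suppressions') are honoured as well.
    """
    result = GateResult(passed=True)
    allow = set(allowlist)
    for doc in sarif_docs:
        for run in doc.get("runs", []):
            tool = run["tool"]["driver"]["name"]
            for res in run.get("results", []):
                rule_id = res.get("ruleId", "unknown")
                where = _location(res)
                if res.get("suppressions") or (rule_id, where) in allow:
                    result.suppressed += 1
                    continue
                result.counts[tool] += 1
                sev = _severity(run, rule_id, res.get("level"))
                if sev >= threshold:
                    result.blocking.append((tool, rule_id, where, sev))
    result.passed = not result.blocking
    return result


def load_sarif(paths):
    """Read SARIF files produced by the scanners (paths come from the CI job)."""
    return [json.load(open(p, encoding="utf-8")) for p in paths]


def _loc(uri, line):
    return {"physicalLocation": {"artifactLocation": {"uri": uri},
                                 "region": {"startLine": line}}}


# Constructed sample documents (not real scanner output). Rule and tool names
# are placeholders; VULN-EXAMPLE-001 stands in for a real vulnerability ID.
SAMPLE_SAST = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "sast-scanner", "rules": [
        {"id": "sql-injection", "defaultConfiguration": {"level": "error"},
         "properties": {"security-severity": "8.8"}},
        {"id": "hardcoded-secret", "defaultConfiguration": {"level": "warning"},
         "properties": {"security-severity": "9.1"}},
        {"id": "unused-import", "defaultConfiguration": {"level": "note"}}]}},
    "results": [
        {"ruleId": "sql-injection", "level": "error", "locations": [_loc("src/db.py", 42)]},
        {"ruleId": "hardcoded-secret", "level": "warning", "locations": [_loc("src/config.py", 7)]},
        {"ruleId": "unused-import", "locations": [_loc("src/util.py", 1)]},
        {"ruleId": "sql-injection", "level": "error", "locations": [_loc("tests/fixtures.py", 3)],
         "suppressions": [{"kind": "inSource"}]}]}]}
SAMPLE_SCA = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "sca-scanner", "rules": [
        {"id": "VULN-EXAMPLE-001", "properties": {"security-severity": "10.0"}}]}},
    "results": [{"ruleId": "VULN-EXAMPLE-001", "level": "warning",
                 "locations": [_loc("pom.xml", 1)]}]}]}

if __name__ == "__main__":
    docs = load_sarif(sys.argv[1:]) if len(sys.argv) > 1 else [SAMPLE_SAST, SAMPLE_SCA]
    gate = evaluate_gate(docs)
    for tool, n in sorted(gate.counts.items()):
        print(f"{tool}: {n} finding(s)")
    for tool, rule, where, sev in gate.blocking:
        print(f"BLOCK {sev:>4} {tool} {rule} at {where}")
    print(f"suppressed: {gate.suppressed}; gate {'PASSED' if gate.passed else 'FAILED'}")
    sys.exit(0 if gate.passed else 1)
```

Run without arguments it evaluates the constructed sample and exits 1, since three findings reach the 7.0 threshold: the `hardcoded-secret` result is only "warning" level but carries a 9.1 score, which is exactly the case a level-only gate would miss. Per-tool counts and the suppression count are what the executive dashboard would consume; the allowlist keyed on rule and location, rather than on rule alone, keeps a reviewed false positive from silently accepting the same rule firing elsewhere.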

RS
Transformation Leader at TEKsystems (ex Aston Carter)
Real User
Leaderboard
2021-05-31T07:28:35Z

It depends on the budget, business and technology portfolio of the enterprise. 


If you have a predominantly web-based, service architecture-oriented technology portfolio, the Veracode set of tools (Greenlight, Veracode SAST, Veracode DAST) is a good option. Veracode is good if you have an enterprise-level DevSecOps transformation. But Veracode may not work well for legacy systems.


I have also used Micro Focus Fortify effectively. Just on SCA, I prefer the universally used SonarQube with standard plugins, as it is easy to use. All these tools are easy to integrate into a DevSecOps application pipeline.

SA
Director, Digital Architecture at a pharma/biotech company with 10,001+ employees
Real User
2021-06-01T11:48:30Z

The detailed answers below are a good summary. How are teams pulling all these tools together and orchestrating them in terms of agile stories and feedback loops? Azure DevOps, JIRA, ServiceNow, other?

JV
CEO & Co-Founder at a computer software company with 11-50 employees
User
2020-08-24T13:01:40Z

Depends on budget and the larger approach to security, compliance, and risk. There are many solutions and approaches out there, but many limit the ability to scale DevSecOps beyond an experiment and to justify it to business leaders. Standard response: SCA, SAST, DAST, IAST. Many of these tools are disconnected and some slow down performance quite a bit, especially your traditional household names. What are your goals and what are your constraints to developing a program?

Giorgio Riva - PeerSpot reviewer
Technical Director at Quence srl
User
2020-08-24T07:33:04Z

Hi, we think that a tool for applying static analysis technologies for code quality and security is essential.
