I believe we need to cover the SDLC from start to end as much as possible, while ensuring that this does not mean too many dashboards and also keeping the cost of development in mind.
1. IDE checks: This is the first step in a shift-left approach. Many open source tools integrate easily with IDEs (VSC, Eclipse, etc.) and allow developers to run a check even before they commit code on a local branch. We have leveraged SonarLint (https://www.sonarlint.org/), which covers a vast spectrum of programming languages and IDEs.
2. SAST: Many open source tools are available in this space which check for security vulnerabilities, security hotspots, etc. We use SonarQube.
3. SCA: Checking against open source security vulnerabilities and license compliance is very important. WhiteSource is what we use here.
4. IaC scan: We need tools to manage and analyze infrastructure as code (IaC) scan results across platforms and be able to resolve the issues.
5. Monitoring: Once the application is deployed into production, we need tools to monitor it live and be able to check for vulnerabilities and other issues which happen when hundreds of users are using the application from across the globe.
There are other areas like DAST and IAST which become important depending on size, complexity and business needs.
It depends on the budget, business and technology portfolio of the enterprise.
If you have a predominantly web-based and service architecture-oriented technology portfolio, the Veracode set of tools (Greenlight, Veracode SAST, Veracode DAST) is a good option. Veracode is good if you have an enterprise-level DevSecOps transformation. But Veracode may not work well for legacy systems.
I have also used Micro Focus Fortify effectively. Just on SCA, I prefer the universally used SonarQube with standard plugins, as it is easy to use. All these tools are very easy to integrate into a DevSecOps application pipeline.
Everything in technology focuses on People, Process & Technology. What binds these together is business requirements and understanding the needs of each Line of Business. Often each Line of Business has completely different requirements, but the question is what tools help you meet that unified vision and provide the executive dashboard reporting to measure your KPIs.
Why so much Fortify? It has been around 17 years; while it is old, it is constantly evolving. It is the only hybrid (cloud and on-premise) solution, and it provides the flexibility needed for most customers. There is a reason why over 50% of Cigital (Synopsys) business is managing Fortify and not the Synopsys tool suite. Deloitte, Accenture, IBM & Saltworks make a lot of money managing Fortify. One thing you won't hear from Gartner: Fortify SAST & DAST surpass their competitors' revenue by over 70%.
CEO & Co-Founder at a computer software company with 11-50 employees
Aug 24, 2020
Depends on budget and the larger approach to security, compliance, and risk. There are many solutions and approaches out there, but many limit the ability to scale DevSecOps beyond an experiment and justify it to business leaders. Standard response: SCA, SAST, DAST, IAST. Many of these tools are disconnected, and some slow down performance quite a bit, especially your traditional household names. What are your goals and what are your constraints to developing a program?
Director, Digital Architecture at a pharma/biotech company with 10,001+ employees
Jun 1, 2021
The detailed answers below are a good summary. How are teams pulling all these tools together and orchestrating in terms of agile stories and feedback loops? Azure DevOps, JIRA, ServiceNow, Other?
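As an added example, not from any post in this thread: one practical answer to the orchestration question is to have every pipeline tool (SAST, SCA, IaC scan) emit SARIF 2.1.0 and merge those files into a single summary and a single gate, so developers see one result instead of one dashboard per tool. The SARIF documents and tool names below are constructed placeholders, not real scanner output.

```python
import json
from collections import Counter

# Constructed SARIF 2.1.0 fragments standing in for a SAST run and an IaC scan.
SAMPLE_SARIF = [
    json.dumps({"runs": [{"tool": {"driver": {"name": "sast-scanner"}}, "results": [
        {"ruleId": "sql-injection", "level": "error", "locations": [
            {"physicalLocation": {"artifactLocation": {"uri": "app/db.py"}}}]},
        {"ruleId": "weak-hash", "level": "warning", "locations": [
            {"physicalLocation": {"artifactLocation": {"uri": "app/auth.py"}}}]}]}]}),
    json.dumps({"runs": [{"tool": {"driver": {"name": "iac-scanner"}}, "results": [
        {"ruleId": "s3-public-read", "level": "error", "locations": [
            {"physicalLocation": {"artifactLocation": {"uri": "infra/main.tf"}}}]},
        {"ruleId": "missing-tags", "level": "note", "locations": [
            {"physicalLocation": {"artifactLocation": {"uri": "infra/main.tf"}}}]}]}]}),
]


def normalize(sarif_text):
    """Flatten one SARIF document into (tool, rule, level, file) tuples."""
    rows = []
    for run in json.loads(sarif_text).get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name", "unknown")
        for res in run.get("results", []):
            loc = (res.get("locations") or [{}])[0]
            uri = loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri", "?")
            # SARIF allows "level" to be omitted (rule default applies); treat as warning.
            rows.append((tool, res.get("ruleId", "?"), res.get("level", "warning"), uri))
    return rows


def summarize(sarif_docs):
    """One roll-up across all tools: counts per tool, per level, and the blocking findings."""
    rows = [r for doc in sarif_docs for r in normalize(doc)]
    return {
        "total": len(rows),
        "by_tool": dict(Counter(r[0] for r in rows)),
        "by_level": dict(Counter(r[2] for r in rows)),
        "errors": [(r[0], r[1], r[3]) for r in rows if r[2] == "error"],
    }


def gate(summary, max_errors=0):
    """Single pipeline gate over the merged result instead of one gate per tool."""
    return len(summary["errors"]) <= max_errors


if __name__ == "__main__":
    s = summarize(SAMPLE_SARIF)
    print(json.dumps(s, indent=2))
    print("PASS" if gate(s) else "FAIL: %d blocking finding(s)" % len(s["errors"]))
```

The merged summary is what a ticketing integration (Jira, Azure DevOps, ServiceNow) would consume, one story per blocking finding rather than one per tool report.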
Hello community,
I work for a small computer software company.
With all the CPIs you keep track of across your cybersecurity program, how are you keeping track and reporting on the value?
Thank you.
Information Technology Infrastructure Specialist at TLIC
Apr 25, 2023
Come on guys, the correct answer to this is the Microsoft Admin Portal and your Azure Admin and the Security and Compliance centers. Everyone wants to buy new SaaS when most of the Controls and Safeguards are built into MS. Steven Palange, steven_palange@tlic.com reach out for any and all your SaaS renewals.
Cybersecurity Architect at a manufacturing company with 10,001+ employees
Apr 26, 2023
For small companies, utilize the tooling you already have in place, like MS Office or the Atlassian Suite, etc. Ultimately, as you grow towards enterprise scale, Archer and ServiceNow (Governance, Risk, Compliance) can help with everything from compliance workflow to tracking incident response. As a Cyber Architect in a corporate Fortune 500, we use a medley of integrations with our SIEM and vulnerability tool, and all the collected data can be accessed by Tableau to generate a dynamic web graph. When you start tracking vulnerabilities and incidents, the data you accumulate can be expressed in your appropriate CPI. If you lack data for a particular CPI, then you may have a gap in your cyber program.
Regional Manager/ Service Delivery Manager at a tech services company with 201-500 employees
Feb 19, 2023
Hi, some of the best cloud compliance reporting tools are as below:
* Checkpoint CloudGuard Dome9
* Nutanix Xi Beam
* Qualys Cloud Platform
* Sophos Cloud Optix
* Symantec Control Compliance Suite
There is probably no single tool that can completely unify cloud compliance reporting across all cloud providers and compliance frameworks. That's a pretty big ask (but a good one).
But there are, of course, tools that streamline compliance reporting and make the process easier to manage across multiple cloud environments and compliance standards. These compliance management platforms can help identify compliance gaps, enforce policies, and generate compliance reports.
Prisma Cloud enables you to monitor, view, and report on cloud infrastructure health and your compliance posture. You can create reports with both summary and detailed findings of security and compliance risks and it also offers a Compliance Dashboard and the ability to create custom compliance standards.
Check Point CloudGuard Posture Management looks to automate conformance to regulatory requirements and security best practices. It provides compliance posture management for AWS, Azure, Google Cloud, Alibaba Cloud, and Kubernetes and claims to reference over 50 compliance frameworks. It also enables customization of cloud compliance with its proprietary Governance Specification Language.
Touting 65 out-of-the-box frameworks, CIS Benchmarks, and custom compliance checks, Orca Security is an agentless solution that works across multiple cloud platforms. It exposes and prioritizes issues so that compliance gaps can be addressed strategically.
Another option is Chef Compliance, which leverages certified, curated audit and remediation content and aims to make sure assets are always in compliance with CIS benchmarks and DISA STIGs. It supports multiple cloud providers and compliance frameworks.
Perhaps lesser-known, CloudCheckr helps maintain security and compliance in the cloud and monitors cloud infrastructure against dozens of standards including PCI DSS, HIPAA, CIS, and NIST.
Cloud One - Conformity, from Trend Micro, works toward security, compliance, and governance of cloud infrastructure with real-time monitoring and auto-remediation features for AWS, Microsoft Azure, and Google Cloud.
Hi, we think that a tool for applying static analysis technologies for code quality and security is essential.