28 DevSecOps tools for baking security into the development process

Catch and remediate application vulnerabilities earlier and help integrate security in the development process with these five categories of DevSecOps tools.

DevSecOps is the process of integrating security into the entire application development process — when there’s an ideal opportunity to fortify your app from the inside out against potential threats. DevSecOps is gaining traction because many organizations are developing applications frequently to satisfy customer or business partner demands, notes Michael Isbitski, senior director analyst, security technology and infrastructure at Gartner.

“Agile development methodologies and DevOps practices help them achieve this,” Isbitski explains. “Cloud-native application architecture has also become a significant contributor to the DevSecOps movement, which promotes use of public cloud providers, container technology and container platforms to provide the compute for applications.” DevSecOps integrates and automates security processes and tooling into the entire DevOps workflow, he adds, “so that it’s seamless and continuous, rather than the traditional approaches that were point-in-time and potentially disruptive.”

Given the continual rise and perniciousness of cybersecurity threats, it’s no wonder that the global DevSecOps market is expected to grow from $1.47 billion in 2018 to $13.63 billion by 2026, according to Data Bridge Market Research.

Making up that market is a wide variety of DevSecOps tools. Below is a roundup of tools in the core categories.

Alerts: Notifying developers of anomalies 

It can be too easy to miss security vulnerabilities when developing applications. The following DevSecOps tools provide developers with alerts and notifications about potential security anomalies and defects so they can investigate and fix before getting too far along in the process. Some tools such as open-source Alerta are dedicated to alerts, while others like Contrast Assess also have testing and other features.

Alerta: This open-source tool consolidates and deduplicates alerts from a variety of sources, providing a quick visualization. Alerta integrates with Prometheus, Riemann, Nagios, Cloudwatch and other monitoring/management services for developers. An alert API allows you to customize Alerta to your needs.

Contrast Assess: An interactive application security testing (IAST) tool, Contrast Assess integrates with your apps and works continually in the background to monitor code and alert you when a security flaw is discovered. It claims to allow non-security developers to identify and fix vulnerabilities on their own.

Contrast Protect: This runtime application self-protection (RASP) tool uses the same embedded agent as Contrast Assess. Contrast Protect looks for exploits and unknown threats in the production environment and reports them to a security information and event management (SIEM) console, firewall or other security tool.

ElastAlert: Another open-source tool, ElastAlert provides a framework for receiving alerts in near real-time on security anomalies, spikes and other patterns from Elasticsearch data. It queries Elasticsearch and compares the data against a set of rules. When a match occurs, ElastAlert issues alerts with recommended actions.

Automation: Discovering and remediating defects

Most DevSecOps tools offer some level of automation. The tools in this category automatically scan for, discover and remediate security defects in varying degrees, from if this, then that (IFTTT)-like event-driven automations to deep learning technology.

CodeAI: Designed to automatically find and fix security vulnerabilities in source code via deep learning technology, this tool claims to provide developers with a list of solutions to consider rather than simply a list of security problems. The vendor, QbitLogic, says it has “trained” CodeAI on millions of real-world bug-fix samples.

Parasoft tool suite: Parasoft offers a variety of automated tools that include application development security testing, including Parasoft C/C++test for identifying defects early in development, Parasoft Insure++ for finding erratic programming and memory-access errors, Parasoft Jtest for Java software development testing, and Parasoft dotTEST to complement Visual Studio tools with deep static analysis and advanced coverage.

Red Hat Ansible Automation: This tool includes three modules — Ansible Tower, Ansible Engine and Red Hat Ansible Network Automation — that can be used individually or together as agentless IT automation technology. Though not exclusively a security tool, Ansible Automation lets you define rules to determine what you consider secure for your software development projects.

StackStorm: Billed as “IFTTT for Ops,” this open-source tool offers event-driven automations that provide, among other things, scripted remediations and responses when security flaws are detected, continuous deployment and ChatOps optimization.

Veracode: This company offers a widely used set of automated security tools in DevSecOps environments. Veracode tools include Greenlight, which automatically scans code as it’s written; Developer Sandbox, which scans code in your sandbox for vulnerabilities; Software Composition Analysis (SCA), which identifies vulnerable components; and Static Analysis, which identifies application flaws.

Dashboards: Visibility into the development process

Dedicated DevSecOps dashboard tools allow viewing and sharing of security information from the beginning of development through operations in one graphical view. Keep in mind that some DevSecOps apps such as ThreatModeler and Parasoft also include dashboards. 

Grafana: This open-source analytics platform allows you to create custom dashboards that aggregate all relevant data to visualize and query security data. Don’t want to build your own dashboard? You might find what you need among the community-built dashboards available on its website.

Kibana: If you use Elasticsearch, this open-source tool integrates thousands of log entries into a unified graphical view of operational data, time series analytics, application monitoring and more.

Threat modeling: To identify and prioritize application risk 

Threat modeling DevSecOps tools are designed to identify, predict and define threats across the complete attack surface, so that you can make proactive security decisions. Some tools automatically build threat models from information users provide about their systems and applications and provide a visual interface to help security and non-security professionals explore threats and their potential impacts. 

IriusRisk:  This cloud or on-premise solution from Continuum Security automates risk and requirement analyses as well as the design of threat models and technical security requirements using a questionnaire-based interface. IriusRisk also lets you manage the code-building and security-testing phases.

ThreatModeler: This automated threat modeling system is available in both AppSec and cloud editions. After providing functional information about your applications or systems, ThreatModeler automatically analyzes the data and identifies potential threats across the entire attack surface based on updated threat intelligence.

OWASP Threat Dragon: An open-source, web-based tool that offers system diagramming and a rules engine for automatically modeling and mitigating threats,  Threat Dragon promises an easy-to-use interface and seamless integration with other software development lifecycle (SDLC) tools.

Testing: Find security flaws before go-live 

Testing applications in development for potential vulnerabilities is a critical element of DevSecOps, as it allows you to identify security flaws before they can be exploited. The following tools are particularly strong in application security testing, though other DevSecOps tools, such as those from Parasoft, often include testing capabilities.  

BDD-Security: This open-source framework from Continuum Security enables developers to test functional and non-functional security scenarios written in Behavior-Driven Development (BDD) language for an agile development process. The BDD-Security framework is designed so that security features are independent of application-specific navigation logic, enabling the same security requirements to be applied more easily to multiple applications.

Checkmarx CxSAST:  A SAST tool that can scan uncompiled/unbuilt source code across 25 coding and scripting languages and identify hundreds of security vulnerabilities early in the SDLC, CxSAST integrates with all Integrated Development Environments (IDEs) and is part of the Checkmarx Software Exposure Platform, which the company says builds security in through all DevOps stages, as well as its Interactive Application Security Testing (IAST) tool for detecting security flaws in running applications.

Chef InSpec:  This open-source tool automates security tests to help ensure compliance, security and other policy requirements that are run against traditional servers as well as containers and cloud APIs at every development stage.

Fortify: From Micro Focus, Fortify promises end-to-end application security with options for testing on-premise and on-demand to cover the entire software development lifecycle. Fortify on Demand is Micro Focus’s “application security as a service” offering that integrates static, dynamic and mobile application security testing with continuous monitoring for web apps in production.

Gauntlt: Another open-source option, Gauntlt is a popular testing framework designed to enable easy security testing and communication between groups such as security, development and operations teams. Gauntlt promises easy attack generation for testing and the ability to easily hook into your existing tools and processes.

Synopsys suite: Synopsys offers several application security testing tools including Coverity, a SAST tool that automates testing and integrates into continuous integration/continuous delivery (CI/CD) pipelines; Black Duck, an SCA tool designed to detect and manage security from the use of open source and third-party code in applications and containers; SeekerIAST, which identifies runtime security vulnerabilities that could expose sensitive data; and a variety of managed services for application security testing.

Other DevSecOps tools to consider 

The following DevSecOps tools include features and capabilities offered by tools in the categories above but are different from those tools in one way or another. 

Aqua Security:  Designed to manage security across an entire CI/CD pipeline and runtime environment for end-to-end security, Aqua is for containers and cloud-native applications across all platforms and clouds.

Dome9 Arc: Acquired by Check Point, Dome9 Arc lets developers integrate security and compliance into the building, deployment, and running of public cloud applications. It provides automated testing and security enforcement.  

GitLab: This tool builds DevSecOps architecture into the CI/CD process. GitLab promises to test every piece of code upon commit, enable developers to remediate security vulnerabilities while working in code, and provide a dashboard of all vulnerabilities.

Red Hat OpenShift: This tool promises built-in security for container-based applications such as role-based access controls, Security-Enhanced Linux (SELinux)-enabled isolation, and checks throughout the container build process. 

RedLock (formerly Evident.io): From Palo Alto Networks, RedLock is designed for the deployment stage, helping developers quickly discover and remediate security threats across resource configurations, network architecture, and user activities, especially on Amazon S3 and EBS volumes.

SD Elements: From Security Compass, SD Elements is an automation platform designed to collect information about your software, identify threats and countermeasures, and highlight relevant security controls to help enterprises achieve their security and compliance objectives.

WhiteHat Sentinel Application Security Platform: This solution promises application security throughout the entire SDLC. It’s designed for agile development teams that need security integrated into their tools and security teams that need continuous testing to keep apps secure in production. 

WhiteSource: Designed to address open-source vulnerabilities, WhiteSource can be integrated into your build process regardless of programming languages, build tools or development environments. WhiteSource continuously checks the security and licensing of open source components using a constantly updated database of open source repositories.

Copyright © 2019 IDG Communications, Inc.
