Modern application development organizations must integrate and automate DevOps security tools such as IAST into CI/CD pipelines to speed developers.
Software developers working on modern applications have embraced agile development, DevOps security tools, and continuous integration and continuous delivery (CI/CD) approaches. With consumers and enterprises increasingly relying on web and mobile apps for their software needs, developers have had to move away from monolithic on-premises applications that rely on a “big bang” launch of presentation, business logic, and data tier layers all at once, with a major release every six to 24 months. Today’s modern applications must be updated much more frequently. It turns out the best way to do this is to atomize the codebase into modules, or components, split among proprietary code, open source, microservices, and APIs.
Modern applications, which are required to scale to potentially millions of users around the world, with data capacities in exabytes and near-instantaneous processing, cannot work in a monolithic software paradigm. Indeed, the days of monolithic applications, when a single developer could understand everything about a codebase, are gone. And as agile development and CI/CD pipelines have increased flexibility and automation of code creation and delivery, so too has DevOps begun to automate security tools.
DevOps security tools
In keeping with the idea of modular or componentized modern applications, proponents of the concept do not want to just move their monolithic codebase into the cloud with an infrastructure-as-a-service (IaaS) platform like Amazon Web Services (AWS). They want to be able to pick and choose between best-of-breed technologies, including third-party DevOps security tools, as suggested by research showing that enterprises currently use only 15 out of over 150 cloud-native AWS services. While standard web applications may be OK using off-the-shelf IaaS security tools, modern applications need something more.
In Gartner’s Critical Capabilities Report for Application Security Testing, the analysts write, “Buyers often look for a single vendor platform that encompasses static application security testing, dynamic application security testing and other AST techniques. Although this may be sufficient for web application testing, modern applications and DevOps often require point solutions, such as tools for the security testing of APIs.”
Modern applications move fast
In the era of modern applications, software developers move fast, with a mantra of daily, even hourly, check-ins under DevOps, agile development, and CI/CD pipeline models. However, there’s a hurdle in this race toward “continuous innovation” in the modern application movement: The rapid evolution and fragmentation of the threat landscape and the requirement for security may reduce delivery velocity unless teams integrate DevOps security tools seamlessly into their DevOps workflows. And the effectiveness of DevOps security tools depends on their ability to be automated and tightly integrated across the entire software development life cycle (SDLC).
According to the Gartner report, “DevOps and modern applications focuses on rapid, iterative development styles, and is strongly influenced by how well tools integrate with the DevOps toolchain. The emphasis is on automation and creating an effective security footprint for developers that minimizes testing time.”
DevOps, automation, and IAST
In the end, whether you’re deploying monolithic applications on-premises, modern applications in the cloud with microservices, or a hybrid combination of the two, security cannot be afterthought in DevOps. When you automate DevOps security tools in the CI/CD pipeline, you can remediate potential security risks even before you move into production. And with the right DevOps security tool integrations, your teams can test code throughout the SDLC, becoming efficient at delivering secure, high-quality software faster.
The analysts in Gartner’s Critical Capabilities Report for Application Security Testing write that “security and risk management leaders responsible for application and security should embed AST in the software development life cycle by selecting solutions that work effectively with integrated development environments, provide bug tracking, conduct quality assurance, and support other application development and testing systems through plugins and full API enablement.”
One such DevOps security tool for modern applications is Seeker IAST, which works best with automated and CI/CD pipeline processes and integrates with SAST, DAST, and other application development and testing systems such as SCA. In fact, Synopsys received the highest scores in the DevOps and modern applications use case in the Gartner report. Download the report to learn more.
Gartner, Critical Capabilities for Application Security Testing, 18 April 2019, Ayal Tirosh, Mark Horvath, Dionisio Zumerle
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
*** This is a Security Bloggers Network syndicated blog from Software Integrity Blog authored by Derek Handova. Read the original post at: https://www.synopsys.com/blogs/software-security/devops-security-tools/