Top 7 DevSecOps Tools
CNN recently estimated that in the first six months of 2018, the cryptocurrency market lost approximately $731 million to hackers and theft. One of the most famous software breaches―which caused major panic in the market―involved Cointhumb, a cryptocurrency exchange with more than 1 million users. In this breach, hackers stole around $32 million from customers’ wallets. In its official statement, Cointhumb explained that a vulnerability in the wallet application, introduced by new code deployed only a couple of weeks before the hack, granted easy access to sensitive information such as customers’ tokens and keys. The attackers used this to reach customers’ cryptocurrency addresses and transfer the funds out of them.
Another big hack, which led to a $20 million theft, was caused by a missing firewall configuration. In this case, several cryptocurrency vendors set up a “local” instance of the Ethereum blockchain using geth and forgot to block outside access to the node, allowing hackers to simply connect to it and transfer the coins to accounts under their control.
Cryptocurrency is one of today’s hottest buzzwords, but it’s not the only software industry exposed to hackers, theft, and security weaknesses. Almost every website and application―mobile and desktop―is in danger. Cyber theft, ethical hacking, ransomware, and denial-of-service software are only some of the threats software needs to protect against. During the last ten years, security awareness has risen―and many different agendas, methodologies, and tools have been created to tighten security for the software world. One of these methodologies is DevSecOps.

DevSecOps: The New Hero in Town
For many years, security wasn’t part of the development and release process. In the early 2000s, neither small nor enterprise organizations executed any protection validation, as they didn’t understand the added value or the potential risk. Over the years, however, as valuable information became more computerized―and protecting it became both more crucial and more difficult―the security agenda moved to the center of the software development and production process. Even so, in some cases security still does not get the appropriate attention.
Today, many security activities are executed outside the development lifecycle, sometimes only once before a version release. Raising security awareness, feature security reviews, security testing, and other security activities do not carry enough weight in the release-to-production approval process. This often results in late code and infrastructure adjustments, which lead to schedule changes, postponed release dates, and missed organizational goals. The DevSecOps methodology can solve these problems and more. As explained in CSO, “DevSecOps is about introducing security earlier in the life cycle of application development, thus minimizing vulnerabilities and bringing security closer to IT and business objectives.”
Integrating security into the agile lifecycle, by running static code analysis on every commit, executing automated security tests as part of the CI/CD process, and various other methods, helps R&D teams improve multiple aspects of their applications. For example, code is more secure as it’s being written, the application is continuously validated against common security threats, and possible breach points are detected as part of application deployment.
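To make the “static analysis on every commit, gate in CI/CD” idea concrete, here is a small per-commit check and the pipeline gate that consumes its findings. This is an added example written for this article, not code from any of the tools it reviews. The rule ids, severities, pass/fail policy, and the sample commit contents are all constructed; a real pipeline would run a proper SAST tool and feed its report into a gate of the same shape.

```python
"""Per-commit security check plus CI/CD gate.

Added example written for this article; it is not the code of any tool
named here. The rules, severities, policy and the sample commit are all
constructed for illustration: a real pipeline would run a SAST tool and
feed its report into a gate of this shape.
"""
import re
from dataclasses import dataclass

# Hypothetical rule set: (rule id, severity, pattern, description).
RULES = [
    ("SEC001", "HIGH", re.compile(r"AKIA[0-9A-Z]{16}"),
     "AWS access key ID committed to source"),
    ("SEC002", "HIGH", re.compile(r"-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----"),
     "private key material committed to source"),
    ("SEC003", "MEDIUM", re.compile(r"(?i)(password|secret|api_key)\s*=\s*['\"][^'\"]{4,}['\"]"),
     "hardcoded credential literal"),
    ("SEC004", "MEDIUM", re.compile(r"\b(eval|exec)\s*\("),
     "dynamic code execution"),
    ("SEC005", "LOW", re.compile(r"verify\s*=\s*False"),
     "TLS certificate verification disabled"),
]
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    path: str
    line: int
    message: str


def scan_files(files):
    """Run every rule over every line of each changed file.

    `files` maps a path to its full text, as a commit hook would read it
    from the index. Returns findings sorted by path, line and rule.
    """
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for rule_id, severity, pattern, message in RULES:
                if pattern.search(line):
                    findings.append(Finding(rule_id, severity, path, lineno, message))
    return sorted(findings, key=lambda f: (f.path, f.line, f.rule_id))


def gate(findings, fail_on="MEDIUM", suppressed=frozenset()):
    """Decide whether the build may proceed.

    The build fails when any finding at or above `fail_on` is not in
    `suppressed`, a set of (rule id, path) pairs that were reviewed and
    accepted; the total count is kept so the report still shows them.
    """
    threshold = SEVERITY_RANK[fail_on]
    blocking = [f for f in findings
                if (f.rule_id, f.path) not in suppressed
                and SEVERITY_RANK[f.severity] >= threshold]
    return {"passed": not blocking, "total": len(findings), "blocking": blocking}


# Constructed sample of one commit's changed files (the AWS key is the
# placeholder value from AWS's own documentation, not a real credential).
SAMPLE_COMMIT = {
    "app/settings.py": (
        "DEBUG = False\n"
        "DB_PASSWORD = 'hunter2-prod'\n"
        "AWS_KEY = 'AKIAIOSFODNN7EXAMPLE'\n"
    ),
    "app/client.py": (
        "import requests\n"
        "def fetch(url):\n"
        "    return requests.get(url, verify=False)\n"
    ),
    "README.md": "Nothing to see here.\n",
}

if __name__ == "__main__":
    result = gate(scan_files(SAMPLE_COMMIT))
    for f in result["blocking"]:
        print(f"{f.path}:{f.line} [{f.severity}] {f.rule_id}: {f.message}")
    print("gate:", "PASS" if result["passed"] else "FAIL",
          f"({len(result['blocking'])} blocking of {result['total']} findings)")
    raise SystemExit(0 if result["passed"] else 1)
```

Run as a script it exits non-zero, which is what a CI step needs to stop the build; the `suppressed` set is where accepted risks live, so that a reviewed exception does not silently disappear from the report but also does not block every later commit.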
Production monitoring is also part of the DevSecOps agenda. Monitoring plans and methods are constantly built, executed, tested, and refined on test environments, allowing early detection of network misconfigurations and letting security principles and metrics be updated to fit new hazards and risks.
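The geth incident above is exactly the kind of network misconfiguration such monitoring should catch before an attacker does: a node’s RPC port bound to every interface with no firewall in front of it. The following check, an added example written for this article and not any vendor’s product, parses the listening sockets reported by `ss -ltn` on a host and flags every non-loopback listener that the policy does not allow to be public. The allowlist, the sample socket listing, and the severity rules are assumptions made for the example; the only facts taken from outside the article are geth’s default ports (8545 HTTP-RPC, 8546 WebSocket-RPC, 30303 devp2p).

```python
"""Listening-service exposure audit.

Added example written for this article, not a vendor's tool. It turns the
incident described above (an Ethereum node whose RPC port was reachable
from outside because a firewall rule was missing) into a check that can
run from a monitoring job. Input is the text of `ss -ltn` on the host; the
sample below is constructed. The allowlist and port notes are assumptions
for this example (8545/8546 and 30303 are geth's default HTTP-RPC,
WebSocket-RPC and devp2p ports).
"""
import ipaddress

# Hypothetical policy: ports allowed to listen on a public interface.
# The p2p port must be reachable for the node to peer; RPC must not be.
PUBLIC_ALLOWLIST = {443, 30303}

# Ports whose public exposure is treated as HIGH rather than MEDIUM.
SENSITIVE_PORTS = {
    8545: "geth HTTP JSON-RPC",
    8546: "geth WebSocket JSON-RPC",
}


def parse_ss_listeners(text):
    """Parse `ss -ltn` output into (address, port) pairs.

    Handles IPv4, bracketed IPv6 and the `*` wildcard; the header and any
    non-LISTEN lines are skipped.
    """
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)   # local address:port column
        listeners.append((addr.strip("[]"), int(port)))
    return listeners


def is_loopback(addr):
    """True only for 127.0.0.0/8 and ::1; wildcards and unparsable addresses are not loopback."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def audit(listeners, allowlist=PUBLIC_ALLOWLIST):
    """Flag every listener that is not loopback-only and not on the allowlist."""
    findings = []
    for addr, port in listeners:
        if is_loopback(addr) or port in allowlist:
            continue
        if port in SENSITIVE_PORTS:
            findings.append({"addr": addr, "port": port, "severity": "HIGH",
                             "reason": f"{SENSITIVE_PORTS[port]} reachable on a non-loopback interface"})
        else:
            findings.append({"addr": addr, "port": port, "severity": "MEDIUM",
                             "reason": "service listening publicly but not on the allowlist"})
    return findings


# Constructed sample of `ss -ltn` output on a node host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     127.0.0.1:9090       0.0.0.0:*
LISTEN  0       128     0.0.0.0:30303        0.0.0.0:*
LISTEN  0       4096    0.0.0.0:8545         0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       511     *:443                *:*
"""

if __name__ == "__main__":
    for f in audit(parse_ss_listeners(SAMPLE_SS_OUTPUT)):
        print(f"[{f['severity']}] {f['addr']}:{f['port']} - {f['reason']}")
```

The check deliberately ignores what the firewall claims and looks at what the host actually listens on; running it on the test environment first, as the paragraph describes, is how the allowlist gets tuned before the same job watches production.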
With DevSecOps, security officers are constantly aware of application protection and can calmly and confidently approve a specific build for release. Most importantly, the security awareness of the organization as a whole increases, and more attention and budget are directed toward the goal of achieving a secure production environment.

Top DevSecOps Tools
Fusing security into the R&D lifecycle might sound simple, but it requires integrating with many tools in the development ecosystem, involving new personas in the CI and CD processes, and creating visibility for new types of information, metrics, and KPIs. Still, numerous products can make integration and visibility easier and improve the efficiency of the DevSecOps process. The seven tools listed below are the top of the market right now, based on their ability to integrate with R&D and DevOps workflows, the value they add to the DevOps process, and their popularity among users.

Continuum Security
Continuum Security helps manage and test the security of products. It consists of two modules: IriusRisk and BDD Security. IriusRisk allows R&D teams to create a threat model, break it down into security requirements, and manage the security risks throughout the SDLC. BDD Security addresses security quality needs, providing an open-source test framework that lets users test functional and non-functional security scenarios written in BDD language. It also offers out-of-the-box reporting and easy embedding into the continuous integration process. Continuum Security offers three pricing models: community, SaaS-hosted, and on-premises.

ThreatModeler

ThreatModeler is a standalone tool with a rich API that provides two-way integrations with almost all tools in the CI/CD toolchain. This means that all of the ThreatModeler modules can benefit from the information created by all stakeholders. ThreatModeler also supplies a set of dashboards which allow everyone to influence application security. ThreatModeler’s Intelligent Threat Engine uses functional information about an application’s components to automatically identify each component’s security threats. It does this while gathering associated security requirements, test cases, and code review guidelines―and it identifies problematic code to provide the information needed to build a protection plan. The Automated Threat Intelligence Framework helps keep users up to date on the latest real-life security threats with an automatically generated threat tree that provides a hierarchical view of all
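Both tools above start from the same idea: describe the system as components and data flows, derive threats from that model, and turn each threat into a security requirement that is tracked through the SDLC. The example below, written for this article and not taken from IriusRisk, ThreatModeler, or any vendor rule set, shows that derivation with three illustrative rules (clear-text flows across a trust boundary, unauthenticated callers from a less trusted zone, and secrets stored in the clear) and a helper that reports which requirements are still open. The trust-zone ordering, the STRIDE labels chosen per rule, and the sample model are all assumptions made for the example.

```python
"""Rule-based derivation of security requirements from a threat model.

Added example written for this article; it is not IriusRisk or ThreatModeler
code and does not reproduce their rule sets. Components carry a trust zone
and a few security properties, flows connect them, and each rule turns a
weakness into a requirement with a STRIDE category. `open_requirements`
is the SDLC-tracking half: which controls are still not implemented.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    zone: str                        # trust zone, e.g. "internet", "dmz", "internal"
    stores_secrets: bool = False
    encrypted_at_rest: bool = False
    authenticates_callers: bool = True


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    protocol: str                    # "https", "http", "tcp", ...


@dataclass(frozen=True)
class Requirement:
    component: str
    stride: str                      # STRIDE category of the threat
    threat: str
    control: str


# Hypothetical ordering of trust zones, least trusted first.
ZONE_TRUST = {"internet": 0, "dmz": 1, "internal": 2}


def derive_requirements(components, flows):
    """Apply three illustrative rules and return a de-duplicated, sorted backlog."""
    comps = {c.name: c for c in components}
    reqs = []
    for f in flows:
        src, dst = comps[f.src], comps[f.dst]
        if src.zone == dst.zone:
            continue                  # flow rules only fire across a trust boundary
        if f.protocol != "https":     # rule 1: clear text across a boundary
            reqs.append(Requirement(dst.name, "Information disclosure",
                f"{src.name} -> {dst.name} crosses {src.zone}/{dst.zone} over {f.protocol}",
                "Encrypt this flow with TLS"))
        if ZONE_TRUST[src.zone] < ZONE_TRUST[dst.zone] and not dst.authenticates_callers:
            reqs.append(Requirement(dst.name, "Spoofing",      # rule 2
                f"{dst.name} accepts unauthenticated calls from the less trusted zone {src.zone}",
                "Authenticate and authorize every caller"))
    for c in components:              # rule 3: secrets at rest in the clear
        if c.stores_secrets and not c.encrypted_at_rest:
            reqs.append(Requirement(c.name, "Information disclosure",
                f"{c.name} stores secrets in clear text",
                "Encrypt secrets at rest and restrict key access"))
    return sorted(set(reqs), key=lambda r: (r.component, r.stride, r.threat))


def open_requirements(reqs, implemented):
    """Requirements whose (component, control) pair is not yet marked implemented."""
    return [r for r in reqs if (r.component, r.control) not in implemented]


# Constructed sample model of a small wallet service (not a real system).
SAMPLE_COMPONENTS = [
    Component("browser", "internet"),
    Component("web-api", "dmz"),
    Component("wallet-svc", "internal", stores_secrets=True, authenticates_callers=False),
    Component("node-rpc", "internal", authenticates_callers=False),
]
SAMPLE_FLOWS = [
    Flow("browser", "web-api", "https"),
    Flow("web-api", "wallet-svc", "http"),
    Flow("wallet-svc", "node-rpc", "tcp"),
]

if __name__ == "__main__":
    backlog = derive_requirements(SAMPLE_COMPONENTS, SAMPLE_FLOWS)
    done = {("wallet-svc", "Encrypt this flow with TLS")}
    for r in open_requirements(backlog, done):
        print(f"[{r.stride}] {r.component}: {r.threat} -> {r.control}")
```

Note that the unauthenticated `node-rpc` produces no requirement here because the model only declares a flow from inside the same zone; a model reflects the architecture as drawn, which is why the article pairs threat modelling with runtime checks that see what is actually exposed.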