Finding The Right Tool Set for DevSecOps
Choosing a tool set for DevSecOps is usually a team effort, and it starts with the team taking stock of what it currently does: which tools have been used before, what they covered, and why a new one is needed.
When selecting a tool, security teams should consider:
- The types of tests to be run.
- The technologies in use.
- The languages and frameworks the tool supports (check this against the actual stack, not the vendor's list).
- How lightweight the tool is.
- Portability, flexibility and reliability.
- Whether it can be automated: run headless from a pipeline, with a meaningful exit status and machine-readable output that can be fed to a defect tracker.
- How long the tool takes to produce results. Scans should be easy to run and finish as quickly as possible; a scan that slows the pipeline down will eventually be skipped.
Types of tools
Static Application Security Testing (SAST)
Analyzes source code (or, for some tools, compiled bytecode) to find security vulnerabilities without running the application, so it fits at commit or build time. Most tools support multiple languages, though coverage varies per language. Commercial SAST tools include Fortify, AppScan and Checkmarx; open-source examples are Brakeman (Ruby on Rails) and FindSecBugs (a SpotBugs plugin for Java bytecode). SAST produces false positives, so plan for triage and keep a baseline or ignore file of reviewed findings so that accepted warnings do not fail every build.
Dynamic Application Security Testing (DAST)
Runs automated penetration-style scans against a running application, sending crafted requests to the deployed web app and checking the responses. It needs a deployed test instance and only finds what is reachable through it. Scans can take a long time to complete depending on application size, so a common split is a quick passive scan in the pipeline and a full active scan on a schedule. Commercial: WebInspect, Burp Suite, AppSpider. Open-source: OWASP ZAP, which is lightweight and automatable and produces machine-readable reports from its packaged scans.
Interactive Application Security Testing (IAST)
Security testing happens while the application is being used, for example by the functional test suite. It works through instrumentation: an agent inside the running application, similar to a performance monitoring agent, watches data flow from request to sink. Because it observes real execution, false-positive rates are low and feedback is immediate. Results are delivered to the team through ChatOps or pushed directly into their defect tracker, which fits DevOps security testing well. The caveats are that coverage is only as good as the tests that exercise the code, and the agent adds runtime overhead, so it is normally run in test or staging environments rather than production. Commercial: Contrast, Seeker.
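The selection criteria above ask for tools that are automatable, produce machine-readable output, and feed results into the team's tracker; the tool types below each produce a different report format. The following is an added example (not from the original page, and not code from any of the named vendors or projects) of the glue a practitioner writes to make this work in a pipeline: a gate that reads a SAST report and a DAST report, normalizes both into one finding shape, drops findings already reviewed and accepted in a baseline, and fails the build if anything at or above a severity threshold remains. The field names are modelled on Brakeman's JSON output and ZAP's JSON report as assumed here, and the sample reports are constructed, not real scan output.

```python
"""Pipeline gate over SAST (Brakeman-style) and DAST (ZAP-style) JSON reports.

Added example; the field names below are assumptions about those tools'
report formats and the sample reports are constructed, not real scan output.
"""
from __future__ import annotations

import json
import sys
from dataclasses import dataclass
from typing import Iterable

# Severity order used by the gate: higher number is worse.
SEVERITY = {"info": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Finding:
    tool: str         # "brakeman" or "zap"
    fingerprint: str  # stable id used to match the baseline across runs
    severity: str     # one of SEVERITY's keys
    title: str
    location: str


def brakeman_findings(report: dict) -> list[Finding]:
    """Map Brakeman warnings to Findings. Brakeman reports confidence
    (High/Medium/Weak); this gate treats confidence as severity (assumption)."""
    conf_map = {"High": "high", "Medium": "medium", "Weak": "low"}
    return [
        Finding(
            tool="brakeman",
            fingerprint=w["fingerprint"],
            severity=conf_map.get(w.get("confidence"), "low"),
            title=w["warning_type"],
            location=f"{w['file']}:{w.get('line')}",
        )
        for w in report.get("warnings", [])
    ]


def zap_findings(report: dict) -> list[Finding]:
    """Map ZAP alerts to Findings. ZAP's riskcode is 0..3 (info..high).
    The fingerprint is plugin id + URI + parameter, so the same alert on a
    new endpoint counts as a new finding rather than an accepted one."""
    risk = {"0": "info", "1": "low", "2": "medium", "3": "high"}
    out: list[Finding] = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            for inst in alert.get("instances") or [{}]:
                uri, param = inst.get("uri", ""), inst.get("param", "")
                out.append(Finding(
                    tool="zap",
                    fingerprint=f"{alert['pluginid']}|{uri}|{param}",
                    severity=risk.get(str(alert.get("riskcode")), "info"),
                    title=alert["alert"],
                    location=f"{inst.get('method', '')} {uri} param={param!r}",
                ))
    return out


def gate(findings: Iterable[Finding], baseline: set[str],
         fail_at: str = "medium") -> tuple[list[Finding], list[Finding]]:
    """Return (blocking, accepted). Baseline fingerprints are accepted whatever
    their severity; everything else at or above fail_at blocks the build.
    Duplicate (tool, fingerprint) pairs are reported once."""
    threshold = SEVERITY[fail_at]
    blocking, accepted, seen = [], [], set()
    for f in findings:
        key = (f.tool, f.fingerprint)
        if key in seen:
            continue
        seen.add(key)
        if f.fingerprint in baseline:
            accepted.append(f)
        elif SEVERITY[f.severity] >= threshold:
            blocking.append(f)
    # Worst first, so the team sees the most urgent item at the top.
    blocking.sort(key=lambda f: SEVERITY[f.severity], reverse=True)
    return blocking, accepted


# Constructed sample reports mimicking the two tools' JSON output (assumption).
BRAKEMAN_SAMPLE = {"warnings": [
    {"warning_type": "SQL Injection", "fingerprint": "a1b2", "confidence": "High",
     "file": "app/controllers/users_controller.rb", "line": 14},
    {"warning_type": "Cross-Site Scripting", "fingerprint": "c3d4", "confidence": "Weak",
     "file": "app/views/users/show.html.erb", "line": 3},
]}
ZAP_SAMPLE = {"site": [{"@name": "http://app.test", "alerts": [
    {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing", "riskcode": "1",
     "instances": [{"uri": "http://app.test/", "method": "GET", "param": "x-content-type-options"}]},
    {"pluginid": "40018", "alert": "SQL Injection", "riskcode": "3",
     "instances": [{"uri": "http://app.test/search", "method": "GET", "param": "q"}]},
]}]}
BASELINE = {"c3d4"}  # fingerprints previously reviewed and accepted (constructed)


def run_gate(brakeman: dict = BRAKEMAN_SAMPLE, zap: dict = ZAP_SAMPLE,
             baseline: set[str] = BASELINE, fail_at: str = "medium"):
    findings = brakeman_findings(brakeman) + zap_findings(zap)
    return gate(findings, baseline, fail_at)


if __name__ == "__main__":
    # Usage: gate.py [brakeman.json zap.json]; with no arguments the samples run.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as b, open(sys.argv[2]) as z:
            blocking, accepted = run_gate(json.load(b), json.load(z))
    else:
        blocking, accepted = run_gate()
    for f in accepted:
        print(f"ACCEPTED [{f.tool}] {f.title} @ {f.location}")
    for f in blocking:
        print(f"BLOCK    [{f.tool}] {f.severity:<6} {f.title} @ {f.location}")
    sys.exit(1 if blocking else 0)
```

The fingerprint is what makes the baseline safe to use: Brakeman's is computed from the warning's code and location, and the ZAP key above includes the URI and parameter, so silencing one accepted finding does not silence the same class of bug elsewhere. The threshold is deliberately a parameter; teams usually start gating on high only, then lower it as the backlog is worked off.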