The one thing that matters in securing DevOps (or any other SDLC)

ronnytey Frequent Contributor.

Whether your organization has adopted DevOps, Agile, or another software development process, your developers must be engaged in security testing if you are to minimize the risk of a security breach to the business. This is a widely accepted strategy that was quantified in a recent Gartner DevSecOps survey, where 59% of respondents listed integrating security as the highest-ranked strategy for dealing with DevOps in regulated environments. Additionally, Gartner states that in the 12 months prior to the survey, integrating security into DevOps was one of its fastest-growing areas of client interest, with more than 600 inquiries. The challenge is how to engage developers in security testing. With the increasing number and complexity of applications, developers today are under more pressure to release code on time. From many developers’ point of view, security testing is a separate task and a hindrance to delivering their code on time. But it doesn’t have to be that way.


Application security testing must adapt to existing development processes and tools, not the other way around. It is the one thing that matters most in successfully implementing application security in your software development organization. It’s a significant change in the mindset of many security professionals who are accustomed to forcing developers to adapt to their processes. The best application security testing tool isn’t worth much if it’s not being used, and developers today don’t have the time or the desire to learn new tools to run security testing. That’s why the Fortify team has released RESTful APIs to enable the Fortify application security testing solutions to work with the most popular development tools, including IDEs such as Visual Studio and Eclipse, and application lifecycle management (ALM) systems such as Jira and Micro Focus ALM/Octane.

The Fortify team uses those APIs themselves to enable Fortify Security Assistant to flag security vulnerabilities from within the IDE as code is being written. The APIs also enable static code analysis scans to be triggered automatically from within existing automation servers, such as Jenkins, making the process transparent to developers. The scan results can then be synced with the most popular ALM systems so that identified vulnerabilities can be managed and tracked through an organization’s existing ALM system. These integrations are available today through the Fortify Marketplace.


Fortify’s ecosystem of tools, plug-ins, and solutions integrates security into our customers’ SDLC and provides the flexibility and agility to address their software development needs: shorter development cycles, more frequent releases, and more secure applications. The key is to make security testing part of the existing software development processes and tools so that developers never have to leave their current environments.
