
DevSecOps Tooling Best Practices

Publication:
November 27, 2020
Author:
Oliver Moradov

DevOps teams have become successful at releasing code at speed, whether for web apps or APIs, but without automated security testing they are releasing vulnerabilities at speed too.

To achieve DevSecOps you need to bake security into your rapid-release cycles. That requires effective tools and practices that unify your application development, QA testing and, of course, security teams under a common DevSecOps methodology.

Below are some key aspects to consider when adding tooling to your DevSecOps pipelines:

1. ‘Develop’ a Culture of Security…

Not really specific to tooling, but one of the pillars critical to achieving DevSecOps is a security culture. Once you have management buy-in, it is about collaboration between your development and security teams: breaking down the silos and creating champions for the change. These champions serve as the go-betweens who speak the different languages of each stage of the pipeline.

2. Empowering your teams to scale security testing, at speed

When adopting DevSecOps you are shifting security testing left, i.e. into the hands of your developers, who become the first line of defence. They need to detect, prioritise and treat security defects the way they treat functional defects, so that they are fixed early.

To do this, however, developers need tools they can actually use, not another tool built for security professionals that will be disabled and join your other shelfware. For modern development environments you need a modern DAST with a Dev First security approach: simple and intuitive to use, where you don't need to be a cyber security expert to configure the tests and understand the output.

A DAST that tests both your web apps and APIs gives you a single pane of glass, additional buy-in from your teams and longevity, reducing your TCO.

3. Security feedback loop

With scale and speed comes automation, which requires a DAST tool that detects your vulnerabilities early. Developers need the ability to scan every build or commit from their dashboard and to automatically raise tickets (in GitHub or Jira, for example), closing a feedback loop in which every security player has visibility, from developers and QA through the security team to the CISO.

4. Accuracy of and Trust in the Tooling

Having a tool that is easy to use and integrated into your pipeline is great, but if it sets off false alerts (false positives) and your builds fail because of them, your developers will soon make their feelings felt. Results need to be accurate and actionable, with remediation guidelines so that developers can fix issues early. Manual validation of vulnerabilities is slow and expensive, so a tool that removes it is essential to maintaining the speed of DevOps while delivering security compliance. If you are a CISO, how can you effectively evaluate your risk on demand when your results are skewed by false positives and your internal security team is drained as they scramble to validate the findings manually?
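The feedback loop in section 3 and the false-positive problem in section 4 come together at one point in the pipeline: the step that reads the scan output, decides whether the build fails, and opens tickets. The script below is an added example (not Bright's code and not its report format): it assumes a scanner report with a per-issue `confirmed` flag and a `severity` string, fails the build only on confirmed findings at or above a chosen severity, fingerprints each issue so the same finding on the next commit does not open a duplicate ticket, and builds the payload for the GitHub REST issues endpoint. The sample report, host names and commit id are constructed.

```python
"""Build gate for DAST findings: fail the pipeline on confirmed high-severity
issues and turn each new finding into a tracker ticket payload.

Added example, not Bright's code. The report shape (SAMPLE_REPORT) and the
`confirmed` flag are assumptions; adapt load_findings() to your scanner."""
import hashlib
import json
import urllib.request

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample scan output for one commit (not real scanner output).
SAMPLE_REPORT = json.dumps({
    "scan_id": "scan-0001",
    "commit": "abc1234",
    "issues": [
        {"name": "SQL Injection", "severity": "high", "confirmed": True,
         "url": "https://app.example.test/api/users", "parameter": "id",
         "method": "GET", "remediation": "Use parameterised queries."},
        {"name": "Missing X-Content-Type-Options", "severity": "low",
         "confirmed": True, "url": "https://app.example.test/", "parameter": "",
         "method": "GET", "remediation": "Send X-Content-Type-Options: nosniff."},
        {"name": "Reflected XSS", "severity": "high", "confirmed": False,
         "url": "https://app.example.test/search", "parameter": "q",
         "method": "GET", "remediation": "Encode output in the HTML context."},
    ],
})


def load_findings(report_json):
    """Pull the issue list out of the (assumed) report format."""
    return json.loads(report_json)["issues"]


def fingerprint(issue):
    """Stable key for an issue across commits: what, where, which parameter.
    Severity is deliberately excluded so a re-rated issue keeps its ticket."""
    key = "|".join([issue["name"], issue["method"], issue["url"], issue["parameter"]])
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def gate(issues, fail_on="high", known=(), require_confirmed=True):
    """Return (should_fail, new_issues, skipped).

    Only confirmed findings can fail a build: an unvalidated hit is a
    candidate, and gating on candidates is what turns false positives into
    broken builds and, soon after, a disabled scanner. Issues already
    ticketed still fail the build but do not get a second ticket."""
    threshold = SEVERITY_RANK[fail_on]
    should_fail = False
    new, skipped = [], []
    for issue in issues:
        if require_confirmed and not issue.get("confirmed"):
            skipped.append((issue["name"], "unconfirmed"))
            continue
        fp = fingerprint(issue)
        if fp in known:
            skipped.append((issue["name"], "already ticketed"))
        else:
            new.append({**issue, "fingerprint": fp})
        if SEVERITY_RANK[issue["severity"]] >= threshold:
            should_fail = True
    return should_fail, new, skipped


def github_issue_payload(issue, commit):
    """Request body for POST /repos/{owner}/{repo}/issues (GitHub REST API)."""
    title = f"[DAST][{issue['severity'].upper()}] {issue['name']} in {issue['method']} {issue['url']}"
    body = (f"Detected on commit `{commit}`.\n\n"
            f"Parameter: `{issue['parameter'] or '-'}`\n"
            f"Fingerprint: `{issue['fingerprint']}`\n\n"
            f"Remediation: {issue['remediation']}\n")
    return {"title": title, "body": body,
            "labels": ["security", f"severity:{issue['severity']}"]}


def post_github_issue(payload, repo, token):
    """Create the issue; `repo` is 'owner/name'. Not called offline."""
    req = urllib.request.Request(
        f"https://api.github.com/repos/{repo}/issues",
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/vnd.github+json",
                 "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["html_url"]


if __name__ == "__main__":
    findings = load_findings(SAMPLE_REPORT)
    fail, fresh, skipped = gate(findings)
    for issue in fresh:
        print(json.dumps(github_issue_payload(issue, "abc1234"), indent=2))
    for name, why in skipped:
        print(f"skipped {name}: {why}")
    raise SystemExit(1 if fail else 0)
```

In CI the `known` set would be loaded from the tracker (for example the fingerprints embedded in open issues carrying the `security` label), and the non-zero exit status is what fails the build. The unconfirmed XSS finding is reported for a human to look at but never blocks a merge, which is the behaviour section 4 argues a developer-facing tool must have.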

Achieving DevSecOps with Bright

Bright enhances DevSecOps at its core, with a Dev First approach to testing your web apps and APIs.

Key features of our technology include:

  • Shallow learning curve: to establish a culture of security testing across your pipelines
  • Built for Developers: we empower developers to detect and fix vulnerabilities on every build, with multiple discovery methods to initiate a scan, including:
    • Crawling – for full automation
    • HAR files – generated per build/commit for scope defined testing or by QA Automation
    • OpenAPI (Swagger) files or Postman Collections – to test APIs or Single Page Applications
  • Smart Scanning functionality: leveraging sophisticated algorithms to carry out the right tests against the target, removing complexity for developers whilst ensuring scans are automatically optimised to maximise speed and prevent development drag
  • Built for Modern Technologies: Microservices, Single Page Applications and APIs (SOAP, REST, GraphQL) are all supported
  • 0 (Zero) False Positives: The only tool with fully automated validation of every vulnerability detected, freeing up valuable time for your security team and saving a considerable amount of money, so you can release fast and be secure by design
  • Seamless Integration: REST API, CLI for developers, or with common tools such as CircleCI, Jenkins, Jira, GitLab, GitHub, Azure DevOps and more
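The discovery-method list above mentions HAR files generated per build or by QA automation to define the scope of a scan. The script below is an added example, not Bright's code: it builds an HTTP Archive 1.2 file from the requests a QA suite made (constructed traffic, placeholder hosts) and drops any request to hosts outside the authorised scope, because a DAST tool will attack every URL in the archive it is given, third-party analytics and CDNs included. The scanner-side handling of the file is whatever your tool documents; only the archive format here is standard.

```python
"""Generate a scope-defining HAR (HTTP Archive 1.2) from the requests a QA
automation suite made, filtered to the hosts you are authorised to test.

Added example, not Bright's code. SAMPLE_TRAFFIC and the host names are
constructed placeholders."""
import datetime as dt
import json
from urllib.parse import urlsplit


def _kv(mapping):
    """HAR encodes headers and query strings as lists of {name, value}."""
    return [{"name": k, "value": v} for k, v in mapping.items()]


def har_entry(method, url, headers=None, body=None,
              mime="application/json", status=200, when=None):
    """One HAR entry. The response part is minimal: a scanner replays the
    request side and observes live responses itself."""
    parts = urlsplit(url)
    query = {}
    for pair in filter(None, parts.query.split("&")):
        k, _, v = pair.partition("=")
        query[k] = v
    request = {
        "method": method, "url": url, "httpVersion": "HTTP/1.1",
        "cookies": [], "headers": _kv(headers or {}), "queryString": _kv(query),
        "headersSize": -1, "bodySize": len(body.encode()) if body else 0,
    }
    if body is not None:
        request["postData"] = {"mimeType": mime, "text": body}
    started = (when or dt.datetime.now(dt.timezone.utc)).isoformat()
    return {
        "startedDateTime": started, "time": 0,
        "request": request,
        "response": {"status": status, "statusText": "", "httpVersion": "HTTP/1.1",
                     "cookies": [], "headers": [],
                     "content": {"size": 0, "mimeType": mime},
                     "redirectURL": "", "headersSize": -1, "bodySize": -1},
        "cache": {}, "timings": {"send": 0, "wait": 0, "receive": 0},
    }


def build_har(entries, creator="qa-suite", version="1.0"):
    """Wrap entries in the HAR 1.2 envelope."""
    return {"log": {"version": "1.2",
                    "creator": {"name": creator, "version": version},
                    "entries": list(entries)}}


def in_scope(har, allowed_hosts):
    """Keep only requests whose host is in the authorised scope. Everything
    else (analytics, CDNs, partner APIs) must not be attacked."""
    creator = har["log"]["creator"]
    keep = [e for e in har["log"]["entries"]
            if urlsplit(e["request"]["url"]).hostname in allowed_hosts]
    return build_har(keep, creator["name"], creator["version"])


# Constructed traffic from a hypothetical login-then-list-users test.
SAMPLE_TRAFFIC = [
    ("POST", "https://app.example.test/api/login",
     {"Content-Type": "application/json"}, '{"user":"qa","pass":"qa-pass"}'),
    ("GET", "https://app.example.test/api/users?page=1&sort=name",
     {"Authorization": "Bearer <session-token>"}, None),
    ("GET", "https://analytics.example.net/collect?v=1", {}, None),
]


def sample_har(allowed_hosts=("app.example.test",)):
    """Record the constructed traffic and scope it to the allowed hosts."""
    entries = [har_entry(m, u, h, b) for m, u, h, b in SAMPLE_TRAFFIC]
    return in_scope(build_har(entries), set(allowed_hosts))


if __name__ == "__main__":
    # The archive carries the test user's credentials and session token:
    # treat the file as a secret (short-lived CI artifact, never committed).
    with open("scope.har", "w", encoding="utf-8") as fh:
        json.dump(sample_har(), fh, indent=2)
```

In a real pipeline the entries would come from the test framework's own recorder (most browser automation tools can write a HAR directly), and the scoping step is the part worth keeping: it is the difference between testing your build and accidentally testing someone else's service with your QA credentials in the request headers.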

To find out how you can leverage our technology to achieve DevSecOps for your WebApps and APIs, please do get in touch or request a demo here.

Testing variance                                             Using Legacy DAST    Using Dev-Centric DAST
% of orgs knowingly pushing vulnerable apps & APIs to prod   86%                  50%
Time to remediate > Med vulns in prod                        280 days             <150 days
% of > Med vulns detected in CI, or earlier                  <5%                  ~55%
Dev time spent remediating vulns                             -                    Up to 60x faster
Happiness level of Engineering & AppSec teams                -                    Significantly improved
Average cost of Data Breach (US)                             $7.86M               $7.86M