What are some great tools for integrating security into DevOps?

CEO, 2 years ago

I recently did the DevSecOps implementation in my organization. This is what I use today:

I also gave a talk on the same topic at Teleport conference and also at OWASP meetup. Here is a table from my slide deck I presented:
 

| Security check | Tools |
| --- | --- |
| 1. Secure Access to Infrastructure | Teleport |
| 2. SAST | Semgrep |
| 3. Secret Scanning | Trufflehog |
| 4. IaC scanning | TerraScan |
| 5. Dependencies | Dependabot |
| 6. DAST / IAST / API Security Testing | Akto.io |

Chief of DevOps and Partner in Healthcare and Biotech, 2 years ago

Integrating security into DevOps, often called DevSecOps, is essential for building and maintaining secure applications.

Here's a list of categories and DevSecOps tools:
- Static Application Security Testing (SAST), e.g. SonarQube
- Dynamic Application Security Testing (DAST): OWASP Zed Attack Proxy (ZAP)
- Software Composition Analysis (SCA): WhiteSource
- Container Security: Aqua Security

There are also some Continuous Integration/Continuous Deployment (CI/CD) Tools with security integrations:
- GitLab 
- GitHub 
- Azure DevOps

You can check out the videos on my YouTube channel on how to build a
- DevSecOps Pipeline with GitLab: https://www.youtube.com/watch?v=sHK8uN5fBhs&list=PLrsbMazVPK_qhf3ahA_zRPlwBaGGhSu2P
- DevSecOps Pipeline with GitHub: https://www.youtube.com/watch?v=_m5KYEi1ThA&list=PLrsbMazVPK_pt9u_PiTGAb3s9aw8ashvQ
