What security testing tools have you used that integrated well with your DevOps pipeline automation?
It depends on your requirements, the list of security testing tools you can find at https://www.owasp.org/index.php/Appendix_A:_Testing_Tools.
With regards to including security testing in a continuous delivery pipeline, you can consider using, e.g., Apache JMeter (http://jmeter.apache.org/), a free and open source multiprotocol load testing tool. JMeter is mostly designed for performance testing, however it is very flexible and you can utilize it for security testing as well. See the https://www.blazemeter.com/blog/security-testing-with-jmeter-learn-how guide for more details on several use cases.
Security starts way before testing actually. Make sure security is already part of the way you develop.
We use an external bureau that does our security tests. That guarantees us an independent view of our security.
Appvance offers App-Pen as part of the CI/CD/DevOps flow of functional, performance and security tests. The App-Pen can be automatically driven by existing functional scripts, covering more of the application without writing any code. http://www.appvance.ai
I recommend the MicroFocus Fortify SCA tool.
Check out this DevOps-friendly SaaS security offering: https://software.microfocus.com/en-us/products/application-security-testing/overview. You will like what you see.
Synopsys: not open source, but high quality.
[Full disclosure - I work at Parasoft]
Parasoft has static code analysis tools for C, C++, Java and .NET. There are lightweight engines for them that will easily fit into your continuous integration setup like Jenkins, etc. There is also a reporting and analytics component called DTP that will accept data from the engines mentioned above as well as 3rd-party tools and really anything in your CI toolchain. DTP has special reports for CWE compliance that show you findings based on the "technical impact" that is part of CWSS and CWRAF. This makes it really easy to focus on what matters most for you.
You can also add a vulnerability scan to your CI/CD pipeline with Qualys, either on-site or in the cloud. It's a non-trivial task to filter out the false-positives, but once you're able to account for all the output in your baseline, you can quickly focus in on deltas from build to build. A new Qualys profile (I think they're called) with new vulnerabilities will generate a barrage of new complaints to assess, but that's A Good Thing(tm). Pre-testing every push to Prod will make your auditors happy, too.
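As an added illustration of the baseline-and-delta approach this answer describes (example code written for this page, not Qualys' own tooling; the finding fields, the 1..5 severity scale and the JSON export shape are assumptions, and the sample scan data is constructed):

```python
"""Baseline-and-delta triage for vulnerability scan output in a CI/CD stage.

Example code (not any vendor's tooling). Keep a reviewed baseline of known or
accepted findings; on each build, compare the fresh scan against it and fail
only on findings that are new AND at or above a severity threshold, so the
team reviews deltas instead of the whole report every time.
"""
from __future__ import annotations

import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    check_id: str  # scanner's check identifier (assumed field name)
    severity: int  # assumed scale: 1 (info) .. 5 (critical)

    def key(self) -> tuple[str, int, str]:
        # Identity of a finding: same check on the same host:port.
        return (self.host, self.port, self.check_id)


def load_findings(raw_json: str) -> set[Finding]:
    """Parse a (constructed) JSON list of findings into a set of Finding."""
    return {
        Finding(
            host=f["host"],
            port=int(f["port"]),
            check_id=str(f["check_id"]),
            severity=int(f["severity"]),
        )
        for f in json.loads(raw_json)
    }


def diff_scans(baseline: set[Finding], current: set[Finding]) -> tuple[list[Finding], list[Finding]]:
    """Return (new_findings, resolved_findings), each sorted by severity desc."""
    base_by_key = {f.key(): f for f in baseline}
    cur_by_key = {f.key(): f for f in current}
    new = [cur_by_key[k] for k in cur_by_key.keys() - base_by_key.keys()]
    resolved = [base_by_key[k] for k in base_by_key.keys() - cur_by_key.keys()]
    order = lambda f: (-f.severity, f.key())
    return sorted(new, key=order), sorted(resolved, key=order)


def gate(new_findings: list[Finding], fail_at: int = 4) -> tuple[bool, list[Finding]]:
    """Build passes unless a new finding has severity >= fail_at."""
    blocking = [f for f in new_findings if f.severity >= fail_at]
    return (len(blocking) == 0, blocking)


# Constructed sample data: yesterday's reviewed baseline and today's scan.
BASELINE_JSON = json.dumps([
    {"host": "web01", "port": 443, "check_id": "38170", "severity": 3},
    {"host": "web01", "port": 443, "check_id": "11827", "severity": 2},
    {"host": "db01", "port": 5432, "check_id": "91234", "severity": 4},
])
CURRENT_JSON = json.dumps([
    {"host": "web01", "port": 443, "check_id": "38170", "severity": 3},
    {"host": "web01", "port": 443, "check_id": "11827", "severity": 2},
    {"host": "web01", "port": 80, "check_id": "150001", "severity": 5},
    {"host": "web01", "port": 443, "check_id": "86002", "severity": 2},
])


def run_stage() -> dict:
    """What a pipeline step would do: diff, gate, and report a summary."""
    new, resolved = diff_scans(load_findings(BASELINE_JSON), load_findings(CURRENT_JSON))
    passed, blocking = gate(new)
    return {
        "new": [f.key() for f in new],
        "resolved": [f.key() for f in resolved],
        "blocking": [f.key() for f in blocking],
        "passed": passed,
    }


if __name__ == "__main__":
    summary = run_stage()
    print(json.dumps(summary, indent=2))
    raise SystemExit(0 if summary["passed"] else 1)
```

Once the new findings have been reviewed, the accepted ones are written into the baseline so the next build only reports what changed since; the db01 finding that disappeared shows up as "resolved" so a silently removed host or port does not go unnoticed either.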
[Full disclosure - I work for Fortify Software]
Fortify SCA (Static Code Analyzer) can support your DevOps system in a variety of ways, so the choices are all yours, which can make this tough. I just wanted to share some of our on-premise and online options below to get you started. Bear in mind that the normal process is to test code with SCA, then upload and review the results in Fortify SSC Server, then publish the annotated/prioritized results to your connected defect system (ALM, Octane, Jira, Bugzilla, TFS, et al.). We have sped up the manual process of issue review with our included Audit Assistant feature.
* Maven, ANT, Jenkins, TFS, Fortify CloudScan, build-time scanning = YES
* VSTS (BYOLicense): https://marketplace.visualstudio.com/items?itemName=fortifyvsts.hpe-security-fortify-vsts (for SCA SAST and also WebInspect DAST)
* Bamboo: https://marketplace.atlassian.com/plugins/com.fortify.plugins.atlassian.bamboo.sca.bamboo-fortify-sca-plugin/server/overview
* Fortify Marketplace lists numerous add-ons: https://marketplace.microfocus.com/fortify
Example: FortifyBugTrackerUtility: https://marketplace.microfocus.com/fortify/content/fortify-bugtracker-utility
* Fortify On Demand (FOD): SaaS offering where our staff run your scans, similar to Veracode's off-premise offering. Lots and lots of plugins included, plus a Swagger-based RESTful API.
* Various CLI tools and a Swagger-based RESTful API for SSC Server.
* Documentation: https://community.softwaregrp.com/t5/Fortify-Product-Documentation/ct-p/fortify-product-documentation
Using "Micro Focus (HPE) Fortify SCA" integrated with "VSTS/TFS".
But you need to take some effort to implement your CI/CD pipeline with custom scripts (auto-generated bat files etc.).
The only DevOps-friendly WAF in the market is from Wallarm (http://wallarm.com/); it meets the requirements of DevOps best practices.
It has a real hybrid architecture and has an integrated DAST scanner and active threat verification.
Consider using either:
1) Veracode application security
2) HPE Security Fortify Application Defender