2018-02-15T19:18:00Z

What Application Security Solution Do You Use That Is DevOps Friendly?


What security testing tools have you used that integrated well with your DevOps pipeline automation?

Guest

Real User

It depends on your requirements; you can find the list of security testing tools at https://www.owasp.org/index.php/Appendix_A:_Testing_Tools.

With regards to including security testing in a continuous delivery pipeline, you can consider using e.g. Apache JMeter (http://jmeter.apache.org/), a free and open source multiprotocol load testing tool. JMeter is mostly designed for performance testing; however, it is very flexible and you can utilize it for security testing as well. See the guide at https://www.blazemeter.com/blog/security-testing-with-jmeter-learn-how for more details on several use cases.

2018-02-26T06:01:00Z
Real User

Security starts way before testing actually. Make sure security is already part of the way you develop.

We use an external bureau that does our security tests. That guarantees us an independent view of our security.

2018-02-22T08:23:35Z
Vendor

Appvance offers App-Pen as part of the CI/CD/DevOps flow of functional, performance and security tests. The App-Pen can be automatically driven by existing functional scripts, covering more of the application without writing any code. http://www.appvance.ai

2018-02-23T18:45:43Z
User

I recommend the MicroFocus Fortify SCA tool.

2018-02-23T14:37:12Z
Vendor

Check out this DevOps-friendly SaaS security offering: https://software.microfocus.com/en-us/products/application-security-testing/overview. You will like what you see.

2018-02-22T11:30:29Z
Real User

Synopsys: not open source, but high quality.

2018-02-22T06:48:48Z
Vendor

[Full disclosure - I work at Parasoft]

Parasoft has static code analysis tools for C, C++, Java and .NET. There are lightweight engines for them that will easily fit into your continuous integration setup like Jenkins, etc. There is also a reporting and analytics component called DTP that will accept data from the engines mentioned above as well as 3rd party tools and really anything in your CI toolchain. DTP has special reports for CWE compliance that show you findings based on the "technical impact" that is part of CWSS and CWRAF. This makes it really easy to focus on what matters most for you.

2018-02-22T00:03:05Z
Vendor

You can also add a vulnerability scan to your CI/CD pipeline with Qualys, either on-site or in the cloud. It's a non-trivial task to filter out the false-positives, but once you're able to account for all the output in your baseline, you can quickly focus in on deltas from build to build. A new Qualys profile (I think they're called) with new vulnerabilities will generate a barrage of new complaints to assess, but that's A Good Thing(tm). Pre-testing every push to Prod will make your auditors happy, too.

2018-02-21T18:23:31Z
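The baseline-versus-delta workflow described in the answer above, as an added example that is not from the original post or from Qualys: accepted findings live in a baseline, the build is judged only on findings that are new relative to it, and a new check appearing (or an old one on a new host) surfaces as a delta. The JSON shape, check IDs and hostnames are constructed stand-ins, not the vendor's report format.

```python
import json

# Constructed finding records in a simplified, vendor-neutral shape
# (an assumption for this example, NOT the real scanner report format).
# A finding is identified by (target, check_id); severity runs 1..5.
BASELINE_JSON = """[
  {"target": "app.example.test", "check_id": "CHK-1001", "severity": 2, "title": "TLS 1.0 enabled"},
  {"target": "app.example.test", "check_id": "CHK-2042", "severity": 3, "title": "Missing HSTS header"}
]"""

# Constructed output of the scan run against the current build.
CURRENT_JSON = """[
  {"target": "app.example.test", "check_id": "CHK-2042", "severity": 3, "title": "Missing HSTS header"},
  {"target": "app.example.test", "check_id": "CHK-3100", "severity": 5, "title": "Outdated library with known RCE"},
  {"target": "api.example.test", "check_id": "CHK-1001", "severity": 2, "title": "TLS 1.0 enabled"}
]"""

def key(f):
    """Identity of a finding: the same check on the same target is the same finding."""
    return (f["target"], f["check_id"])

def diff_findings(baseline, current):
    """Return (new, resolved) findings relative to the accepted baseline."""
    base = {key(f): f for f in baseline}
    cur = {key(f): f for f in current}
    new = [cur[k] for k in sorted(cur.keys() - base.keys())]
    resolved = [base[k] for k in sorted(base.keys() - cur.keys())]
    return new, resolved

def gate(new_findings, fail_at=4):
    """Pipeline decision: fail only on NEW findings at or above the threshold.
    Baseline findings are tracked elsewhere and do not block this build."""
    blocking = [f for f in new_findings if f["severity"] >= fail_at]
    return ("FAIL" if blocking else "PASS", blocking)

def run(baseline_json=BASELINE_JSON, current_json=CURRENT_JSON):
    """Diff the current scan against the baseline and return the gate verdict."""
    new, resolved = diff_findings(json.loads(baseline_json), json.loads(current_json))
    verdict, blocking = gate(new)
    return {"verdict": verdict, "new": new, "resolved": resolved, "blocking": blocking}

if __name__ == "__main__":
    r = run()
    print(f"{r['verdict']}: {len(r['new'])} new, {len(r['resolved'])} resolved")
    for f in r["blocking"]:
        print(f"  blocking: {f['target']} {f['check_id']} sev{f['severity']} {f['title']}")
```

Resolved findings are reported so the baseline file can be pruned after review; a finding that moves to a new host is deliberately treated as new rather than inherited.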
Vendor

[Full disclosure - I work for Fortify Software]

Fortify SCA (Static Code Analyzer) can support your DevOps system in a variety of ways, so the choices are all yours, which can make this tough. I just wanted to share some of our On-premise and On-line options below to get you started. Bear in mind that the normal process is to test code with SCA, then upload and review the results in Fortify SSC Server, then publish the annotated/prioritized results to your connected defect system (ALM, Octane, Jira, Bugzilla, TFS, et al). We have sped up the manual process of issue review with our included Audit Assistant feature.

* Maven, ANT, Jenkins, TFS, Fortify CloudScan, build-time scanning = YES

* VSTS (BYOLicense): https://marketplace.visualstudio.com/items?itemName=fortifyvsts.hpe-security-fortify-vsts (for SCA SAST and also WebInspect DAST)

* Bamboo: https://marketplace.atlassian.com/plugins/com.fortify.plugins.atlassian.bamboo.sca.bamboo-fortify-sca-plugin/server/overview

* Fortify Marketplace lists numerous add-ons: https://marketplace.microfocus.com/fortify
Example: FortifyBugTrackerUtility: https://marketplace.microfocus.com/fortify/content/fortify-bugtracker-utility

* Fortify On Demand (FOD): SaaS offering where our staff run your scans, similar to Veracode's off-premise offering. Lots and lots of plugins included, plus a Swagger-based RESTful API.

* Various CLI tools and a Swagger-based RESTful API for SSC Server.

* Documentation: https://community.softwaregrp.com/t5/Fortify-Product-Documentation/ct-p/fortify-product-documentation


2018-02-21T15:09:23Z
Top 20 Real User

Using "Microfocus (HPE) Fortify SCA" with integrated "VSTS/TFS".

But you need to take some effort to implement your CI/CD pipeline with custom scripts (autogenerated bat files etc.).

2018-02-21T14:53:27Z
User

The only DevOps-friendly WAF in the market is from Wallarm (wallarm.com); it meets the requirements of DevOps best practices.

It has a real hybrid architecture and has an integrated DAST scanner and active threat verification.

2018-02-21T14:35:04Z
User

Consider using either
1) veracode application security
2) HPE Security Fortify Application Defender

2018-02-21T13:58:06Z