2018-02-15 19:18:00 UTC

What Application Security Solution Do You Use That Is DevOps Friendly?


What security testing tools have you used that integrated well with your DevOps pipeline automation?

Guest
13 Answers
Real User

It depends on your requirements; you can find a list of security testing tools at https://www.owasp.org/index.php/Appendix_A:_Testing_Tools.

With regards to including security testing in a continuous delivery pipeline, you can consider using, e.g., Apache JMeter (http://jmeter.apache.org/), a free and open source multiprotocol load testing tool. JMeter is mostly designed for performance testing; however, it is very flexible and you can utilize it for security testing as well. See the https://www.blazemeter.com/blog/security-testing-with-jmeter-learn-how guide for more details on several use cases.

2018-02-26 06:01:00 UTC
TOP 20 Real User

Security starts way before testing actually. Make sure security is already part of the way you develop.

We use an external bureau that does our security tests. That guarantees us an independent view of our security.

2018-02-22 08:23:35 UTC
Vendor

Appvance offers App-Pen as part of the CI/CD/DevOps flow of functional, performance and security tests. The App-Pen can be automatically driven by existing functional scripts, covering more of the application without writing any code. http://www.appvance.ai

2018-02-23 18:45:43 UTC
User

I recommend the MicroFocus Fortify SCA tool.

2018-02-23 14:37:12 UTC
Vendor

Check out this DevOps-friendly SaaS security offering: https://software.microfocus.com/en-us/products/application-security-testing/overview. You will like what you see.

2018-02-22 11:30:29 UTC
Real User

Synopsys, not open source but high quality.

2018-02-22 06:48:48 UTC
TOP 20 Real User
2018-02-22 05:55:49 UTC
Vendor

[Full disclosure - I work at Parasoft]

Parasoft has static code analysis tools for C, C++, Java and .NET. There are lightweight engines for them that will easily fit into your continuous integration setup like Jenkins, etc. There is also a reporting and analytics component called DTP that will accept data from the engines mentioned above as well as third-party tools and really anything in your CI toolchain. DTP has special reports for CWE compliance that show you findings based on the "technical impact" that is part of CWSS and CWRAF. This makes it really easy to focus on what matters most for you.

2018-02-22 00:03:05 UTC
Vendor

You can also add a vulnerability scan to your CI/CD pipeline with Qualys, either on-site or in the cloud. It's a non-trivial task to filter out the false-positives, but once you're able to account for all the output in your baseline, you can quickly focus in on deltas from build to build. A new Qualys profile (I think they're called) with new vulnerabilities will generate a barrage of new complaints to assess, but that's A Good Thing(tm). Pre-testing every push to Prod will make your auditors happy, too.

2018-02-21 18:23:31 UTC
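The baseline-then-deltas workflow described in the Qualys answer above, as an added example (not Qualys code, and not its export format): two scan result sets and a list of triaged false positives are diffed so that the pipeline only has to look at findings that are new since the last accepted build. The JSON finding layout (host, port, qid, severity, title) and all sample findings are constructed assumptions; the keys used to identify a finding across scans are hypothetical.

```python
"""Baseline-and-delta triage of vulnerability scan results for a CI/CD gate.

Added illustration, not Qualys code. The finding format is an assumption
(a JSON list of objects with host, port, qid, severity, title) and every
sample finding below is constructed.
"""
import json

# Constructed sample: the last accepted scan of the staging environment.
BASELINE_JSON = json.dumps([
    {"host": "app-1.example.test", "port": 443, "qid": "11111", "severity": 3,
     "title": "TLS server supports weak cipher suites"},
    {"host": "app-1.example.test", "port": 22, "qid": "22222", "severity": 2,
     "title": "SSH banner discloses version"},
])

# Constructed sample: scan of the current build candidate.
CURRENT_JSON = json.dumps([
    {"host": "app-1.example.test", "port": 443, "qid": "11111", "severity": 3,
     "title": "TLS server supports weak cipher suites"},
    {"host": "app-1.example.test", "port": 8080, "qid": "33333", "severity": 5,
     "title": "Management console reachable without authentication"},
    {"host": "app-2.example.test", "port": 443, "qid": "44444", "severity": 1,
     "title": "HTTP security header missing"},
    {"host": "app-2.example.test", "port": 443, "qid": "55555", "severity": 4,
     "title": "Outdated framework version reported by banner"},
])

# Findings already triaged as false positives (e.g. a banner-based version
# check against a backported package). Keyed like the diff so they never
# count as "new" again; review this list whenever the scanner's knowledge
# base changes, since new checks will legitimately raise new findings.
ACCEPTED_FALSE_POSITIVES = {("app-2.example.test", 443, "55555")}


def finding_key(finding):
    """Identity of a finding across scans: where it was seen and which check fired."""
    return (finding["host"], finding["port"], finding["qid"])


def load_findings(text):
    """Parse scanner output and reject records missing the fields the diff relies on."""
    findings = json.loads(text)
    for finding in findings:
        for field in ("host", "port", "qid", "severity"):
            if field not in finding:
                raise ValueError(f"finding missing required field {field!r}: {finding}")
    return findings


def diff_findings(baseline, current, accepted=frozenset()):
    """Return (new, fixed): findings not in the baseline or accepted set, and
    baseline findings that no longer appear. New findings are sorted by
    descending severity so the worst item is first in the build log."""
    base_keys = {finding_key(f) for f in baseline}
    cur_keys = {finding_key(f) for f in current}
    new = [f for f in current
           if finding_key(f) not in base_keys and finding_key(f) not in accepted]
    fixed = [f for f in baseline if finding_key(f) not in cur_keys]
    new.sort(key=lambda f: -f["severity"])
    return new, fixed


def gate_passes(new_findings, max_allowed_severity=2):
    """The build may proceed only if every new finding is at or below the threshold."""
    return all(f["severity"] <= max_allowed_severity for f in new_findings)


if __name__ == "__main__":
    new, fixed = diff_findings(load_findings(BASELINE_JSON),
                               load_findings(CURRENT_JSON),
                               ACCEPTED_FALSE_POSITIVES)
    for f in new:
        print(f"NEW   sev={f['severity']} {f['host']}:{f['port']} {f['qid']} {f['title']}")
    for f in fixed:
        print(f"FIXED sev={f['severity']} {f['host']}:{f['port']} {f['qid']} {f['title']}")
    # Non-zero exit fails the pipeline stage when a new high-severity finding appears.
    raise SystemExit(0 if gate_passes(new) else 1)
```

With the constructed input, the diff reports one fixed finding (the SSH banner) and two new ones; the unauthenticated console (severity 5) fails the gate while the missing header (severity 1) alone would not. Whatever the real scanner exports, the design stays the same: a stable key per finding, an explicit accepted list with an owner, and a threshold that the pipeline enforces rather than a human reading the full report each build.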
Vendor

[Full disclosure - I work for Fortify Software]

Fortify SCA (Static Code Analyzer) can support your DevOps system in a variety of ways, so the choices are all yours, which can make this tough. I just wanted to share some of our On-premise and On-line options below to get you started. Bear in mind that the normal process is to test code with SCA, then upload and review the results in Fortify SSC Server, then publish the annotated/prioritized results to your connected defect system (ALM, Octane, Jira, Bugzilla, TFS, et al). We have sped up the manual process of issue review with our included Audit Assistant feature.

* Maven, ANT, Jenkins, TFS, fortify CloudScan, build-time scanning = YES

* VSTS (BYOLicense): https://marketplace.visualstudio.com/items?itemName=fortifyvsts.hpe-security-fortify-vsts (for SCA SAST and also WebInspect DAST)

* Bamboo: https://marketplace.atlassian.com/plugins/com.fortify.plugins.atlassian.bamboo.sca.bamboo-fortify-sca-plugin/server/overview

* Fortify Marketplace lists numerous add-ons: https://marketplace.microfocus.com/fortify
Example: FortifyBugTrackerUtility: https://marketplace.microfocus.com/fortify/content/fortify-bugtracker-utility

* Fortify On Demand (FOD): SaaS offering where our staff run your scans, similar to Veracode's off-premise offering. Lots and lots of plugins included, plus a Swagger-based RESTful API.

* Various CLI tools and a Swagger-based RESTful API for SSC Server.

* Documentation: https://community.softwaregrp.com/t5/Fortify-Product-Documentation/ct-p/fortify-product-documentation

2018-02-21 15:09:23 UTC
TOP 5 Real User

Using "Micro Focus (HPE) Fortify SCA" integrated with "VSTS/TFS".

But you need to take some effort to implement your CI/CD pipeline with custom scripts (autogenerated bat files, etc.).

2018-02-21 14:53:27 UTC
User

The only DevOps-friendly WAF on the market is from Wallarm (http://wallarm.com/); it meets the requirements of DevOps best practices.

It has a real hybrid architecture and has an integrated DAST scanner and active threat verification.

2018-02-21 14:35:04 UTC
User

Consider using either
1) Veracode Application Security
2) HPE Security Fortify Application Defender

2018-02-21 13:58:06 UTC