Welcome!

Open Source Cloud Authors: Yeshim Deniz, Liz McMillan, Pat Romanski, Elizabeth White, Zakia Bouachraoui

Related Topics: @DevOpsSummit, Containers Expo Blog, Cloud Security

@DevOpsSummit: Article

What Is DevSecOps? How to Automate Security Testing | @DevOpsSummit #DevOps #Security

Software applications are complex and can potentially have lots of different types of security issues

What Is DevSecOps? How to Automate Security Testing
By Matt Watson

Every company wants to see their company getting press and media attention. Unless it is due to a hacker and a security breach. Every few weeks you see in the media stories of companies who were hacked. Getting a new credit card every few months because the data was hacked has been routine for most of us. The more that our world revolves around the internet and technology, the more cyber security becomes a big deal.

Software applications are complex and can potentially have lots of different types of security issues. The issues range from bad code to misconfigured servers and everything in between. Solving this problem requires everyone to always be thinking about security implications of what they are working on. DevSecOps is a new movement to do just that. The goal is to get developers to be thinking more about security principles and standards as they are building their applications.

Integrating DevOps + Security = DevSecOps
The goal of DevOps
is to give development teams more ownership in deploying and monitoring their applications. Automating how we provision servers and deploy our applications is at the heart of DevOps. Automation helps us move faster and ship higher quality products.

Adding security to this same automation is the goal of DevSecOps. Companies want to create strong security policies and standards without slowing down the development process. Security has to be part of the process and automated to not slow us down.

Things like DevOps and DevSecOps continue to change the meaning of the software development life cycle (SDLC). This image does a good job of visualizing it.

Tools for Automating Security Testing
One of the goals of DevSecOps is to build security testing into your development process. There are new tools that can be used to help achieve and automate it across the development lifecycle. Here are some of the types of tools that exist:

  • Cloud infrastructure best practices - Tools built into the cloud like Microsoft Azure Advisor and third party tools like evident.io can help scan your configurations for security best practices.
  • Automate security tests - You can now create and run automated security tests just like you would unit tests or integration tests. Gauntlt is a popular free framework for automated these types of tests.
  • Code Analysis - Tools like Veracode can scan your code to find potential vulnerabilities in your own code and open source libraries.
  • Runtime application security - Tools like Contrast Security run within your application in production and can help identify and prevent security issues in real time.

Hopefully, this gives you some ideas of the types of security testing and automation that can be built into your development process. Check out this list on GitHub which provides a huge list of tools and resources.

Security Unit Tests
Application security is something that needs to be thought of when we start writing code. Just as we write and run unit tests, running some automated security tests can help ensure new vulnerabilities were not introduced.  Gauntlt provides some neat capabilities around this.

For example, as part of your deployment process perhaps you provision new servers or deploy some Docker containers. You could then automatically run some various basic security tests.

  • Scan for open ports on your server
  • Test to see if your server responds to pings or not
  • Do an HTTP request and validate the cookies in the response
  • Test various HTTP verbs. Is it supposed to support DELETE, PATCH, etc?

Conclusion
Software and automation continue to change our world. Automation within the software development lifecycle helps us ship our code faster and at a higher quality. Adding security testing into that automation will also help us create more secure applications.  DevSecOps is still a new thing and is evolving quickly. Hopefully, this article gave you a few ideas you can use in the future to improve the security of your apps.

Recommended Resources:

The post What is DevSecOps? How to Automate Security Testing appeared first on Stackify.

More Stories By Stackify Blog

Stackify offers the only developers-friendly solution that fully integrates error and log management with application performance monitoring and management. Allowing you to easily isolate issues, identify what needs to be fixed quicker and focus your efforts – Support less, Code more. Stackify provides software developers, operations and support managers with an innovative cloud based solution that gives them DevOps insight and allows them to monitor, detect and resolve application issues before they affect the business to ensure a better end user experience. Start your free trial now stackify.com

IoT & Smart Cities Stories
DXWorldEXPO LLC announced today that ICOHOLDER named "Media Sponsor" of Miami Blockchain Event by FinTechEXPO. ICOHOLDER gives detailed information and help the community to invest in the trusty projects. Miami Blockchain Event by FinTechEXPO has opened its Call for Papers. The two-day event will present 20 top Blockchain experts. All speaking inquiries which covers the following information can be submitted by email to [email protected] Miami Blockchain Event by FinTechEXPOalso offers sp...
Headquartered in Plainsboro, NJ, Synametrics Technologies has provided IT professionals and computer systems developers since 1997. Based on the success of their initial product offerings (WinSQL and DeltaCopy), the company continues to create and hone innovative products that help its customers get more from their computer applications, databases and infrastructure. To date, over one million users around the world have chosen Synametrics solutions to help power their accelerated business or per...
DXWordEXPO New York 2018, colocated with CloudEXPO New York 2018 will be held November 11-13, 2018, in New York City and will bring together Cloud Computing, FinTech and Blockchain, Digital Transformation, Big Data, Internet of Things, DevOps, AI, Machine Learning and WebRTC to one location.
@DevOpsSummit at Cloud Expo, taking place November 12-13 in New York City, NY, is co-located with 22nd international CloudEXPO | first international DXWorldEXPO and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time t...
When talking IoT we often focus on the devices, the sensors, the hardware itself. The new smart appliances, the new smart or self-driving cars (which are amalgamations of many ‘things'). When we are looking at the world of IoT, we should take a step back, look at the big picture. What value are these devices providing. IoT is not about the devices, its about the data consumed and generated. The devices are tools, mechanisms, conduits. This paper discusses the considerations when dealing with the...
Charles Araujo is an industry analyst, internationally recognized authority on the Digital Enterprise and author of The Quantum Age of IT: Why Everything You Know About IT is About to Change. As Principal Analyst with Intellyx, he writes, speaks and advises organizations on how to navigate through this time of disruption. He is also the founder of The Institute for Digital Transformation and a sought after keynote speaker. He has been a regular contributor to both InformationWeek and CIO Insight...
Digital Transformation is much more than a buzzword. The radical shift to digital mechanisms for almost every process is evident across all industries and verticals. This is often especially true in financial services, where the legacy environment is many times unable to keep up with the rapidly shifting demands of the consumer. The constant pressure to provide complete, omnichannel delivery of customer-facing solutions to meet both regulatory and customer demands is putting enormous pressure on...
Machine learning has taken residence at our cities' cores and now we can finally have "smart cities." Cities are a collection of buildings made to provide the structure and safety necessary for people to function, create and survive. Buildings are a pool of ever-changing performance data from large automated systems such as heating and cooling to the people that live and work within them. Through machine learning, buildings can optimize performance, reduce costs, and improve occupant comfort by ...
SYS-CON Events announced today that IoT Global Network has been named “Media Sponsor” of SYS-CON's @ThingsExpo, which will take place on June 6–8, 2017, at the Javits Center in New York City, NY. The IoT Global Network is a platform where you can connect with industry experts and network across the IoT community to build the successful IoT business of the future.
CloudEXPO New York 2018, colocated with DXWorldEXPO New York 2018 will be held November 11-13, 2018, in New York City and will bring together Cloud Computing, FinTech and Blockchain, Digital Transformation, Big Data, Internet of Things, DevOps, AI, Machine Learning and WebRTC to one location.