Denys Rudyi - Fotolia

DevOps security tools 'shift left' into CI/CD pipelines

DevOps security remains a work in progress, but many enterprise IT shops already plug collaboration points for IT security and operations pros directly into the app development pipeline.

DevOps security tools that shift IT security away from the primary domain of IT ops and into the application development pipeline made strong inroads among enterprises in 2018.

"Shift left" refers to the move from infrastructure security that mitigates vulnerabilities among apps in production toward an application delivery process that builds in security predeployment. The term comes from DevOps pipeline diagrams, which typically depict app development activities on the left side and production infrastructure on the right side.

Application code scanning tools, such as WhiteSource, Black Duck and SonarQube, assess vulnerabilities as apps move through the CI/CD pipeline through integrations with Jenkins, TeamCity and other CI/CD frameworks. They automatically flag security vulnerabilities or policy violations to developers in their code before it's deployed.

Before code makes it to the build stage of the CI/CD pipeline, enterprises such as LivePerson, a conversational AI software maker headquartered in New York, use tools by Checkmarx and SonarQube to perform static code analysis to detect security and code quality issues. Then, at the build stage, LivePerson has a tool from WhiteSource integrated with its Jenkins and TeamCity CI/CD tools that further tests whether application code is secure and complies with company policy.

"Legal policies are enforced during application builds [through WhiteSource] without requiring developers to be familiar with all the policy details," said Nir Koren, senior DevOps and continuous integration engineer at LivePerson.

Thus, DevOps security tools provide a collaboration point between developers who aren't necessarily well-versed in IT security and corporate compliance rules, business users for legal and risk management who lack background in application development, and IT ops release engineers responsible for application security in production, Koren said. WhiteSource also helps the legal department ensure they only build applications that use authorized versions of open source software licenses.

Next, LivePerson plans to automate continuous application deployments to production and will look to WhiteSource for easier integration with CI/CD pipeline components and other internal processes.

"I wish we had some easier integration to external scripts and automation," Koren said. "[WhiteSource] provided generic JAR [Java Archive] files that you can run with different parameters, but you sometimes have to find a workaround that might be ugly to make it work with other technologies."

451 Research DevOps security survey
IT pros use DevOps security tools earlier in the application development process than they did three years ago, according to 451 Research.

Security responsibility slides toward developers

DevOps security tools have grown in popularity since 2015, according to a multiyear 451 Research survey of 450 enterprise IT decision-makers with security expertise. IT security teams were the primary users of security testing tools among 57% of respondents in 2015. But, by 2018, only 42% of respondents said IT security teams were the primary users of security testing tools.

In the same time period, application development teams grew from 23% to 31% of security testing tool users. Just 34% of respondents in 2015 ran security testing tools as soon as new software code was written. But, in 2018, that number jumped to 49%, while the percentage of respondents who only ran security tests against production code fell from 32% to 23%.

The industry has seen organic standardization of DevOps toolchains lately, some agreement on things like Jenkins for builds, JIRA for ticketing and Slack for messaging. Application security vendors have a place to plug into widely used tools.
Daniel Kennedyanalyst, 451 Research

"The industry has seen organic standardization of DevOps toolchains lately, some agreement on things like Jenkins for builds, JIRA for ticketing and Slack for messaging," said Daniel Kennedy, analyst at 451 Research and co-author of the 451 surveys on security tools. "Application security vendors have a place to plug in to widely used tools."

DevOps security tools help, but some IT pros have discovered there's no technical substitute for at least some developer training to improve the overall security of code out of the gate and to avoid repeated mistakes.

"The OWASP Top 10 doesn't really change, because developers continue to write the same security vulnerabilities into their code," said Travis Jeppson, director of engineering at Nav Inc., a fintech company in Draper, Utah.

Nav uses static analysis tools such as SonarQube and container security scanning by Twistlock in its GitLab CI/CD pipeline, but it also required developers to conduct a risk assessment last year on each of the application services under their responsibility. This helped the developers better understand the broader context of those services and security issues, and it helped the business understand why it's important to identify security vulnerabilities before they deploy apps to production.

This will build the business case for additional DevOps security tools, such as dynamic code scanning software that tests for vulnerabilities against a live environment. It will give developers a more accurate picture of how code will perform in production, Jeppson said.

Learn more about the challenges that still stand between IT pros and DevSecOps nirvana in part two of this story.

Dig Deeper on Systems automation and orchestration

Software Quality
App Architecture
Cloud Computing
Data Center