 |
VOOZH | about |
|
VOOZH | about |
We’re so glad you’re here. You can expect all the best TNS content to arrive Monday through Friday to keep you on top of the news and at the top of your game.
Check your inbox for a confirmation email where you can adjust your preferences and even join additional groups.
Follow TNS on your favorite social media networks.
Become a TNS follower on LinkedIn.
Check out the latest featured and trending stories while you wait for your first TNS newsletter.
GitLab sponsored this post.
One of the greatest challenges currently facing security and development teams is striking a balance between speed and security. Application security testing (AST) tools that leverage automation to produce high-quality results must continue to evolve, in order to help organizations bring these two components together. The goal should be to shift to a true DevSecOps model, by automating vulnerability detection and triage to reduce secure software time-to-market.
According to analyst firm Gartner:
“…modern application design and the continued adoption of DevSecOps are expanding the scope of the AST market. Security and risk management leaders will need to meet tighter deadlines and test more complex applications by seamlessly integrating and automating AST in the software delivery life cycle.”
Yet, legacy AST solutions currently on the market tend to operate outside the CI tooling in use, and scans are generally performed after a merge/build has already taken place — further to the right of the software development lifecycle (SDLC).
Newer AST tools, on the other hand, allow organizations to shift that functionality to the left — with the most innovative ones featuring an orchestration layer that simplifies the implementation and automation of security testing in modern development environments. As DevOps and security testing evolves, scans can now be automatically triggered, embedding results directly into the CI/CD pipelines of DevOps tools like GitLab. The result? Streamlined DevOps workflows, earlier detection of software vulnerabilities (AKA shifting as far left as possible), and happier developers because they’re able to stay right within their preferred environments.
By automating the steps required to scan code earlier in the SDLC, it eliminates the need for time-consuming manual configuration of scans. It also allows developers to publish and update scan findings, based on a pre-configured policy within the code management tools. After the initial configuration, AST scan activity is performed hands-off with no human intervention required, beyond a pull request initiated by a developer.
As if it couldn’t get any easier, modern automation tools also allow developers to:
Advanced automation tools eliminate the manual and time-consuming configuration per project within DevOps, thereby removing the friction between developers and DevOps teams when needing to add scanning steps into the jobs of all CI pipelines. Adding jobs or steps to scan code is challenging using the traditional CI-scan model. Advanced automation tools ultimately break down barriers between teams and allow them to play better together and achieve true DevSecOps integration.
At the end of the day, shifting left and automating your CI/CD pipeline will dramatically improve the integration of security within the SDLC. Organizations can instantly onboard their development, security, and operations teams and simplify the governance of their security policies and DevSecOps processes. The traditional AST solution providers are leaving developers behind because without the ability to scan source code directly in your environment, you’re left having to manually process scans — leaving a lot of room for marginal error and adding a lot of time to your end-delivery date.
If I can leave you with one thing, it’s that integration is key to automation and the tools you use should enable the most shift left approach possible, where automation can occur within the SDLC — changing the way AST solutions are embedded within all DevOps environments.
Feature image via Pixabay.
At this time, The New Stack does not allow comments directly on this website. We invite all readers who wish to discuss a story to visit us on Twitter or Facebook. We also welcome your news tips and feedback via email: feedback@thenewstack.io.
