CI/CD Archives - SD Times
https://sdtimes.com/tag/cicd/

GrammaTech and ArmorCode partner to deliver vulnerability management orchestration
https://sdtimes.com/security/grammatech-and-armorcode-partner-to-deliver-vulnerability-management-orchestration/
Mon, 24 Apr 2023 20:18:01 +0000

Application security testing company GrammaTech and AppSecOps company ArmorCode have announced a technology integration partnership geared at helping users automate product security across development, testing, feedback, and deployment.

With the GrammaTech CodeSonar static application security testing (SAST) platform, ArmorCode users gain improved safety and security vulnerability intelligence for integrating application security capabilities into CI/CD pipelines.

“Unifying application security tools and intelligence to orchestrate operations across developer pipelines is central to preventing safety and security vulnerabilities from reaching market ready products,” said Katie Norton, senior research analyst of DevOps and DevSecOps at IDC. “Together, GrammaTech CodeSonar and ArmorCode can enable customers to automate end-to-end DevSecOps workflows instead of stitching together often siloed processes.”

According to the companies, this integration provides users with a centralized, 360-degree view of vulnerabilities in the CI/CD pipeline and orders them by priority level for remediation.

This is intended to help companies apply DevSecOps practices across physically distributed development environments and comply with standards-based coding practices such as MISRA for automotive products.

Furthermore, ArmorCode’s AppSecOps platform works to unify vulnerability management, cutting response time for detection and remediation and reducing disruption of the software release cycle.

“As organizations across industries adopt DevSecOps to accelerate the delivery of software, the number of security vulnerabilities have increased exponentially. Furthermore, the security teams responsible for protecting the business are struggling to manage the risk and to keep pace with the speed of delivery,” said Mark Lambert, chief product officer at ArmorCode. “This integration between GrammaTech CodeSonar and ArmorCode delivers the visibility and workflow automation these teams need to ship secure software and ship it fast.” 

The post GrammaTech and ArmorCode partner to deliver vulnerability management orchestration appeared first on SD Times.

Harness announces new Jira integrations
https://sdtimes.com/cicd/harness-announces-new-jira-integrations/
Tue, 18 Apr 2023 18:29:06 +0000

The software delivery platform provider Harness today announced the release of the Harness Continuous Integration (CI) module and Harness Feature Flags which give customers visibility into feature development and release information with Jira Software. 

“Integrating Harness and Jira Software through Harness CI and Feature Flags provide users what they need most today: a consolidated view of issues across different environments in the development lifecycle,” said Richard O’Connell, head of partner growth at Atlassian. “From the creation of a Jira ticket to the deployment in different environments, all users – from project managers to non-technical users – are able to understand and digest the latest deployment information, without the need to navigate to another tool.”

Harness CI dramatically reduces pipeline execution time by automatically caching well-known directories for Java & Node.js. It is also available in hybrid and fully self-managed offerings for organizations with highly specific regulatory and implementation requirements.

The solution is built on Drone, an open-source continuous integration solution, and it uses containers to drop pre-configured steps into pipelines to add popular plugins or custom ones.

Harness Feature Flags simplifies release management and workflows while creating visibility into how changes are being rolled out to customers, all within Jira. Users can see which feature flag controls a change, whether the change has been released to users, and what percentage of users is getting access to it.

The new integrations are now available in the Atlassian Marketplace. 

The post Harness announces new Jira integrations appeared first on SD Times.

CircleCI introduces new security and automation features
https://sdtimes.com/software-development/circleci-introduces-new-security-and-automation-features/
Thu, 13 Oct 2022 18:06:13 +0000

CircleCI, the continuous integration and continuous delivery (CI/CD) platform, today announced new features and integrations intended to improve security and automation practices for modern software developers. 

According to the company, the new self-hosted container runner is designed to provide greater flexibility and security in order to help developers simplify infrastructure management with greater traceability.

With these self-hosted runners, enterprise teams or those in more regulated industries have the ability to choose their own infrastructure for running jobs.

Additionally, this release offers teams greater control over their environments, allows them to build and test on a wider variety of architectures, and more.

“The goal at CircleCI has always been to help developers build great things and deliver to market faster,” said Jim Rose, CEO of CircleCI. “Our new self-hosted container runner leverages automation as a silver bullet so that customers can deploy with confidence without sacrificing power or cost efficiency.”

Key benefits of this release include: 

  • The ability to self-host the infrastructure for their CI/CD pipelines while leveraging the other features of CircleCI Cloud.
  • The ability to specify Docker images for CI/CD jobs with one line in configuration.
  • The ability to integrate with Kubernetes APIs in order to spin up and down ephemeral pods that each execute CI/CD jobs. 

“The ephemeral nature of containers can enable DevOps teams to scale work up and down as needed to meet demand, reduce cost, and optimize their use of self-hosted runners. Solutions, such as the CircleCI self-hosted container runner, can also reduce toil by providing teams with more control without the hassle of administrative overhead,” said Jim Mercer, research vice president of IDC DevOps and DevSecOps Solutions.

CircleCI has also added an integration with New Relic CodeStream, a platform that makes observability accessible in a developer’s IDE.

With this, teams can increase their ability to collaborate, visualize, and observe CI/CD data with increased context.

The post CircleCI introduces new security and automation features appeared first on SD Times.

CloudBees acquires ReleaseIQ to expand DevSecOps offerings
https://sdtimes.com/devops/cloudbees-acquires-releaseiq-to-expand-devsecops-offerings/
Wed, 28 Sep 2022 15:49:34 +0000

CloudBees acquired the ReleaseIQ DevOps Platform to expand the company’s DevSecOps capabilities and to empower customers with a low-code, end-to-end release orchestration and visibility solution. 

The SaaS offering enables DevOps organizations to compose and analyze workflows, and also orchestrate a combination of CI/CD technologies including Jenkins without the need to migrate or replace. 

“The decision to acquire ReleaseIQ was rooted in three core beliefs: choice, visibility and continuous value,” said Anuj Kapur, president and CEO at CloudBees. “First, businesses need to empower developers by providing a choice of tools versus forcing a toolset. Second, as DevSecOps matures, it is no longer acceptable to have a limited view of your software delivery ecosystem. And lastly, the future of business is rooted in the ability to continuously deliver innovation to the customers you serve.”

The new capability enables teams to coordinate coherent, effective deployments and releases across teams, applications and environments. 

The pipeline coordinator is compatible with most CI technologies including CloudBees CI, Jenkins, CircleCI, GitLab, and Bamboo, as well as CD technologies such as ArgoCD or homegrown deployment tools.

The post CloudBees acquires ReleaseIQ to expand DevSecOps offerings appeared first on SD Times.

New CI/CD configuration policies added to Checkov
https://sdtimes.com/security/new-ci-cd-configuration-policies-added-to-checkov/
Wed, 03 Aug 2022 20:03:44 +0000

Checkov, the open-source tool for finding infrastructure misconfigurations, has been updated with new CI/CD configuration policies. These policies can be applied across popular CI/CD frameworks like GitHub Actions, GitLab Runners, BitBucket Pipelines, CircleCI, and Argo. 

Checkov has a developer-first approach to supply chain security, so it embeds these CI/CD policies directly into existing DevOps workflows to make it easier for developers to adopt them. 

Industry benchmarks, such as SLSA and CIS, were used to create these policies. According to the Checkov team, this helps developers align their pipelines with industry standards. 

The new policies include controls like requiring two reviewers for a pull request, requiring signatures for individual commits, preventing deprecated commands or beta features from being used, preventing secrets exfiltration, and blocking privileged workflow pods. 

According to the Checkov team, CI/CD security policies are particularly needed to prevent supply chain attacks. They explained that CI/CD pipelines that aren’t properly secured provide attackers with an easy entry point into the software supply chain.

As an example, a repository configured to run any command in a pull request can be manipulated by injecting code that will send API tokens and other secrets to the attacker, the team explained. 

 

The post New CI/CD configuration policies added to Checkov appeared first on SD Times.

Combining Static Application Security Testing (SAST) and Software Composition Analysis (SCA) Tools
https://sdtimes.com/cicd/combining-static-application-security-testing-sast-and-software-composition-analysis-sca-tools/
Tue, 26 Jul 2022 15:25:46 +0000

When creating, testing, and deploying software, many development companies now use proprietary software and open source software (OSS).

Proprietary software, also known as closed-source or non-free software, includes applications for which the publisher or another person reserves licensing rights to modify, use, or share modifications. Examples include Adobe Flash Player, Adobe Photoshop, macOS, Microsoft Windows, and iTunes. 

In contrast, OSS grants users the ability to use, change, study, and distribute the software and its source code to anyone on the internet. Accordingly, anyone can participate in the development of the software. Examples include MongoDB, LibreOffice, Apache HTTP Server, and the GNU/Linux operating system. 

This means that many organizations are using third-party code and modules for their OSS. While these additions are incredibly useful for many applications, they can also expose organizations to risks. According to Revenera’s 2022 State of the Software Supply Chain Report, 64% of organizations were impacted by software supply chain attacks caused by vulnerabilities in OSS dependencies. 

Although OSS can expose organizations to risks, avoiding OSS software and dependencies is not practical. OSS software and dependencies now play an integral role in development. This is particularly the case for JavaScript, Ruby, and PHP application frameworks, which tend to use multiple OSS components. 

Since software companies cannot realistically avoid using OSS, cybersecurity teams must avoid vulnerabilities associated with OSS by employing software composition analysis (SCA) tools. Additionally, they need to combine SCA with static application security testing (SAST), since proprietary software such as Microsoft Windows and Adobe Acrobat is also used.

Read on to learn more about SAST and SCA. This article will also explain how cybersecurity teams can combine SAST and SCA into a comprehensive cybersecurity strategy.

What Is SAST?

SAST is a code scanning program that reviews proprietary code and application sources for cybersecurity weaknesses and bugs. Also known as white box testing, SAST is considered a static approach because it analyzes code without running the app itself. Since it only reads code line by line and doesn’t execute the program, SAST platforms are extremely effective at removing security vulnerabilities at every stage of the software product development lifecycle (SDLC), particularly during the first few stages of development.

Specifically, SAST programs can help teams:

  • Find common vulnerabilities, such as buffer overflow, cross-site scripting, and SQL injection
  • Verify that development teams have conformed to development standards
  • Root out intentional breaches and acts, such as supply chain attacks
  • Spot weaknesses before the code goes into production and creates vulnerabilities
  • Scan all possible states and paths for proprietary software bugs of which development teams were not aware
  • Implement a proactive security approach by reducing issues early in the SDLC

SAST plays an integral role in software development. By giving development teams real-time feedback as they code, SAST can help teams address issues and eliminate problems before they go to the next phase of the SDLC. This prevents bugs and vulnerabilities from accumulating. 

What Is SCA?

SCA is a code analysis tool that inspects source code, package managers, container images, and binary files, and lists them in an inventory of known vulnerabilities called a Bill of Materials (BOM). The software then compares the BOM with databases that hold information about common and known vulnerabilities, such as the U.S. National Vulnerability Database (NVD). The comparison enables cybersecurity teams to spot critical legal and security vulnerabilities and fix them.

Some SCA tools can also compare their inventory of known vulnerabilities to discover licenses connected with the open-source code. Cutting edge SCAs may also be able to:

  • Analyze overall code quality (i.e., history of contributions and version control)
  • Automate the entire process of working with OSS modules, including selection and blocking them from the IT environment as needed
  • Provide ongoing alerts and monitoring for vulnerabilities reported after an organization deploys an application
  • Detect and map known OSS vulnerabilities that can’t be found through other tools
  • Map legal compliance risks associated with OSS dependencies by identifying the licenses in open-source packages
  • Monitor new vulnerabilities 

Every software development organization should consider getting SCA for legal and security compliance. Secure, reliable, and efficient, SCA allows teams to track open-source code with just a few clicks of the mouse. Without SCA, teams need to manually track open-source code, a near-impossible feat due to the staggering number of OSS dependencies. 

How To Use SAST and SCA To Mitigate Vulnerabilities

Using SAST and SCA to mitigate vulnerabilities is not as easy as it seems. This is because using SAST and SCA involves much more than just pressing buttons on a screen. Successfully implementing SAST and SCA requires IT and cybersecurity teams to establish and follow a security program across the organization, an endeavor that can be challenging.

Luckily, there are a few ways to do this:

1. Use The DevSecOps Model

Short for development, security, and operations, DevSecOps is an approach to platform design, culture, and automation that makes security a shared responsibility at every phase of the software development cycle. It contrasts with traditional cybersecurity approaches that employ a separate security team and quality assurance (QA) team to add security to software at the end of the development cycle. 

Cybersecurity teams can follow the DevSecOps model when using SAST and SCA to mitigate vulnerabilities by implementing both tools and approaches at every phase of the software development cycle. To start, they should introduce SAST and SCA tools to the DevSecOps pipeline as early in the creation cycle as possible. Specifically, they should introduce the tools during the coding stage, during which time the code for the program is written. This will ensure that:

  • Security is not just an afterthought
  • The team has an unbiased way to root out bugs and vulnerabilities before they reach critical mass

Although it can be difficult to convince teams to adopt two security tools at once, it is possible to do with a lot of planning and discussion. However, if teams prefer to only use one tool for their DevSecOps model, they could consider the alternatives below.

2. Integrate SAST and SCA Into the CI/CD Pipeline

Another way to use SAST and SCA together is to integrate them into the CI/CD pipeline.

Short for continuous integration, CI refers to a software development approach where developers combine code changes in a centralized hub multiple times per day. CD, which stands for continuous delivery, then automates the software release process.

Essentially, a CI/CD pipeline is one that creates code, runs tests (CI), and securely deploys a new version of the application (CD). It is a series of steps that developers need to perform to create a new version of an application. Without a CI/CD pipeline, computer engineers would have to do everything manually, resulting in less productivity.

The CI/CD pipeline consists of the following stages:

  1. Source. Developers start running the pipeline by changing the code in the source code repository, through other pipelines, or through automatically scheduled workflows.
  2. Build. The development team builds a runnable instance of the application for end-users.  
  3. Test. Cybersecurity and development teams run automated tests to validate the code’s accuracy and catch bugs. This is where organizations should integrate SAST and SCA scanning.
  4. Deploy. Once the code has been checked for accuracy, the team is ready to deploy it. They can deploy the app in multiple environments, including a staging environment for the product team and a production environment for end-users.

3. Create a Consolidated Workflow with SAST and SCA

Finally, teams can use SAST and SCA together by creating a consolidated workflow.

They can do this by purchasing cutting-edge cybersecurity tools that allow teams to conduct SAST and SCA scanning at the same time and with the same tool. This will help developers and the IT and cybersecurity teams save a lot of time and energy.

Experience the Kiuwan Difference

With so many SAST and SCA tools on the market, it can be challenging for organizations to pick the right tools for their IT environments. This is particularly true if they have limited experience with SAST and SCA tools.

This is where Kiuwan comes in. A global organization that designs tools to help teams spot vulnerabilities, Kiuwan offers Code Security (SAST) as well as Insights Open Source (SCA).

Kiuwan Code Security (SAST) can empower teams to:

  • Scan IT environments and share results in the cloud
  • Spot and remediate vulnerabilities in a collaborative environment
  • Produce tailored reports using industry-standard security ratings so teams can understand risks better
  • Create automatic action plans to manage tech debt and weaknesses
  • Give teams the ability to choose from a set of coding rules to customize the importance of various vulnerabilities for their IT environment

Kiuwan Insights Open Source (SCA) can help companies:

  • Manage and scan open source components 
  • Automate code management so teams can feel confident about using OSS
  • Integrate seamlessly into their current SDLC and toolkit

Interested in learning more about Kiuwan’s products? Get demos of Kiuwan’s security solutions today. Developers will see how easy it is to initiate a scan, navigate our seamless user interface, create a remediation action plan, and manage internal and third-party code risks.

Content provided by Kiuwan. 

The post Combining Static Application Security Testing (SAST) and Software Composition Analysis (SCA) Tools appeared first on SD Times.

A guide to CI/CD tools
https://sdtimes.com/softwaredev/a-guide-to-ci-cd-tools-2/
Fri, 01 Jul 2022 13:00:45 +0000

The following is a listing of CI/CD tool providers, along with a brief description of their offerings. 


CloudBees provides the leading software delivery platform for enterprises, enabling them to continuously innovate in a world powered by the digital experience. CloudBees enables organizations with highly-complex environments to deliver scalable, compliant, governed, and secure software from the code a developer writes to the people who use it. The platform connects with other best-of-breed tools, improves the developer experience, and enables organizations to bring digital innovation to life continuously to unlock business outcomes that create market leaders and disruptors.

Atlassian offers tools like Jira and Trello, which can be used to make project management easier and enable cross-functional collaboration. Its solutions help companies stay on track as they work to deliver products. In addition to its offerings, it also believes that “great teamwork requires more than just great tools.” To that end, it promotes practices like retrospectives, DACI decision-making framework, defining clear roles and responsibilities, and developing objectives and key results (OKRs).

CircleCI is a continuous integration and delivery platform that enables teams to automate their delivery processes. It provides change validation at every step of the process so that developers can have confidence in their code. It also offers flexibility through the abilities to code in any language and utilize thousands of pre-built integrations.

Codefresh is a GitOps-based continuous delivery platform that is built with Argo. It offers benefits like progressive delivery, traceability, integrations with CI tools like Jenkins and GitHub Actions, and a universal dashboard for viewing software deliveries.

Digital.ai’s Deploy and Release products help organizations automate and standardize complex, enterprise-scale application deployments to any environment — from mainframes and middleware to containers and the cloud. Speed up deployments with increased reliability. Enable self-service deployment while maintaining governance and control.

GitLab allows Product, Development, QA, Security, and Operations teams to work concurrently on the same project. GitLab’s built-in continuous integration and continuous deployment offerings enable developers to easily monitor the progress of tests and build pipelines, then deploy with confidence across multiple environments — with minimal human interaction.

HCL Software is a division of HCL Technologies (HCL) that operates its primary software business. We develop, market, sell, and support over 30 product families in the areas of Customer Experience, Digital Solutions, Secure DevOps, Security and Automation. Our mission is to drive ultimate customer success of their IT investments through relentless innovation of our software products.

IBM UrbanCode Deploy accelerates delivery of software change to any platform — from containers on cloud to mainframe in data center. Manage build configurations and build infrastructures at scale. Release interdependent applications with pipelines of pipelines, plan release events, orchestrate simultaneous deployments of multiple applications. Improve DevOps performance with value stream analytics. Use as a stand-alone solution or integrate with other CI/CD tools such as Jenkins.

JFrog’s DevOps platform offers end-to-end management of software development. DevOps teams can control the flow of their binaries from build to production. Its DevOps portfolio includes tools like JFrog Artifactory for artifact management, JFrog XRay for security and compliance scanning, JFrog Distribution for releasing software, and more.

Micro Focus ALM Octane is an enterprise DevOps Agile management solution designed to ensure high-quality app delivery. It includes Agile tools for team collaboration, the ability to scale to enterprise Agile tools, and DevOps management.

Microsoft’s Azure DevOps Services solution is a suite of DevOps tools designed to help teams collaborate to deliver high-quality solutions faster. The solution features Azure Pipelines for CI/CD initiatives; Azure Boards for planning and tracking; Azure Artifacts for creating, hosting and sharing packages; Azure Repos for collaboration; and Azure Test Plans for testing and shipping.

Octopus Deploy is an automated release management tool for modern developers and DevOps teams. Features include the ability to promote releases between environments, repeatable and reliable deployments, ability to simplify the most complicated application deployments, an intuitive and easy-to-use dashboard, and first-class platform support.

Opsera provides continuous orchestration of development pipelines in order to enable companies to deliver software faster, safer, and smarter. Its offerings include automated toolchains, no-code pipelines, and end-to-end visibility.

Planview’s Enterprise Agile Planning solution enables organizations to adopt and embrace Lean-Agile practices, scale Agile beyond teams, practice Agile Program Management, and better connect strategy to Agile team delivery while continuously improving the flow of work and helping them work smarter and deliver faster. With Planview, choose how you want to scale and when. We’ll help you transform and scale Agile on your terms and timeline.

ServiceNow enables companies to do DevOps at scale. Developers are able to keep using the tools they love while still connecting with ServiceNow’s platform. The company enables automation of administrative tasks, while bringing together both ops and dev teams. 

The post A guide to CI/CD tools appeared first on SD Times.

CI/CD pipelines getting wider
https://sdtimes.com/cicd/ci-cd-pipelines-getting-wider/
Fri, 01 Jul 2022 13:00:04 +0000

In the past, the CI/CD pipeline was simply a place to integrate code. Developers would write their code in GitHub, pass it through the pipeline, and then deploy it.

However, with the emergence of shift-left security and newer automation practices, the pipeline has become a much more critical piece of the software delivery lifecycle.

According to Tim Johnson, senior product marketing manager at the DevOps solution provider CloudBees, there are two different aspects to the changes being seen within the pipeline. “One is the extent or breadth of what it does… and the other is the importance of what it does,” he said.

He explained that when the end user’s experience with an organization is primarily determined by the quality of software, delivering that is of the utmost importance.

“So the CI/CD pipeline has become that much more important… it has to work, you have to get the software out the door and so the importance of that has grown and the breadth and complexity of what the pipeline is being called upon to do has also grown significantly,” Johnson said.

He went on to say that while ensuring that features are delivering the expected value continues to be crucial, keeping security and regulatory standards in mind has only grown in importance as the pipeline has evolved.

“The delivery of the software through the pipeline also has to be secure and compliant,” said Johnson. “As well as what it is doing beyond just the simple CI aspect of it. So now you get into things like security and testing automation, software composition analysis, static analysis, dynamic analysis, and all these other things that have to be done to get that software through.”

An end-to-end process

According to Gartner research, security in the CI/CD pipeline needs to be an end-to-end process with certain team members responsible for monitoring potential problem areas in order to ensure code compliance.

This leads to the question of whether or not the software has passed these tests. Johnson explained that in order to deliver secure software through the pipeline, an organization now also has to worry about tracking and evidencing standards and exceptions in order to be sure that drift does not happen.

This increases complexity within the pipeline, because keeping track of who accepts risks and makes changes, as well as the reasons behind these choices, has become paramount to the delivery of secure software.

“And then you can’t just go out and throw a party like ‘we deployed, yay it’s all over’ right? You have to keep track of what is going on in production. So, that requires an integration of not only tools, but teams and responsibilities,” said Johnson.

He also explained that as an organization works towards progressive delivery and looks at more features, micro components, and micro services, having that view into production is no longer a want, but a need.

Complexity in pipeline grows

According to Johnson, the need to make sure that the final product is performing the way it was intended to grows as the level of complexity within the pipeline does.

“The whole thing has gotten so much more complex, and there’s so many more stakeholders involved, and there’s so many more things that have to happen for this to come to market,” he said. “At the same time, the pressure on the market is constantly going up.”

Johnson also mentioned that the consistent strain the market is under has brought rising pressure to deliver to market quickly.

In short, the need to innovate quickly in order to keep up, combined with the complexities being added into the CI/CD pipeline, has caused the software delivery process to change significantly in recent years.

The need for automation

Another change to the CI/CD pipeline is the need for automation. According to Johnson, automation is the essence of repeatability, predictability, and auditability, and in order for automation to work properly, the whole organization has to be on the same page about those principles.

He explained that if there is a disconnect or a lack of proper communication on different organizational processes, automation cannot happen.

“You can automate bits of it and make incremental microcosm improvements and it’ll work a little better, but it’s still not going to be as fast and as responsive as it needs to be,” Johnson said.

He expanded on this saying that any time that there are gaps or missing pieces, more of a burden ends up being placed on the organization’s developers and shared services people to deal with these issues, leading to increased friction and a slowing of velocity.

Additionally, Johnson emphasized that when all of these new elements are done correctly, having them in the pipeline can be an overall positive change.

However, due to the inevitable increase in complexity, the need for every part of the organization to be on the same page has increased tenfold.

As far as the negative components of these additions, Johnson warned that organizations should be prepared for a rise in technical debt.

“Even though you may have your little bit of the world working well, there’s stuff that you haven’t done…and that is compounded by all of the other departments and all of the other stakeholders in the chain and the technical debt that they have yet to deal with,” he said.

On top of that, Johnson said that organizations run the risk of trying to implement these additions too quickly without thinking through how they will function within the context of the rest of the pipeline.

With this, he also mentioned that running a modern CI/CD pipeline requires a fair amount of courage from an organization.

“As problems arise, they need to have the courage to figure out how to deal with those, and not in the classic ‘shoot the messenger’ way. You have to have that culture that we are here to improve things… and it is everybody’s responsibility to pull the chain,” Johnson said.

This courage comes from members of different teams not being afraid to speak up when they notice an issue. According to Johnson, not making problems known is a much bigger time waster than the alternative.

“Even after you’ve detected the problem, there’s this gap until you fix it… do you have mechanisms in place to turn [the broken feature] off or roll it back, and do you have the bravery to do that?” he said.

“You have to have that bravery, because the consequences are so serious for something like that.”

Armory launches Continuous-Deployment-as-a-Service https://sdtimes.com/cicd/armory-launches-continuous-deployment-as-a-service/ Thu, 16 Jun 2022 16:14:19 +0000

Armory announced the general availability of Armory Continuous Deployment-as-a-Service to deliver declarative deployments across multiple environments that support advanced progressive strategies.

“Our goal is to give companies a solution that’s simple to use but will grow with them as complexity increases,” said Jim Douglas, president and CEO of Armory. “The new product enables development teams to confidently deploy their software every time without worrying about reliability and security.”

Armory Continuous Deployment-as-a-Service can act as either a standalone product for cloud-first companies or as an extension of the continuous delivery solution Spinnaker. 

The tool also offers environment-specific controls and advanced deployment strategies such as blue/green and canary to specify how much traffic is exposed to new changes. This enables development teams to automatically and continuously verify a service is healthy before routing all traffic to the new version. 

The marketing analytics company Upwave said that CD solutions were too costly for the small company, but the new Continuous Deployment-as-a-Service greatly improved the company’s scalability. “The main benefit is that we have converged on a simpler model of continuous integration/continuous deployment, enabling us to do more. It’s easier, it’s simpler, and we have more functionality,” said Christopher Baldwin, the chief architect at Upwave. “Simply put, it raises the bar for quality across our engineering organization as a whole. Isn’t that part of the software development dream?”

Mattermost 7.0 launched with custom apps and integrations https://sdtimes.com/api/mattermost-7-0-launched-with-custom-apps-and-integrations/ Wed, 15 Jun 2022 14:39:20 +0000

Mattermost 7.0 offers users the ability to develop custom apps and integrations so that users can communicate securely with native voice calls and screen sharing. Users can also leverage out-of-the-box workflow templates to improve technical team productivity and operations. 

The Mattermost developer collaboration platform now features enhanced capabilities to enable real-time collaboration for critical developer use cases such as operating incident response war rooms, providing documented processes and communication lines to technical teams during outages, and supporting agile, CI/CD, and DevOps release methodologies. 

“As organizations look to accelerate efficiency within their R&D teams, we believe open-source platforms like Mattermost will increasingly be preferred by developers and C-level executives alike as they enable the security, customization, and flexibility that the modern enterprise requires,” said Ian Tien, CEO and co-founder of Mattermost.

Mattermost 7.0 includes Calls, which offers a secure option for team communication to group conversations. Calls is a solution developed for public sector organizations, SecOps teams, and security professionals that require real-time “war rooms,” according to the company. 

Another feature is the Apps Framework, which abstracts away the complexity of writing directly to the Mattermost API. It enables engineers to quickly develop integrations or apps in any language that supports HTTP and then quickly deploy their creations with serverless hosting.

Team workflow templates are designed to help orchestrate R&D team operations and processes, and they can be customized and tailored to specific team operations.

Mattermost 7.0 also includes features designed to support team productivity, including Collapsed Reply Threads and Advanced Message Formatting. 
