DevSecOps Archives - SD Times
https://sdtimes.com/tag/devsecops/
Software Development News
Fri, 27 Jan 2023 18:25:25 +0000

Tackling today’s software supply chain issues with DevOps-centric security
https://sdtimes.com/security/tackling-todays-software-supply-chain-issues-with-devops-centric-security/
Fri, 27 Jan 2023 18:25:25 +0000

Developers, and the software they develop, are the most popular attack vector for today’s hackers and bad actors. The many development tools and processes, not to mention thousands of open-source libraries and binaries, all introduce opportunities for malicious or even accidental injection of risk across the entire software supply chain. In response to this expanding threat landscape, developers, security leaders, and operations teams are struggling to find a more effective way to secure their software ecosystem.

Increasingly, organizations are adopting DevSecOps, which focuses on “shift left” security, the idea of introducing security practices earlier in the software development life cycle. Practically speaking, however, DevSecOps is more of an overall strategy or approach, rather than a concrete set of responsibilities assigned to a specific group or individual.  DevSecOps  is best used to define how an organization addresses product security, or establish a cultural and technical “shift left” within the integrated development environment. It can also provide an organizational framework to address security efforts between compliance, security and development teams.

The reality, however, is that while both security and development teams are committed to fortifying the business, collaboration between the two groups can be challenging.  A company’s security teams are tasked to do whatever it takes to secure the business, while developers prefer to write quality code instead of spending their day fixing vulnerabilities.

It is the DevOps team that in fact owns the specific responsibilities, tasks and budget needed to secure the software supply chain.

Defining DevOps-Centric security

As the name implies, DevOps teams manage the operational side of software development and are responsible for each step of the software development life cycle (SDLC).  While security teams set policies and development teams write code, DevOps teams manage the SDLC workflow. They are the actual owners of the software supply chain.

DevOps teams are also the logical owners for software supply chain security.  DevOps teams have the resources, skills and accountability to identify and address security issues across the entire DevOps workflow, from development to runtime to deployment. DevOps teams are involved in every step of the software development process, so they’re ideally suited to serve as a bridge between security teams, responsible for compliance and business requirements, and development teams, which can get overwhelmed with security requests, processes and regulations that are not their core competency.

DevOps-centric security delivers an end-to-end view of an organization’s software supply chain and flags a multitude of vulnerabilities and weaknesses such as CVEs, configuration issues, secrets exposure, and infrastructure-as-code violations. It also suggests remediation strategies at each stage of the software development life cycle, from code to container, to device.

How does DevOps-Centric security work?

A DevOps-centric approach to security builds on the rigorous process and continuous, automated testing that’s the hallmark of all DevOps teams. More importantly, it guides organizations with a clear understanding of each vulnerability and suggests actions to efficiently fix the issues.

Focus on binaries as well as source code

The modern software supply chain has just one core asset that is delivered into production: the software binary, which takes many forms – from package, to container, to archive file.  Attackers are increasingly focusing on attacking binaries, as they contain more information than source code alone. By analyzing the binary as well as the source code, DevOps teams can provide a more complete picture of any impact or point of exploitation. This helps eliminate complexity and streamlines security detection, assessment, and remediation efforts.

Contextual analysis: Determining which vulnerabilities, weaknesses, and exposures need remediation and the most cost-effective way to do it

Serious vulnerabilities are being identified daily through the efforts of researchers and bug bounty programs.  Yet these CVEs may or may not be exploitable, depending on factors such as the application’s configurations, use of authentication mechanisms, and exposure of keys. DevOps-centric security looks at the context in which software is operating to prioritize and recommend how to remediate vulnerabilities quickly and effectively, without wasting developers’ time on non-applicable issues.  It’s particularly important to be able to scan and analyze containers for open-source vulnerabilities, since the use of containers to hide malicious code is now on the rise.

Providing a holistic view of the software supply chain

Through their involvement in each step of the software development process, DevOps teams offer a holistic view of a company’s software supply chain and all its weaknesses. DevOps-centric security analyzes binaries, infrastructure, integrations, releases, and flows all in one place, eliminating the confusion of disparate security systems with varying or limited information, and inconsistent reporting. Thus, when you implement security using DevOps processes, you not only scan to identify problems within the software, but also help developers prioritize and fix them quickly and easily.

The post Tackling today’s software supply chain issues with DevOps-centric security appeared first on SD Times.

GitLab Dedicated serves as single-tenant SaaS solution
https://sdtimes.com/security/gitlab-dedicated-serves-as-single-tenant-saas-solution/
Thu, 01 Dec 2022 17:54:36 +0000

GitLab announced limited availability of GitLab Dedicated, a platform for securely and privately hosting and managing GitLab instances, which makes the company’s DevSecOps platform available as a single-tenant SaaS solution.

It provides advanced features such as automated backups, high availability, and automation of operations. It also offers a managed environment for hosting and managing Kubernetes clusters.

GitLab Dedicated can serve as an enterprise DevSecOps platform with an added focus on data residency, isolation, and private networking to meet compliance needs, according to the company in a blog post. This need is prevalent among large enterprises and companies in regulated industries. Organizations can choose cloud regions that suit them and their regional requirements.

“GitLab Dedicated is not only single-tenant, region-based, and privately connected, but it’s also managed and hosted by GitLab and deployed in the customer’s cloud region of choice. Organizations can quickly realize the value of a DevSecOps platform without requiring staff to build out and manage infrastructure,” David DeSanto, VP of product at GitLab, wrote in the blog. “Organizations get all of the benefits of GitLab — shorter cycle times, lower costs, stronger security and more productive developers — with lower total cost of ownership and quicker time to value than hosting themselves.”

As GitLab scales this new offering, it is making GitLab Dedicated available by inviting customers to join the waitlist.

The post GitLab Dedicated serves as single-tenant SaaS solution appeared first on SD Times.

Snyk announces updates to its Developer Security Platform
https://sdtimes.com/security/snyk-announces-updates-to-its-developer-security-platform/
Fri, 11 Nov 2022 16:41:12 +0000

Snyk announced many innovations that extend the scope of the company’s Developer Security Platform during its SnykLaunch Fall 2022 event.

This includes the general availability of Snyk Cloud, which offers tools to help fix software vulnerabilities such as a vulnerability scanner and a patch management system that was launched in July 2022 with limited availability. 

The innovations also include capabilities that can secure the software supply chain (SSC) such as the ability to simplify emerging requirements around SBOMs and improved reporting features that allow for greater visibility and governance for developer security programs. 

The new SBOM features include an API and CLI that generate SBOMs, scan standard SBOMs to identify security vulnerabilities for free, and scan SBOMs with the open-source application Bomber and then test them using the Snyk Vulnerability Database.

“Snyk was founded on the belief that the developers building our collective future should also be empowered and equipped to secure it,” said Adi Sharabani, the chief technology officer at Snyk. “We’re proud to share today’s latest significant developments to help our global customers continue their pace of innovation securely.”

Snyk also announced that it is committed to driving DevSecOps success and introduced two new offerings as part of the asset collection Snyk Learn: Snyk Accelerate as a 90-day installation and best practice review and Snyk Premium, a high-touch service bundle. 

The post Snyk announces updates to its Developer Security Platform appeared first on SD Times.

Ox Security emerges from stealth with $34M to provide end-to-end software supply chain security
https://sdtimes.com/supply-chain-security/ox-security-emerges-from-stealth-with-34m-to-provide-end-to-end-software-supply-chain-security/
Thu, 29 Sep 2022 20:10:05 +0000

Tel Aviv, Israel, September 29, 2022 — Ox Security, the end-to-end software supply chain security platform for DevSecOps, exited stealth today with $34M in funding led by Evolution Equity Partners, Team8, and M12, Microsoft’s venture fund, with participation from Rain Capital. OX was founded less than a year ago by Neatsun Ziv and Lior Arzi, two top Check Point executives. Its platform is already used by over 30 leading companies to secure their software supply chains, including Kaltura and Bloomreach.

The rise in software supply chain attacks, like the SolarWinds hack, prompted last year’s executive order requiring vendors to provide a software bill of materials (SBOM). This software “ingredients list” can help security teams understand if a newly disclosed vulnerability impacts them. However, industry experts caution that it isn’t comprehensive enough to prevent attacks or address the challenges of securing today’s dynamic software supply chains.

“The introduction of SBOM is an important step, however, it isn’t sufficient to ensure the security and integrity of software supply chains,” said Admiral Mike Rogers, former director of the NSA. “Recent high-profile breaches — like those that affected SolarWinds, Codecov and Log4j — could not have been detected or prevented with the static list of software components contained in an SBOM. There’s a real risk of providing a false sense of protection by having a standard for compliance that does not equate to security.”

To address these issues, OX is developing a new open standard, PBOM, in collaboration with leading cybersecurity-conscious companies. The Pipeline Bill of Materials (PBOM) includes within it the SBOM but goes further, covering not only the code in the final product but also the procedures and processes that impacted the software throughout its development. OX and its partners undertook extensive research on the root causes of more than 70 attacks from the past year. They specifically designed the PBOM to contain the information that would have been needed to prevent each of the recent attacks.

OX’s platform is the first product using the PBOM standard to provide end-to-end software supply chain security, allowing it to cover every step of the development pipeline, from the earliest planning stages until deployment to production. OX seamlessly integrates with existing tools and infrastructure to monitor and record every action affecting software throughout the entire development lifecycle. It gives security and DevOps teams complete visibility and control over the attack surface, including source code, pipeline, artifacts, container images, runtime assets, and applications.

“Developers and DevOps make constant changes to the software supply chain, adding new tools, open source components and SaaS services,” said Neatsun Ziv, OX’s CEO and co-founder. “The OX platform gives DevSecOps teams real-time, end-to-end visibility into all aspects that impact software through the entire pipeline, so they have the necessary context and control to ensure security.”

OX connects to an organization’s code repository and performs a scan of the environment from code to cloud, to automatically produce a full mapping of assets, apps and pipelines. OX identifies which security tools are in use, verifies they’re all connected and operational, and determines if additional tools are necessary. Following the scan, OX presents any security issues that were found, prioritized by their business impact, alongside context, automated fixes and recommendations, empowering DevSecOps teams to tackle their cybersecurity backlog. A PBOM, which includes an SBOM, version lineage, SaaSBOM, build hashes and more, can be automatically generated and shared with internal stakeholders or customers, so they in turn can verify that the software they use is derived from trusted, secure builds.

“Ox Security is tackling a critical challenge facing companies today, and is uniquely positioned to become a leader in its space,” said Nadav Zafrir, Managing Partner at Team8 Group and former head of Israel’s elite intelligence Unit 8200. “We are thrilled to join forces with Neatsun and Lior. The ground-breaking PBOM standard enables OX’s platform to provide unparalleled security coverage and I have no doubt that PBOM will be widely adopted across the industry.”

Additional quotes:

“Supply chain attacks are on the rise, and the attack surface is growing,” said Mony Hassid, Managing Partner at M12, Microsoft’s venture fund. “When it comes to software security and integrity, you have to look beyond which components were used and consider the overall security posture throughout the development process. Ox Security is pioneering a standard that will be transformative for supply chain security. We’re proud to work with OX to improve software security.”

“The cybersecurity industry has been playing catch-up so far by pursuing a never-ending process of patching production environments and chasing alerts, issues and fixes,” said Karthik Subramanian, General Partner at Evolution Equity Partners. “OX’s groundbreaking approach brings control back to DevSecOps teams by providing visibility and complete control over an organization’s code. The level of innovation in OX’s platform is truly remarkable and provides value to everyone in an organization — from developers to DevSecOps teams to executives.”

“I believe the PBOM standard will reverse the tide,” said Mario Duarte, Vice-President of Security at Snowflake. “I am proud to take part in a project that can have such a major impact on the future security landscape, and to share our knowledge and expertise.”

“OX is truly changing how software supply chains are protected, ensuring that all code comes from secure and trusted builds,” said Naor Penso, Senior Director of Product Security at leading applied analytics company FICO. “The OX platform prevents software supply chain attacks while accelerating and streamlining development. The PBOM framework created by OX expands the traditional SBOM with contextual knowledge and true end-to-end lineage that drives assurance in software security across its entire life-cycle.”

The post Ox Security emerges from stealth with $34M to provide end-to-end software supply chain security appeared first on SD Times.

CloudBees acquires ReleaseIQ to expand DevSecOps offerings
https://sdtimes.com/devops/cloudbees-acquires-releaseiq-to-expand-devsecops-offerings/
Wed, 28 Sep 2022 15:49:34 +0000

CloudBees acquired the ReleaseIQ DevOps Platform to expand the company’s DevSecOps capabilities and to empower customers with a low-code, end-to-end release orchestration and visibility solution.

The SaaS offering enables DevOps organizations to compose and analyze workflows, and also orchestrate a combination of CI/CD technologies including Jenkins without the need to migrate or replace. 

“The decision to acquire ReleaseIQ was rooted in three core beliefs: choice, visibility and continuous value,” said Anuj Kapur, president and CEO at CloudBees. “First, businesses need to empower developers by providing a choice of tools versus forcing a toolset. Second, as DevSecOps matures, it is no longer acceptable to have a limited view of your software delivery ecosystem. And lastly, the future of business is rooted in the ability to continuously deliver innovation to the customers you serve.”

The new capability enables teams to coordinate coherent, effective deployments and releases across teams, applications and environments. 

The pipeline coordinator is compatible with most CI technologies including CloudBees CI, Jenkins, CircleCI, GitLab, and Bamboo, as well as CD technologies such as ArgoCD or homegrown deployment tools.

The post CloudBees acquires ReleaseIQ to expand DevSecOps offerings appeared first on SD Times.

Traceable AI introduces API Security Testing
https://sdtimes.com/security/traceable-ai-introduces-api-security-testing/
Wed, 31 Aug 2022 17:15:55 +0000

The API security and observability company, Traceable AI, today announced that its API Security Testing solution in its API Security Platform is now generally available. This allows users to test any API in pre-production for vulnerabilities, accuracy, reliability, and security.

According to the company, this release ensures that all APIs are aligned with the highest security standards and reinforces the commitment to helping businesses reach the optimal level of API security all throughout the software development lifecycle. 

“Because of our comprehensive approach to API security, the testing component was the logical evolution. It is key to enable development teams to identify security weaknesses and vulnerabilities in the build itself, in addition to the capability of providing runtime insights back to development teams, so they can further harden their APIs,” said Sanjay Nagaraj, CTO of Traceable AI. “It’s an important step to enable teams to seamlessly fit API security testing into their development cycles. It is based on a simple logic: prevent breaches by eliminating the flaws at the very beginning.”

The API Security Testing offering also supports shift left initiatives by providing remediation insights from runtime back to development so that developers have the ability to further harden their APIs.

Additionally, it is fully API focused and offers organizations complete vulnerability analysis that leverages both functional testing and API DNA and user attribution for improved detection and coverage.

According to Traceable AI, its DevSecOps focus also allows companies to identify any API security gaps between production and pre-production, quickly perform scans for actionable results in CI/CD pipelines, scan at a granularity from pull requests with API spec changes, and utilize integrations with application security tools.

To learn more, visit the website.

The post Traceable AI introduces API Security Testing appeared first on SD Times.

Copado introduces new DevSecOps training module
https://sdtimes.com/security/copado-introduces-new-devsecops-training-module/
Tue, 30 Aug 2022 18:06:50 +0000

Copado, the low-code DevOps company, today launched a new DevSecOps training module in order to make software releases faster and more secure. The module is currently available in the Copado Community.

“Without DevSecOps best practices, software releases can be plagued with quality and security issues, costing more time and money post-production to correct them,” said Pat McQueen, senior vice president of customer success & global services at Copado. “To address this growing need for DevSecOps skill sets, Copado is offering self-paced online training to upskill DevOps professionals, administrators, developers and architects. Our community can help jumpstart a new career path or level up your current path by unlocking your full potential.”

According to the company, this new module is designed with the intention of shortening release cycles and making them more secure and resilient. 

It explains how to integrate compliance, security, and testing into a DevOps pipeline so that cybersecurity architects do not have to manually maintain the security consoles and additional configurations in the application.

Additionally, the module emphasizes the importance of security and compliance for an organization, identifies DevSecOps best practices, and explains how to build a successful DevSecOps strategy and culture. 

“DevOps and DevSecOps are extremely fractured markets when it comes to tools: there are literally thousands of products that are involved in building resilient pipelines,” said Daniel Riedel, senior vice president of strategic services for Copado. “As the industry matures, value stream management will help bring observability to the process. Creating an interoperability standard now will ensure that organizations can rely on cohesiveness in tool integration. Interoperability will provide the transparency to ensure a stronger, more resilient infrastructure for customers and employees.”

For more information, visit the website.

The post Copado introduces new DevSecOps training module appeared first on SD Times.

Checkmarx API Security released to shift API security left
https://sdtimes.com/security/checkmarx-api-security-released-to-shift-api-security-left/
Wed, 10 Aug 2022 16:59:57 +0000

Checkmarx API Security was launched to empower the partnership between the developer and AppSec teams of an organization and is delivered as part of the Checkmarx One application security platform.

Because APIs are used to access data and to call application functionality, they are easily exposed but difficult to defend, which creates a large and growing attack surface, according to the company.

“Attacks on applications are shifting to focus on APIs, and the pace of attacks is increasing. API abuses and exploits are a common attack category that can result in data breaches. DevSecOps teams are focusing attention on the need for improved API testing in development. To identify the optimal approach to API testing, they are looking to a mix of traditional tools (such as static AST [SAST] and dynamic AST [DAST]) and emerging solutions focused specifically on the requirements of APIs,” according to Gartner’s Hype Cycle for Application Security 2022 report. 

Checkmarx API Security offers the automatic identification of API endpoints without requiring API definition or registration, the ability to discover newly created or updated APIs as the source code is checked in or compiled by developers, unknown API identification, API-centric remediation, and a single application security testing solution for the entire application. 

The platform provides AppSec teams with an up-to-date view into their entire API attack surface, eliminating the problem of shadow and zombie APIs, according to Checkmarx.

Additional details on the new platform are available here.

The post Checkmarx API Security released to shift API security left appeared first on SD Times.

Snyk introduces new cloud security solution
https://sdtimes.com/security/snyk-introduces-new-cloud-security-solution/
Tue, 26 Jul 2022 16:22:49 +0000

The developer security company, Snyk, today announced the launch of its comprehensive cloud security solution, Snyk Cloud. This extends the company’s existing developer security platform, enabling more organizations to embrace DevSecOps and facilitate collaboration between developers, operations, security, and compliance teams.

According to Snyk, this release allows global developers to take full ownership of their infrastructure while their security counterparts can define and operate a consistent cloud security posture spanning the whole software development lifecycle. 

“Our global customers have witnessed firsthand how previous cybersecurity tenets have evolved profoundly, with cloud infrastructure now changing just as fast as the apps themselves. They’re eager for one comprehensive solution that provides a truly complete cloud picture, driving DevSecOps by enhancing developer productivity securely,” said Adi Sharabani, CTO at Snyk. “We’re incredibly proud to reveal this industry gamechanger, Snyk Cloud, the first developer security product designed for the cloud era in order to address every important stage of a modern app’s life today from development through to production.”

Snyk Cloud offers users the benefit of a unified platform and policy engine that equips them to manufacture secure deployments via a feedback loop running from code to cloud and back to code. 

This works to secure the user’s cloud before deployment as well as to maintain its secure integrity while running. It also assesses and prioritizes the precise locations to provide fixes back in the code.

“Snyk’s developer-first approach disrupted the application security industry and we’re now aiming to apply many of those lessons learned to the fastest growing segment of cybersecurity today: cloud security,” said Peter McKay, CEO of Snyk. “Predicted to be worth $77.5 billion by 2026[1], this is an area ripe for change. Today’s news represents another important milestone for the developer security movement, and we look forward to the industry’s response to our vision of uniting AppSec and CloudSec teams to secure today’s apps more efficiently.”

To learn more, visit the website.

The post Snyk introduces new cloud security solution appeared first on SD Times.

New study shows 20x increase in security scan cadence
https://sdtimes.com/security/new-study-shows-20x-increase-in-security-scan-cadence/
Tue, 22 Feb 2022 18:21:04 +0000

As security continues to shift left and DevSecOps efforts expand, software security best practices are rapidly evolving. The State of Software Security Report, conducted by the application security company Veracode, showed that on average, organizations are running scans on their apps 20 times more than they were just 10 years ago. With this, the report also revealed that scan frequency has seen a dramatic increase, with developers now testing more than 17 new applications per quarter, more than triple what was reported for the same period a decade ago.

“Part of this is due to the speed of innovation that has happened in the past few years. More and more software is being written and organizations are realizing that there’s a bit of exposure there. There’s more customer data being put into those things and the business is being driven by these applications so it’s important to make sure that they’re secure,” said Chris Eng, chief research officer at Veracode.

Additionally, there has been a 31% increase in the use of multiple security scan types between 2018 and 2021, with the majority of developers choosing to utilize a combination of static, dynamic, and SCA scans. The study found that organizations that used both dynamic and static scanning were able to remediate 50% of flaws 24 days faster on average. Add SCA scanning to that and it shaves off another 6 days. 

Veracode’s report also showed that organizations that invest in hands-on security training early on have a strong advantage over those that don’t. According to the study, companies with this kind of training in place fixed flaws 35% faster than those without. 

The report also showed that in 2018, about 20% of apps were operating using multiple languages, but this number dipped to just 5% in 2021. “The composition of applications has changed pretty significantly over the past few years, going from a lot more multi-language applications to that just kind of petering out a little bit, and it coincides with increasing developer interest in microservices so it was kind of cool to see that trend,” Eng said.

Another section of the report focused heavily on the use of open-source libraries and third-party code and the way they are being leveraged by different organizations. It revealed that most of the code in Java applications comes from third parties, and Java continues to push further in that direction. It was also reported that .NET experienced an unexpected upward shift in the percentage of third-party code in its applications; this happened around the release of .NET 5 and resulted in a sharp increase in the use of third-party code.

Additionally, the report reinforced the findings of previous studies that stated that developers tend to stick to the libraries they know and love rather than bouncing around and refactoring their code base in order to switch to the newest or “most popular” libraries.

The post New study shows 20x increase in security scan cadence appeared first on SD Times.
