Security needs to be top-of-mind when writing and deploying software. It can’t be sacrificed on the altar of faster delivery or other priorities. But not every DevSecOps tool will be the right fit for your unique circumstances.
Tech leaders in 2022 need to understand the primary criteria for evaluating DevSecOps tools, based on attributes or capabilities that some vendors offer and others do not. These criteria should be the basis on which organizations decide which solutions to adopt for their particular needs.
The six key criteria to consider are:
Application hardening
Repository-level protection
Environment security
Application profiling for architectural security
SOAR and SIEM integration
Integration with development planning tools
Let’s dive into what each aspect means.
Application hardening
Tools can identify areas of weakness in the code and address them directly, without manual intervention. This criterion may include features for identifying and removing unnecessary code or software packages, removing sample or default sensitive files, disabling unused software features, and identifying possible attack points in the code.
Repository-level protection
The code itself requires IP protection and privacy so that, for example, it can’t be scanned for weaknesses by a third party or accessed by unapproved users or third-party integrations. Sensitive information must be removed automatically from the repository and integrated into secret management solutions. Artifact repositories should be able to verify compliance with a secure software supply chain strategy to prevent unapproved or unknown software components from entering the environment. This task includes code signing, image/artifact signing and regular scanning of artifacts obtained from third-party software.
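As an added illustration of the repository-level checks described above (example code written for this page, not code from the article, from GigaOm, or from any vendor product), the Python below scans constructed file contents for secret material that belongs in a secret manager rather than the repository, and enforces a digest allowlist for a third-party artifact. The digest allowlist stands in for the signature verification a real supply-chain tool would perform; the regular expressions (apart from the publicly documented AWS access-key-ID shape), the file contents and the allowlist are assumptions made for the example.

```python
"""Added example (not from the original article or the GigaOm report):
a minimal repository-protection check that (a) scans file contents for
secret material that should live in a secret manager instead of the repo,
and (b) enforces a supply-chain allowlist by refusing any third-party
artifact whose SHA-256 digest is not on the approved list.
All file contents and digests below are constructed sample data."""
import hashlib
import re

# Patterns for common secret material. The AWS access-key-ID shape is
# publicly documented; the other two are generic heuristics (assumptions).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    # No leading \b: identifiers like DB_PASSWORD must still match.
    "hardcoded_password": re.compile(
        r"(?i)(password|passwd|secret)\b\s*[:=]\s*['\"][^'\"]{6,}['\"]"),
}


def scan_for_secrets(files):
    """Return findings as (path, line_number, pattern_name) tuples."""
    findings = []
    for path, content in files.items():
        for lineno, line in enumerate(content.splitlines(), start=1):
            for name, pattern in SECRET_PATTERNS.items():
                if pattern.search(line):
                    findings.append((path, lineno, name))
    return findings


def verify_artifact(name, data, approved_digests):
    """Accept a third-party artifact only if its SHA-256 is allowlisted.
    Returns (ok, digest). A mismatch means the component is unknown or
    altered and must not enter the environment."""
    digest = hashlib.sha256(data).hexdigest()
    return digest == approved_digests.get(name), digest


# Constructed sample repository contents.
SAMPLE_REPO = {
    "app/config.py": (
        "DB_HOST = 'db.internal'\n"
        "DB_PASSWORD = 'hunter2-not-really'\n"   # hard-coded credential
        "AWS_ACCESS_KEY_ID = 'AKIAABCDEFGHIJKLMNOP'\n"
    ),
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA...\n",
    "README.md": "# Service\nSet DB_PASSWORD via the secret manager.\n",
}

# Constructed artifact and allowlist: the digest of the approved build is
# recorded once; a tampered copy will not match it.
APPROVED_ARTIFACT = b"approved-library-v1.2.3-contents"
APPROVED_DIGESTS = {
    "library.tar.gz": hashlib.sha256(APPROVED_ARTIFACT).hexdigest()}


def run_checks():
    """Run both checks over the constructed data and return the results."""
    secrets = scan_for_secrets(SAMPLE_REPO)
    ok_good, _ = verify_artifact(
        "library.tar.gz", APPROVED_ARTIFACT, APPROVED_DIGESTS)
    ok_bad, _ = verify_artifact(
        "library.tar.gz", APPROVED_ARTIFACT + b"X", APPROVED_DIGESTS)
    return secrets, ok_good, ok_bad


if __name__ == "__main__":
    found, accepted, tampered_accepted = run_checks()
    for path, lineno, name in found:
        print(f"{path}:{lineno}: {name}")
    print("approved artifact accepted:", accepted)
    print("tampered artifact accepted:", tampered_accepted)
```

In a pipeline, `scan_for_secrets` would run as a pre-commit or pre-merge gate and `verify_artifact` at the point where a dependency or image is pulled into the build; a finding from either should fail the step rather than merely warn.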
Environment security
Tools can offer guidance, scanning, best practices and guardrails for target cloud and on-prem environments, such as AWS and ESXi. With this information, engineers will understand what vulnerabilities they may face before deploying an application to production, and ideally several stages before production.
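To make the idea of pre-deployment guardrails concrete, here is an added example (written for this page, not taken from the article or from any product) of a small policy-as-code check run over a constructed description of a cloud environment. The rule set, the configuration shape and the sample environment are assumptions for illustration; a real tool would read provider APIs or infrastructure-as-code files instead.

```python
"""Added example (not from the original article): a policy-as-code
guardrail that evaluates constructed cloud configuration before deployment.
The rule set and the configuration shape are assumptions for illustration."""
import ipaddress

# Ports that should never be reachable from the whole internet (assumption).
ADMIN_PORTS = {22, 3389, 3306, 5432}


def _is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. any source address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_security_group(sg):
    """Flag ingress rules that expose admin ports to the whole internet."""
    findings = []
    for rule in sg.get("ingress", []):
        ports = range(rule["from_port"], rule["to_port"] + 1)
        if _is_world_open(rule["cidr"]) and any(p in ADMIN_PORTS for p in ports):
            findings.append(
                f"{sg['name']}: ports {rule['from_port']}-{rule['to_port']} "
                f"open to {rule['cidr']}")
    return findings


def check_bucket(bucket):
    """Flag public buckets and buckets without encryption at rest."""
    findings = []
    if bucket.get("public_access"):
        findings.append(f"{bucket['name']}: public access enabled")
    if not bucket.get("encryption_at_rest"):
        findings.append(f"{bucket['name']}: no encryption at rest")
    return findings


def evaluate(environment):
    """Run every guardrail over an environment description and return the
    findings; an empty list means the environment passes."""
    findings = []
    for sg in environment.get("security_groups", []):
        findings.extend(check_security_group(sg))
    for bucket in environment.get("buckets", []):
        findings.extend(check_bucket(bucket))
    return findings


# Constructed staging environment: one safe and one unsafe item of each kind.
SAMPLE_ENV = {
    "security_groups": [
        {"name": "web", "ingress": [
            {"from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"}]},
        {"name": "bastion", "ingress": [
            {"from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},
            {"from_port": 22, "to_port": 22, "cidr": "10.0.0.0/8"}]},
    ],
    "buckets": [
        {"name": "logs", "public_access": False, "encryption_at_rest": True},
        {"name": "exports", "public_access": True, "encryption_at_rest": False},
    ],
}

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_ENV):
        print("FAIL:", finding)
```

Running `evaluate` in the CI stage that plans the deployment, rather than after the fact in production, is what gives engineers the "several stages before production" visibility the criterion asks for; the corrected bastion rule (the `10.0.0.0/8` entry) produces no finding, while the world-open one does.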
Application profiling for architectural security
Beyond development, tools should offer support for safeguards such as microsegmentation and container protection. Identifying the expected behavior of an application helps ensure a secure runtime environment while also identifying unexpected changes across releases.
SOAR and SIEM integration
Tools should integrate with operational monitoring, reporting and feedback. Events and logs must be shipped in real time as a continuous feed that can be integrated into existing SOC workflows.
Integration with development planning tools
Development teams require a quick way to prioritize tasks. Security-related issues should be identified automatically and added to development planning tools such as Jira, GitHub Issues and the like.
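The two integration criteria above (SOAR/SIEM feeds and planning-tool tickets) share one problem: the same finding must keep the same identity across scans so that it neither floods the SIEM nor opens a new ticket every run. The added example below (written for this page, not code from the article or from any SIEM or tracker vendor) shows one way to do that with a stable fingerprint, then emits line-delimited JSON events for a log shipper and prioritized work items for a planning tool. The finding format, event schema and severity-to-priority mapping are assumptions; the findings are constructed sample data.

```python
"""Added example (not from the original article): turning scanner findings
into (a) newline-delimited JSON events for a SIEM/SOAR pipeline and
(b) de-duplicated work items for a planning tool. The finding format, the
event schema and the priority mapping are assumptions for illustration."""
import hashlib
import json

SEVERITY_TO_PRIORITY = {"critical": "P0", "high": "P1", "medium": "P2", "low": "P3"}


def fingerprint(finding):
    """Stable identity for a finding so re-runs update rather than duplicate
    tickets: rule + file + matched content, but not the line number, which
    shifts on every unrelated edit."""
    key = "|".join([finding["rule"], finding["path"], finding["match"]])
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def to_siem_events(findings, scan_id):
    """One JSON object per finding, line-delimited, ready for a log shipper."""
    lines = []
    for f in findings:
        event = {
            "event_type": "devsecops.finding",   # assumed event name
            "scan_id": scan_id,
            "fingerprint": fingerprint(f),
            "severity": f["severity"],
            "rule": f["rule"],
            "path": f["path"],
            "line": f["line"],
        }
        lines.append(json.dumps(event, sort_keys=True))
    return "\n".join(lines)


def to_work_items(findings, existing_fingerprints):
    """Create one work item per new fingerprint, most severe first; findings
    already tracked (or repeated within this scan) are skipped."""
    items = []
    seen = set(existing_fingerprints)
    for f in sorted(findings, key=lambda x: SEVERITY_TO_PRIORITY[x["severity"]]):
        fp = fingerprint(f)
        if fp in seen:
            continue
        seen.add(fp)
        items.append({
            "title": f"[{f['severity'].upper()}] {f['rule']} in {f['path']}",
            "priority": SEVERITY_TO_PRIORITY[f["severity"]],
            "labels": ["security", f["rule"]],
            "fingerprint": fp,
        })
    return items


# Constructed findings; the third is the first one after the file was edited,
# so it must not open a second ticket.
SAMPLE_FINDINGS = [
    {"rule": "hardcoded-secret", "path": "app/config.py", "line": 2,
     "match": "DB_PASSWORD", "severity": "high"},
    {"rule": "sql-injection", "path": "app/db.py", "line": 40,
     "match": "cursor.execute(query % user)", "severity": "critical"},
    {"rule": "hardcoded-secret", "path": "app/config.py", "line": 9,
     "match": "DB_PASSWORD", "severity": "high"},
]

if __name__ == "__main__":
    print(to_siem_events(SAMPLE_FINDINGS, "scan-001"))
    for item in to_work_items(SAMPLE_FINDINGS, existing_fingerprints=[]):
        print(item["priority"], item["title"])
```

The fingerprint is the piece that matters for both consumers: the SIEM can correlate events for the same weakness across scans, and the planning tool receives one item per real problem instead of one per run or per line shift.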
Finally, key emerging capabilities need to be considered. We expect the following technologies to become widely relevant over the next year or two:
Automated and codified cloud development environments
Machine learning/AI-driven insights
Auto-remediation within GitOps models
Automated and codified cloud development environments
Cloud development environments enable organizations to control the location where their source code lives and to automate the installation of development tools and configurations. These capabilities speed up the developer onboarding process and lower the risks associated with misconfigured development environments or source code leakage.
Machine learning/AI-driven insights
Still at a relatively early stage, machine learning and AI technologies are being applied to recommend improvements to existing source code and to provide recommendations for new code. These capabilities free up valuable developer time and will extend naturally into the security space by checking that written code aligns with organizational security policies.
Auto-remediation within GitOps models
Remediation recommendations will transition into automatic application patching within the new GitOps operations models. In this manner, remediations can be tested and validated automatically with little or no involvement required from the developer.
When evaluating DevSecOps tools for your organization, take these key criteria into account before investing, so that you do not commit to vendors that cannot satisfy your foundational needs.
Next Steps
To learn more about Key Criteria for Evaluating DevSecOps Tools, download our GigaOm partnered report.
About GigaOm
GigaOm democratizes access to strategic, engineering-led technology research. We enable businesses to innovate at the speed of the market by helping them to grasp new technologies, upskill teams, and provide strategic sales training and advisory services to navigate opportunities and challenges. The GigaOm e-learning platform changes the game by unlocking deep technical insight and making upskilling teams accessible to all.