
6 key criteria for choosing DevSecOps Tools in 2022

June 15, 2022

Security needs to be top-of-mind when writing and deploying software. It can’t be sacrificed on the altar of faster delivery or other priorities. But not every DevSecOps tool will be the right fit for your unique circumstances.

Tech leaders in 2022 need to understand the primary criteria for evaluating DevSecOps tools, based on attributes or capabilities that some vendors offer and others do not. These criteria should be the basis on which organizations decide which solutions to adopt for their particular needs.

The six key criteria to consider are:

  1. Application hardening

  2. Repository-level protection

  3. Environment security

  4. Application profiling for architectural security

  5. SOAR and SIEM integration

  6. Integration with development planning tools

Let’s dive into what each aspect means.

Application hardening

Tools can identify areas of weakness in the code and address them directly, without manual intervention. This criterion may include features for identifying and removing unnecessary code or software packages, removing sample or default sensitive files, disabling unused software features, or identifying possible attack points in the code.

Repository-level protection

The code itself requires IP protection and privacy so that, for example, it can’t be scanned for weaknesses by a third party or accessed by unapproved users or third-party integrations. Sensitive information must be removed automatically from the repository and moved into secret management solutions. Artifact repositories should be able to verify compliance with a secure software supply chain strategy, preventing unapproved or unknown software components from entering the environment. This task includes code signing, image/artifact signing, and regular scanning of artifacts obtained from third-party software.
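Two of the checks described above (catching committed secrets, and refusing artifacts that do not match what the supply chain policy approved) can be shown in a few dozen lines. The following is an added example, not code from the original article or from GigaOm: it scans constructed commit content for a small, illustrative set of secret patterns, and it stands in for signature verification with a pinned sha256 digest allowlist (a real pipeline would verify a signature over the artifact rather than a bare digest). The sample diff, the allowlist, and the artifact bytes are all constructed here.

```python
import hashlib
import re

# Illustrative secret patterns (constructed, not an exhaustive ruleset).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_password_assignment": re.compile(
        r"(?i)\b(password|passwd|secret)\s*=\s*['\"][^'\"]{8,}['\"]"
    ),
}

# Constructed staged content; the AWS key is the documented example value, not a real key.
STAGED_DIFF = """\
import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
client = boto3.client("s3")
password = "correct-horse-battery"
"""

# Constructed allowlist: artifact name -> pinned sha256 of the approved bytes.
ALLOWLIST = {
    "lib-1.0.0.tgz": hashlib.sha256(b"trusted artifact bytes").hexdigest(),
}


def find_secrets(text):
    """Return (line_number, pattern_name) for every line matching a secret pattern.
    A pre-commit hook would block the commit when this list is non-empty."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                hits.append((lineno, name))
    return hits


def verify_artifact(content, name, allowlist):
    """Compare the sha256 of the artifact bytes with the pinned digest.
    Both unknown artifacts and digest mismatches are rejected, so a component
    that was never approved cannot slip through by simply being new."""
    expected = allowlist.get(name)
    if expected is None:
        return False, "artifact not in allowlist"
    actual = hashlib.sha256(content).hexdigest()
    if actual != expected:
        return False, "digest mismatch"
    return True, "ok"


if __name__ == "__main__":
    for lineno, name in find_secrets(STAGED_DIFF):
        print(f"line {lineno}: possible {name}")
    print(verify_artifact(b"trusted artifact bytes", "lib-1.0.0.tgz", ALLOWLIST))
    print(verify_artifact(b"tampered", "lib-1.0.0.tgz", ALLOWLIST))
```

The secret scan runs per line so that a finding can be reported with a location; the artifact check rejects by default, which is the property the article asks for when it says unknown components must not enter the environment.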

Environment security

Tools can offer guidance, scanning, best practices and guardrails for target cloud and on-prem environments, such as AWS and ESXi. With this information, engineers will understand what vulnerabilities they may face before deploying an application to production, and ideally several stages before production.
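As an added example (not from the original article or from GigaOm) of the kind of guardrail meant here, the following checks two AWS-style resource descriptions for common misconfigurations: a security group that exposes an administrative port to the whole internet, and an S3 bucket whose public access block is only partly enabled. The dictionaries mirror the field names of the AWS API responses, but the resources themselves are constructed; the weak configuration is shown beside its corrected form so the checker can be seen passing one and failing the other.

```python
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres"}
ANY_IPV4 = "0.0.0.0/0"
PUBLIC_ACCESS_KEYS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)

# Constructed: ssh open to the world, which the checker should flag.
WEAK_SG = {
    "GroupId": "sg-weak-example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": ANY_IPV4}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": ANY_IPV4}]},
    ],
}

# Constructed: the corrected form restricts ssh to an internal range.
HARDENED_SG = {
    "GroupId": "sg-hardened-example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": ANY_IPV4}]},
    ],
}

# Constructed bucket descriptions: partially and fully enabled public access block.
WEAK_BUCKET = {
    "Name": "example-weak-bucket",
    "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": False, "IgnorePublicAcls": False,
        "BlockPublicPolicy": True, "RestrictPublicBuckets": True,
    },
}
HARDENED_BUCKET = {
    "Name": "example-hardened-bucket",
    "PublicAccessBlockConfiguration": {key: True for key in PUBLIC_ACCESS_KEYS},
}


def audit_security_group(sg):
    """Return (group_id, message) for ingress rules that expose sensitive ports,
    or all traffic, to 0.0.0.0/0."""
    findings = []
    for rule in sg.get("IpPermissions", []):
        open_to_world = any(r.get("CidrIp") == ANY_IPV4 for r in rule.get("IpRanges", []))
        if not open_to_world:
            continue
        if rule.get("IpProtocol") == "-1":  # "-1" means every protocol and port
            findings.append((sg["GroupId"], "all traffic open to the internet"))
            continue
        from_port, to_port = rule.get("FromPort"), rule.get("ToPort")
        if from_port is None or to_port is None:
            continue
        for port, service in SENSITIVE_PORTS.items():
            if from_port <= port <= to_port:
                findings.append((sg["GroupId"], f"{service} port {port} open to the internet"))
    return findings


def audit_bucket_public_access(bucket):
    """Return (bucket_name, message) for each public access block setting not enabled."""
    cfg = bucket.get("PublicAccessBlockConfiguration", {})
    return [(bucket["Name"], f"{key} is not enabled")
            for key in PUBLIC_ACCESS_KEYS if not cfg.get(key, False)]


if __name__ == "__main__":
    for resource in (WEAK_SG, HARDENED_SG):
        print(resource["GroupId"], audit_security_group(resource))
    for resource in (WEAK_BUCKET, HARDENED_BUCKET):
        print(resource["Name"], audit_bucket_public_access(resource))
```

A check like this belongs in the pipeline stage that validates infrastructure definitions, so the finding reaches the engineer before the resource exists, which is the "several stages before production" point the paragraph makes.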

Application profiling for architectural security

Beyond development, tools should offer support for safeguards such as microsegmentation and container protection. Identifying the expected behavior of an application helps ensure a secure runtime environment while also identifying unexpected changes across releases.

SOAR and SIEM integration

Tools should integrate with operational monitoring, reporting and feedback. Events and logs must be shipped in real time as a continuous feed so that they can be integrated into existing SOC workflows.

Integration with development planning tools

Development teams require a quick way to prioritize tasks. Security-related issues should be identified automatically and added to development planning tools such as Jira, GitHub Issues and the like.

Finally, key emerging capabilities need to be considered. We expect the following technologies to become widely relevant over the next year or two:

  • Automated and codified cloud development environments

  • Machine learning/AI-driven insights

  • Auto-remediation within GitOps models

Automated and codified cloud development environments

Cloud development environments enable organizations to control the location where their source code lives and to automate the installation of development tools and configurations. These capabilities speed up the developer onboarding process and lower the risks associated with misconfigured development environments or source code leakage.

Machine learning/AI-driven insights

Still in a relatively early stage, machine learning and AI technologies are being applied to recommend improvements to existing source code and to provide recommendations for new code. These capabilities free up valuable developer time and will extend naturally into the security space by ensuring that written code aligns with organizational security policies.

Auto-remediation within GitOps models

Remediation recommendations will transition into automatic application patching within the new GitOps operations models. In this manner, remediations can be tested and validated automatically with little or no involvement required from the developer.

Evaluating DevSecOps tools for your organization should take these key criteria into account before you invest in vendors that cannot satisfy your foundational needs.

Next Steps

To learn more about the key criteria for evaluating DevSecOps tools, download our GigaOm-partnered report.

About GigaOm

GigaOm democratizes access to strategic, engineering-led technology research. We enable businesses to innovate at the speed of the market by helping them to grasp new technologies, upskill teams, and provide strategic sales training and advisory services to navigate opportunities and challenges. The GigaOm e-learning platform changes the game by unlocking deep technical insight and making upskilling teams accessible to all.