6 key criteria for choosing DevSecOps Tools in 2022

Tools can identify areas of weakness in the code and address them directly, without intervention. This criterion may include features that enable identifying and removing unnecessary code or software packages, removal of sample or default sensitive files, disabling unused software features or identifying possible attack points in the code.

The code itself requires IP protection and privacy so that, for example, it can’t be scanned for weaknesses by a third party or accessed by unapproved users or third-party integrations. Sensitive information must be removed automatically from the repository and integrated into secret management solutions. Artifact repositories should be able to verify compliance with a secure software supply chain strategy to prevent unapproved or unknown software components from entering the environment. This task includes code signing, image/artifact signing and regular scanning of artifacts obtained from third-party software.

Tools can offer guidance, scanning, best practices and guardrails for target cloud and on-prem environments, such as AWS and ESXi. With this information, engineers will understand what vulnerabilities they may face prior to deploying an application to production, and hopefully several levels prior to production.

Beyond development, tools should offer support for safeguards such as microsegmentation and container protection. Identifying the expected behavior of an application helps ensure a secure runtime environment while also identifying unexpected changes across releases.

Tools should integrate with operational monitoring, reporting and feedback. A continuous feed of events and logs that will enable integration into existing SOC workflows must be shipped in real time.

Development teams require a quick way to prioritize tasks. Security-related issues should be identified automatically and added to development planning tools such as Jira, GitHub Issues and the like.

Finally, key emerging capabilities need to be considered. We expect the following technologies to become widely relevant over the next year or two:

• Automated and codified cloud development environments

• Machine learning/AI-driven insights

• Auto-remediation within GitOps models

Cloud development environments enable organizations to control the location where their source code lives and to automate the installation of development tools and configurations. These capabilities speed up the developer onboarding process and lower the risks associated with misconfigured development environments or source code leakage.

Still in a relatively early stage, machine learning and AI technologies are being applied to make recommended improvements on existing source code, and to provide recommendations for new code. These capabilities free up valuable developer time and will extend naturally into the security space by ensuring that written code aligns with organizational security policies.

Remediation recommendations will transition into automatic application patching within the new GitOps operations models. In this manner, remediations can be tested and validated automatically with little or no involvement required from the developer.

Evaluating DevSecOps tools for your organization should take these key criteria into account before investing in vendors that cannot satisfy your foundational needs.

To learn more about Key Criteria for Evaluating DevSecOps Tools, download our GigaOm partnered report.

GigaOm democratizes access to strategic, engineering-led technology research. We enable businesses to innovate at the speed of the market by helping them to grasp new technologies, upskill teams, and provide strategic sales training and advisory services to navigate opportunities and challenges. The GigaOm e-learning platform changes the game by unlocking deep technical insight and making upskilling teams accessible to all.