Software development teams are increasingly focused on finding and fixing defects as early and completely as possible. This applies not only to the quality of the software but also to its security. Organizations differ in how closely their development and security teams work together, but the simple fact is that there are far more developers than there are security engineers.
These factors are leading organizations to adopt security and automation tools that proactively discover and resolve software security issues throughout the development process. In his recent report, “GigaOm Radar for Developer Security Tools,” Shea Stewart examines a roundup of security tools geared toward software development teams.
Stewart identified three critical criteria to consider when evaluating developer security tools. These include:
- Vendors that provide tools to improve application security can and should also improve an organization’s overall security posture.
- The prevailing “shift left” mentality does not necessarily mean that the responsibility for reducing risk should shift to development. Rather, focusing on security early in the process, and continuing to do so throughout development, reduces risk and the need for an extensive review at the end.
- Security throughout the software development lifecycle (SDLC) is critical for any organization focused on reducing risk.
Figure 1. How cybersecurity is applied at each stage of the software development lifecycle.
*Note: This report focuses only on the Developer Security Tools area.*
Individual vendors have made varying levels of progress and innovation to improve developer security. After multiple acquisitions, Red Hat, Palo Alto Networks, and Rapid7 added developer security tools to their platforms. Stewart believes that some of the smaller providers, such as JFrog and Sonatype, will continue to innovate to stay ahead of the market.
Vendors entering this category and embracing “DevSecOps” are taking different approaches to their security tools. All of them involve security in every stage of the development process, but some move faster to match the pace of the SDLC, while others are shoring up existing platforms by adding functionality through acquisition. Infrastructure and software developers now share sets of tools and processes, so developer security tools must account for the requirements of both groups.
None of the 12 vendors evaluated in this report provides comprehensive security across the entire SDLC, but each has its particular strengths and areas of focus. It is therefore up to the organization to assess its own SDLC fully and accurately, engage both development and security teams, and match its requirements to the functionality these tools provide. Even if that means using more than one tool at different points in the process, the goal is to strike a balance between tight security and a development process that remains simple for developers.
Read More: Key Criteria for Evaluating Developer Security Tools and the Gigaom Radar for Developer Security Tool Companies.