Without the right tools, even the best DevSecOps approach can’t unlock a team’s full potential.
Below are UNCOMN’s favorite DevSecOps tools on the market today.
Without a doubt, the number one critical piece of your automated toolchain is your Version Control System. UNCOMN prefers and frequently utilizes GitLab. Having this tool to build automation on is critical for any DevSecOps approach. If you can’t automate your security tooling, you can’t expect to keep up with the rate of change expected of DevSecOps. Leveraging webhooks and integrations is also important: it gives you the capability to trigger numerous external tools in response to a developer’s latest push of code, providing them feedback earlier in the development process. From replacing Jenkins in your builds with GitLab’s native CI/CD tooling, to moving your documentation from an increasingly costly Atlassian Confluence instance to GitLab’s own Wiki capability, or even leveraging the excellent container orchestration integration with Kubernetes, GitLab’s breadth of functionality is simply astounding. Plus, with so many security capabilities integrated into GitLab, a wealth of vital security-related information can be presented to the developer in a single interface. With GitLab’s Dependency Firewall capability in progress, the already-impressive list of functionality continues to grow.
Code quality is of major importance for anything you produce. You inevitably take shortcuts in the process of development, and that has to be managed and mitigated over time. Tools like SonarQube, where you can readily identify issues such as code smells and potential vulnerabilities, are paramount in maintaining and managing a codebase’s health and technical debt over its lifetime. Resolving these issues offers the following benefits:
- Makes the codebase easier to work with, letting you adapt your product faster, which makes your development, marketing, and management teams happy
- Improves and fixes performance, which makes your users happy
- Mitigates and/or resolves security issues to keep your critical company data safe
- Quashes outstanding bugs in your application and makes your product more reliable
In the end, it all counts as a value-add.
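As an added illustration of the two points above (it is not UNCOMN’s own pipeline), here is a `.gitlab-ci.yml` that runs GitLab’s bundled security scanners and a SonarQube quality gate on every push, so the developer sees findings in the merge request rather than after release. It assumes a Dockerized application, that the image is pushed to the project’s GitLab container registry, and that `SONAR_HOST_URL` and a masked `SONAR_TOKEN` are defined as CI/CD variables; the template names and `CS_IMAGE` are GitLab’s, the job names and the `sonar.projectKey` value are choices made for this example.

```yaml
# Example .gitlab-ci.yml (added illustration, not UNCOMN's pipeline).
# Assumes a Dockerized app and a SonarQube server reachable at SONAR_HOST_URL.

stages:
  - build
  - test

# GitLab's bundled scanner templates. Each adds jobs to the "test" stage
# and surfaces findings in the merge request widget and Security dashboard.
include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml

variables:
  # Tell the container scanner to inspect the image built in this pipeline.
  CS_IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"

# Build the image once, tagged with the commit SHA, and push it to the
# project registry so the container scanner has something to inspect.
build_image:
  stage: build
  image: docker:24
  services:
    - docker:24-dind
  script:
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker build -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" .
    - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"

# Code-quality gate: the SonarScanner CLI uploads the analysis and, with
# sonar.qualitygate.wait=true, fails the job when the quality gate is red,
# so code smells and potential vulnerabilities block the merge.
sonarqube_check:
  stage: test
  image: sonarsource/sonar-scanner-cli:latest
  variables:
    GIT_DEPTH: "0"   # full clone so SonarQube can attribute "new code" correctly
  script:
    - sonar-scanner
        -Dsonar.projectKey="$CI_PROJECT_NAME"
        -Dsonar.qualitygate.wait=true
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
```

Because the scanners run in the `test` stage after `build_image`, a failing quality gate or a high-severity finding stops the pipeline before anything deploys, which is the early feedback the text describes. Credentials for the registry and SonarQube come from masked CI/CD variables and never appear in the repository.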
Multifactor Authentication (MFA)
Admittedly, MFA is not a web application, nor is it often the first thing that comes to mind when someone brings up DevSecOps tools. However, MFA is critical to the success of DevSecOps. Relying on typical authentication measures just isn’t enough. Social engineering attacks are constantly hammering organizations, and brute force attacks are a threat to even the smallest of businesses. MFA should be a standard feature in any product or service. If MFA isn’t available, demand it – and don’t call it a “want”, call it a “need!” Protecting access to your organization’s assets, intellectual property, servers, laptops, and more is critical to DevSecOps. If an attacker can pierce the authentication for your build server, it doesn’t matter how many security scanning tools you run on your code pipeline; an attacker can and will sidestep those tools, injecting malicious code into deployments headed right for your production systems.
Whether you use a TOTP application (such as Google Authenticator or Authy), push-notification-centric MFA (such as Duo and Microsoft Authenticator), TOTP physical tokens, or FIDO2 keys (such as a YubiKey), wherever you have a login screen, make sure it leverages Multifactor Authentication.
One final word of advice: avoid using SMS text messaging for your MFA. There are major vulnerabilities with SMS that provide significant attack vectors to would-be hackers.