Software development teams are increasingly focusing on identifying and mitigating problems as quickly and completely as possible. This applies not only to software quality but also to software security. Organizations differ in how closely their development and security teams work together, but the simple fact remains that there are far more developers than security engineers.
These factors lead organizations to consider security tools and automation to proactively discover and resolve software security issues throughout the development process. In the recent report “GigaOm Radar for Developer Security Tools,” Shea Stewart surveys the security tools aimed at software development teams.
Stewart has identified three critical criteria to keep in mind when evaluating developer security tools. These include:
- Vendors who provide tools to improve application security can and should also improve an organization’s overall security position.
- The prevailing “shift-left” attitude does not necessarily mean that the responsibility for reducing risk should shift to development; rather, by focusing on security early in the process and continuing to do so throughout development, both risk and the need for extensive rework are reduced.
- Security throughout the software development lifecycle (SDLC) is critical for any risk-focused organization.
Figure 1. How cyber security applies at each stage of the software development lifecycle. (Note: this report focuses only on the developer security tool area.)
Individual vendors have made different levels of progress and innovation in improving developer security. Following several acquisitions, Red Hat, Palo Alto Networks and Rapid7 have all added developer security tools to their platforms. Stewart notes that smaller vendors such as JFrog and Sonatype continue to innovate to stay ahead of the market.
Vendors entering this category and moving deeper into “DevSecOps” each take a different approach to their security tooling. While all of them address security across the development process, some move faster to keep pace with the SDLC, while others strengthen existing platforms by adding functionality through acquisition. Infrastructure and software developers now share toolkits and processes, so these developer security tools need to account for the requirements of both groups.
Although none of the 12 providers evaluated in this report can provide comprehensive security throughout the SDLC, each has its own strengths and focus areas. It is therefore up to the organization to evaluate its SDLC fully and accurately, to involve both the development and security teams, and to map its unique requirements to the functionality these tools provide. Even if this means using more than one tool at different points in the process, the focus should be on finding a balance between strict security and simplicity of the development process.