When Deepfactor was launched in September 2020, the market was being upended by technical innovations in containerization (i.e. K8s), software delivery (i.e. CI/CD), and security (more on that below). These trends challenged enterprises to reevaluate how software was developed, tested, and—most importantly—secured across the entire development pipeline. That said, over the course of many conversations, we discovered that customers struggled to modernize because they did not understand the composition and behavior of their applications.
From this ambiguity emerged a disjointed development process, leaving engineers to manage the disconnect between the various teams and tools/platforms (i.e. CI/CD pipeline) responsible for delivering applications. This created a negative feedback loop where developers—overwhelmed with alerts missing contextual and prioritized insights—struggled to deliver secure applications on time. And unfortunately, the explosive increase of software supply chain attacks (up more than 300% in 2021) continues to exacerbate the issue as over 20,000 common vulnerabilities and exposures (CVEs) are discovered per year in open source and third-party code.
This raises the question: what can developers do to address these issues? Well, as the great Albert Einstein once said, “In the middle of difficulty lies opportunity.”
What’s Needed for Successful DevSecOps?
DevSecOps advocates for the unification of development, security, and operations to help identify and remediate security issues before shipping applications to production. Though many organizations claim to have started DevSecOps initiatives, addressing vulnerabilities and risks in cloud native applications during development remains a major challenge. In fact, according to the Secure DevOps and Misconfigurations 2021 Report by the Cloud Security Alliance, only 30% of security professionals admit to “fully implementing DevSecOps.” This means most organizations are struggling to escape the “ideation and planning” stage. And though 42% of respondents hope to address these shortcomings in 2022, the further adoption and maturity of DevSecOps will continue to have immense opportunity for growth.
Though there are several reasons why enterprises struggle to implement DevSecOps, we highlighted two of them in a previous blog post and webinar this past May:
- Understanding and addressing security risks in cloud native applications requires advanced analysis spanning custom code, dependencies, container images, web interfaces, and compliance.
- Many organizations initially focus on the mechanism through which application code and infrastructure is scanned and analyzed for security insights. However, the result is often a complex set of overlapping and loosely integrated tools spanning development and production.
Deepfactor continues to help customers navigate these questions/challenges, encouraging them to evaluate tools that integrate security and compliance testing seamlessly into development; educate developers with contextual and actionable security insights; and help create a security culture within engineering. Our mission is to help organizations replace “shift left” with “start left,” minimizing friction for developers and helping them identify critical data early in development when the stakes are highest.
Top 5 Evaluation Criteria and Scorecard
In pursuit of this mission, we decided to create a guide—the Top 5 Evaluation Criteria for Developer Security Platforms—to share what we’ve learned over the past few years helping customers evolve their security pipelines. Though there are many products focused on application and container security, not every tool is purpose-built to address the security requirements being demanded of developers. Developer Security platforms are designed to identify critical security risks early in the software development lifecycle, minimizing the time, effort, and—most importantly—impact of vulnerable and insecure applications being released into production. Instead of relying on a complex set of overlapping and loosely-integrated tools spanning development and production, organizations should evaluate platforms that provide the following:
- Cloud native instrumentation
- Contextual, application-aware security
- Real-time & actionable developer education
- Native CI/CD integrations
- Compliance mapping
The following table summarizes the top 5 criteria discussed in the guide, giving you an opportunity to see what information will be provided:
| Criterion | Summary |
|---|---|
| Cloud Native Instrumentation | Enable developers to automatically observe every application thread, process, container, and pod without disrupting developers and operations with complex and intrusive requirements. |
| Prioritized and Comprehensive Security Insights | Highlight usage information for known vulnerabilities, providing developers with actionable and prioritized steps for remediation. |
| | Ensure developers are provided with contextual, “just-in-time” education to understand, triage, and remediate security risks. |
| CI/CD Integration and Developer Experience | Deliver a comprehensive experience for developers through the seamless integration of security insights into existing CI/CD pipelines and processes. |
| Understanding the Impact of Security on Compliance | Empower engineering leadership to understand the impact of vulnerabilities and risks on the company’s compliance objectives. |
Take a read-through to understand how our recommendations can help organizations address the many challenges introduced with digital transformation and application modernization. And make sure to reference the scorecard on the last page, which offers recommendations, questions to consider, and a grading system to use as your organization evaluates tools to modernize your application security pipeline.
Important Questions to Consider in Developer Security Tool Evaluation
And though many believe “breadth of coverage” is the most important attribute to consider, the new guide encourages organizations to find balance by answering the following question:
Which instrumentation technique…
- is easiest and most secure to deploy and maintain?
- has the best performance?
- is the least likely to affect application behavior/stability?
- is compatible with the most host systems?
- provides the appropriate breadth of visibility and coverage?
And for additional educational content, you can read the whitepaper, Observing Application Behavior via API Interception, which explores several different ways in which application programming interfaces (APIs) can be observed or “intercepted” in running applications. This is particularly helpful for organizations evaluating developer security platforms, where the objective is to provide developers with contextual, application-aware information in near real time to understand and secure end-to-end behavior.