Modernize the Security Development Lifecycle!

Rich Seiersen

Affordable GitOps Security Automation Using Open Source Software

TL;DR You need automated security assessments running now – with 100% coverage throughout the software development lifecycle (SDLC). You want to use a growing list of innovative open source assessment solutions – but don’t have the resources to bring it all together. How do you do it?

Is it any wonder security can’t keep up with cloud native developers?

Developers are moving fast. With continuous integration and continuous deployment (CI/CD), they are rapidly and continuously deploying and updating software. For the business, modern software development pipelines bring rapid innovation and maximize productivity, impacting the bottom line.

What makes security go fast? What makes us continuous? We need help because we have not had a way to scale security to meet the needs of modern software development.

Yet, security is accountable. We are expected to find 100% of the knowable vulnerabilities before they are exposed and exploited.

These are the vulnerabilities that could’ve and should’ve been caught in development. Now they’ve escaped. Now they’ve been exploited!

All is laid bare when exploit leads to breach. Soon, everybody knows the truth – we didn’t operationalize scanning across development.

I’VE BEEN THERE. IT FELT HOPELESS. There was nothing I could pull from the vendor spice rack that was palatable to cloud native development.

My teams resorted to building Rube Goldberg-esque assessment machines – only to have them crater under their own weight due to complexity and neglect.

Legacy enterprise solutions were no help. They were simply too expensive, hard to deploy, and couldn’t match the pace of cloud native innovation.

The answer to this dilemma came as an epiphany of the obvious…at least to us.

Modernize the Security Development Lifecycle!

The goal? Parity with cloud native (pipeline based) development – without breaking the bank. Without getting in the way.


This is what we’ve been building at Soluble. A platform that automates security assessments throughout the SDLC for the needs of modern software development – at an affordable price point.

So, what are the high level requirements for a secure development lifecycle platform? Here is what you should look for, and what we are aiming to build at Soluble:

  • GitOps Automation: Inserting or trying to run security solutions directly inside of CI (Jenkins, CircleCI, BuildKite etc) creates risk and slows things down. For most development teams, it’s a non-starter. It also creates extra work for pipeline owners. But, running a lightweight parallel SDLC process – that listens and reacts to repo based events (GitHub, GitLab, BuildKite etc) – avoids these problems. This way, security can do its job without getting in anyone’s way.
  • Immediate Usability: Development teams spin up new repos, build new pipelines, and adopt new languages at will. Security needs real time assessment coverage across all of this – without interrupting development with “yet another deployment project…for yet another security vendor!” Providing a platform that you can connect to in minutes to get access to numerous open source solutions removes this complexity. Security gets the tools they need (and assessments done) without delay.
  • Uses Developer Workflow: If you present security issues as unit tests to developers – they will engage. Results must be fast, immediately relevant, and presented in their tool chains – not yours. Security gets less risk and development gets less rework.
  • Easy Extensibility and Affordability: We’re at a dozen open source solutions and counting. We cut across infrastructure as code (IaC), container image scanning, dependency analysis, secrets detection, static analysis and more. New open source solutions are added in days. Soon, you will be able to bring in open source solutions yourself (no-code). Why use open source assessment tools? They’re great! Even large public cloud providers (AWS, GCP etc) use them. We can pass the savings (of not creating yet another scanner) on to you.
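An added example of the listener pattern the first bullet describes (this is illustrative code, not Soluble’s platform and not a description of how it is built): a handler for a GitHub push webhook that first authenticates the event with the HMAC signature GitHub attaches, then maps the files changed in the push to the open source tools listed later in this post. The file-kind-to-tool mapping, the secret and the sample payload are assumptions constructed for the example.

```python
import hashlib
import hmac
import json
from pathlib import PurePosixPath

# File kind -> scanners named in this post (assumed mapping, not a product feature).
SCANNERS = {
    ".tf": ["checkov", "tfsec", "terrascan"],
    ".yaml": ["checkov", "trivy"],  # Kubernetes / CloudFormation manifests
    "Dockerfile": ["hadolint", "trivy"],
    ".py": ["bandit", "semgrep"],
    ".js": ["nodejsscan", "semgrep", "retirejs"],
    ".rb": ["brakeman"],
}
SECRETS_SCANNERS = ["detect-secrets", "trufflehog"]  # run on every changed file

def verify_signature(secret: bytes, body: bytes, header: str) -> bool:
    """Check GitHub's X-Hub-Signature-256 header ("sha256=<hex>") against the raw body."""
    if not header.startswith("sha256="):
        return False
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    # Constant-time comparison so a forged signature cannot be guessed byte by byte.
    return hmac.compare_digest(expected.encode(), header[len("sha256="):].encode())

def plan_scans(event: dict) -> dict:
    """Map files added/modified in a push event to {tool: sorted list of paths}."""
    plan = {}
    for commit in event.get("commits", []):
        for path in commit.get("added", []) + commit.get("modified", []):
            name = PurePosixPath(path)
            key = name.name if name.name == "Dockerfile" else name.suffix
            for tool in SECRETS_SCANNERS + SCANNERS.get(key, []):
                plan.setdefault(tool, set()).add(path)
    return {tool: sorted(paths) for tool, paths in plan.items()}

def handle_webhook(secret: bytes, body: bytes, signature: str):
    """Listener entry point: returns the scan plan, or None if the event is unauthenticated."""
    if not verify_signature(secret, body, signature):
        return None
    return plan_scans(json.loads(body))

def sign(secret: bytes, body: bytes) -> str:
    """Build the header value GitHub would send; used here only to exercise the sample."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()

# Constructed sample push payload (not a real GitHub event) so the script runs offline.
SAMPLE_SECRET = b"constructed-webhook-secret"
SAMPLE_BODY = json.dumps({"commits": [
    {"added": ["infra/main.tf"], "modified": ["Dockerfile", "app/server.py"]}]}).encode()
```

Calling `handle_webhook(SAMPLE_SECRET, SAMPLE_BODY, sign(SAMPLE_SECRET, SAMPLE_BODY))` returns the per-tool file lists, while a wrong secret or tampered body returns `None` before any scanner is started.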

The Open Source Solutions

Below is a list of software languages, SDLC categories and related open source tools. Most of these solutions are live now, some are soon to be, and many more will be added. If something is missing, let us know. We can usually get it live in days. Soon enough, you will be able to pull in a variety of tools we haven’t even considered – all by yourself (no-code).

Did I forget to mention…you can try it now – for free? Then you can automate security assessments for your SDLC using these open source tools. We hope you’ll check it out, and let us know what other tools you’d like to see.


JavaScript

  • SDLC Types: SAST, SCA, DAST, IAST, Fuzzing
  • OSS Tools: NodeJsScan, SemGrep, CodeQL, Trivy, retirejs, Nikto, Fuzzitdev

Terraform, CloudFormation, Kubernetes, Docker, and Ansible

  • SDLC Types: IAC, Secrets
  • OSS Tools: Checkov, tfsec, Terrascan, tf-score, Trivy, detect-secrets, Trufflehog, Hadolint

Python

  • SDLC Types: SAST, SCA
  • OSS Tools: Bandit, SemGrep, CodeQL*, Trivy, Dependabot

Java

  • SDLC Types: SCA
  • OSS Tools: OWASP Dependency-check, Dependabot

Go

  • SDLC Types: SAST, SCA
  • OSS Tools: Gosec, Dependabot

Ruby

  • SDLC Types: SAST, SCA
  • OSS Tools: Brakeman, BundleAudit, Dependabot


You can connect to Soluble to be able to use open source tools like this in your SDLC.
*not open source, but free to use