Security is always the last phase of measuring your DevOps initiative’s success. Enterprises that have combined development and operations teams under a DevOps model are generally successful in releasing code at a much faster rate. But this has increased the need for integrating security in the DevOps process (this is known as DevSecOps), because the faster you release code, the faster you release any vulnerabilities in it.
Open Source Security Tools
Measuring security vulnerabilities early ensures that builds are stable before they pass to the next stage in the release pipeline. In addition, measuring security can help overcome resistance to DevOps adoption. You need tools that can help your dev and ops teams identify and prioritize vulnerabilities as they are using software, and teams must ensure they don’t introduce vulnerabilities when making changes. These open source tools can help you measure security:
- Gauntlt is a ruggedization framework that enables security testing by devs, ops, and security.
- Vault securely manages secrets and encrypts data in transit, including storing credentials and API keys and encrypting passwords for user signups.
- Clair is a project for static analysis of vulnerabilities in appc and Docker containers.
- SonarQube is a platform for continuous inspection of code quality. It performs automatic reviews with static analysis of code to detect bugs, code smells, and security vulnerabilities.
Many DevOps initiatives start small. DevOps requires a commitment to a new culture and process rather than new technologies. That’s why organizations looking to implement DevOps will likely need to adopt open source tools for collecting data and using it to optimize business success. In that case, highly visible, useful measurements will become an essential part of every DevOps initiative’s success
This article is originated from https://opensource.com/article/18/10/devops-measurement-tools
Daniel Oh is a Tigera guest blogger. He works as a DevOps evangelist with Senior Specialist Solution Architect and he takes the role of CNCF ambassador to encourage developers’ participation of cloud-native app development at scale and speed.