DevSecOps

When deciding how to deploy an AppSec solution for DevSecOps, it is best to consider the needs of both the security organization and the engineering and operations teams. Often, organizations find that on-premises or hybrid deployments are required only for specific business units or teams. SaaS-based security testing, such as Polaris, can be optimized to scale with DevOps and CI/CD pipelines and minimize costs for DevSecOps. There is no hardware to deploy or software to update, and no limits on team size or scan frequency. Onboard users and applications quickly across your entire organization while leveraging elastic capacity and concurrent scanning across projects and scan types.

Black Duck has automated solutions for SAST, SCA, IAST, and DAST. These can be integrated and automated in CI/CD pipelines and configured based on predefined policies and workflow triggers. The Polaris Platform provides the flexibility to run the most appropriate analysis engine at the best possible stage in the pipeline based on application, project, schedule, or pipeline events.

It is important that security teams maintain visibility into, and control of, the security risk posture of all the applications and containers that development teams push downstream. To do this in a way that doesn’t impede DevOps workflows, Black Duck's DevSecOps solutions for AppSec testing integrate across the SDLC and in CI/CD pipelines. Trigger scan events, automate prioritization and triage based on policy, and accelerate remediation for more efficient, effective DevSecOps that eliminates vulnerability backlogs. Connect to SCM and CI tools, like GitHub, GitLab, and Azure DevOps, to perform scheduled or triggered scans of proprietary code, open source, and third-party dependencies, and to configure automated actions in response to security policy violations, such as blocking builds, commenting on pull requests, and initiating issue management workflows.

Code Sight integrates security testing for source code and open source components directly into developers’ preferred IDEs, such as VS Code, Visual Studio, IntelliJ, and Eclipse. With Code Sight functioning as a “security spellchecker,” developers can find and fix security defects without switching tools or disrupting their workflow. Code Sight provides developers with detailed fix recommendations at the package and line-of-code level, removing the guesswork from remediation and elevating the developers' security skillset. Additionally, developers can connect Code Sight with other Black Duck solutions, such as Polaris to review issues detected and prioritized by CI/CD pipeline-based scans.

The security and license issues associated with AI-generated code are essentially the same as those introduced by developers. To prepare for this, define security testing policies up front to automate critical security steps and integrate the appropriate test type at various stages of the SDLC and in CI/CD pipelines. Next, you can automate fix pull requests using DevOps security automation templates like the Black Duck Security Scan GitHub Action, GitLab Template, and Azure DevOps Extension, and deliver clear fix guidance into issue management workflows and the IDE so developers can fix issues faster. These steps help automate and scale necessary AppSec functions at a rate required by AI code-generation.