Posted by Charlie Klein on June 25, 2018
Traditional software security can be too slow for DevOps. The answer: DevSecOps. To create secure software quickly, you need automated static analysis.
The timeless demand to reduce time to market has put DevOps in a position to solidify itself as a defining characteristic of modern SDLCs. While the need to accelerate software development is as old as software development is, the need to produce secure software is currently gaining traction in light of recent software security blunders. The only problem: Software security practices have garnered a reputation for being painfully slow and incompatible with DevOps initiatives.
DevSecOps has emerged as a response to the demand to produce secure software quickly. DevSecOps encourages the integration of security processes into continuous integration and continuous delivery (CI/CD) pipelines so that developers can scan their software early in the SDLC, as it’s being written. Identifying vulnerabilities early in the SDLC is faster, and therefore cheaper, than waiting until an application has been developed—when it may have to be reworked to apply fixes.
With its integrations with popular IDEs and CI tools, Coverity empowers developers to build secure code into their applications. Development and security teams can scan all their code for security weaknesses and vulnerabilities in their CI/CD pipelines without affecting velocity. From analysis to remediation, Coverity is designed to help organizations enable DevSecOps.
Coverity users can control the speed and depth of their analysis depending on their changing needs. Developers can run Fast Desktop or Incremental Analysis to maintain an agile workflow, or do a deep scan during build. This level of control gives DevOps teams the flexibility they need to ensure their security processes don’t interfere with their software delivery deadlines.
In addition to enabling agile analysis, Coverity supports accelerated remediation efforts to avoid backlogs of untouched vulnerabilities and weaknesses. Coverity Connect auto-assigns these issues to the developers responsible so they can be addressed quickly. But having developers examine every issue to identify real problems and eliminate false positives is not compatible with agile DevSecOps practices, so Synopsys has invested heavily in improving Coverity’s accuracy to ensure development and security teams receive actionable, relevant results.
As DevSecOps becomes best practice for application security, organizations need technologies that support a more continuous, iterative SDLC. From enabling agile analyses to automating remediation, Coverity helps developers and security teams integrate SAST seamlessly into their CI/CD pipelines.
Read the white paper:
Get the latest AppSec news and trends sent directly to you.