DevOps Security Tools Worth Using
Share this

DevOps Security Tools Worth Using

I often come across security tools that look pretty great but I may not have a specific need for at the moment. I keep them here so I always have a list I can refer to when something comes up.

I haven't tried every tool on this list in a production setting, though I only include tools that I think are worth using in that way. Further, only tools that are open source or affordable for individuals are considered here. I have included some comments where I have potentially helpful experience.

In compiling this list, I tried to steer clear of language/framework specific tooling because I have yet to encounter an organization that has standardized well enough to make these broadly applicable (though they are highly useful if DevSecOps is run per team instead of centrally)

Static Code Analysis (SAST)

Tools that work great for automating code scanning for security vulnerabilities and integrating with existing CI/CD pipelines.

  • ZAP baseline scan (Open source): Fast (1 minute) passive ZAP scan that can be used quickly in CI/CD environments or even against production systems with little risk.
  • SpotBugs - Java (Open source): Great bug finder for Java code with low false positive rate, the successor to FindBugs. Not specifically a security tool, but does catch some security issues. If you have a primarily Java code base, this is an excellent all around tool. This breaks my "no specific technology tools" rule, but since I see Java everywhere, I made an exception.
  • SonarQube (Open source): Good static analyzer, easy to put into a CI/Cd pipeline.

Docker container security

Docker presents an interesting challenge that my team has not yet fully figured out to our satisfaction: How to secure & maintain images, repositories, and running containers at scale. Here are some of the tools we are trying or are working with to achieve (some of) these goals.

  • Clair (Open Source): Docker container scanning. Probably the best solution for scanning container registries and newly produced containers around. Integrates well with CI/CD.
  • Watchtower (Open Source): Automatically update running Docker containers. I have heard good things about this, but have not tried it myself. It seems to me that it would be hard to scale beyond a few container hosts and it's unclear to me how to update things like intermediate image patching this way at scale. I include it here because I am still searching for the right container update automation solution and this is a candidate.
  • Falco (Open Source): Monitor containers for security intrusions and insecure actions during runtime.

Dependency Security Scanners

My current workplace uses WhiteSource, which is great but very expensive. I have been looking for solid open source alternatives for dependency management, tracking, and scanning.

  • OWASP dependency check (Open Source): A good command line tool that works with multiple dependency management solutions in many languages, which is great. Has plugins for Jenkins, though I haven't used it myself.

Other Great Security Tools

Tools that don't quite fit in one of the above categories but fill an important niche in trying to secure across an enterprise.

  • Trufflehog (Open Source): Scan github repositories (and full history!) for secrets (passwords, API keys, ssh keys, etc). This is a great tool for making sure the repo doesn't ever contain secrets, and to catch even mistakes like a developer committing a password then removing it next commit, so you know it needs to be changed.
  • Lynis (Open Source): Great script for a quick OS security audit and hardening recommendations. For scaling to the enterprise there is a paid version. I use it on every machine that I personally deploy.
  • Gauntlt (Open Source): Interesting automated testing and attack framework. I looked at implementing this, but have not yet been able to prioritize it. I like that attacks / tests are simple to write and maintain and should be scaleable across an enterprise.

What's missing?

Missing from this list is a solid recommendation for DAST / black box scanning. I have yet to find an open source black box scanner that has a low false positive rate and a high ability to find vulnerabilities, so I want to hear from you if you have ideas! I have used many of the commercial tools with success but chose not to include them here.

I would love to hear about other tools that you have found helpful - please drop me a line and let me know what I should look into.

Charlie Belmer's Image
Charlie Belmer
USA

I live for privacy, security, and online freedom because these are the building blocks of a better society, one I want to help create.