With the shift to DevSecOps, developers are now primarily responsible for security testing in the early phases of the SDLC. If developers are conducting security testing, the old rules for selecting an application security solution no longer apply. What do application security selection criteria look like in a DevSecOps world? Veracode users are talking about this shift and their new selection criteria at IT Central Station, and we’ve condensed all that valuable insight into one paper. Read Real Users Speak: Selecting the Right Software Security Testing Tool to find out how your peers are fitting application security testing into DevOps processes, and what their selection criteria were when searching for an AppSec solution. Hear Veracode users talk about their priorities, including:
The importance of integrating into developer workflows: “Figure out a way to integrate it into your software development lifecycle in a way that it’s not intrusive to your developers. That was really something that I set out to do. I didn’t want my developers to have to go into their code, and kick off scans, and upload their code.” – Systems architect at a tech company
The need to scale AppSec:“We went from 50 applications in 2015, we’re now up to over 400. There seems to be no limit on how quickly it can scale and operate. By using a cloud-based scanner, we really had no issues with where the developers are geographically located. So we didn’t really have setup problems at all. It just kind of happened, and scales fairly naturally, organically.” – Technical director at a financial services firm
Why it’s necessary to have multiple scanning types:“We do not pass our release without performing a static and a dynamic scan, and mitigating the flaws identified.” – Director of software engineering at a tech services company
Why automation matters: “We have 35 applications, and instead of having 35 different people preparing their packages for upload and scan, it’s automated. We don’t have to spend money doing that as well.” -- Director, security and risk, cloud operations at a tech company
What to look for in training and support:“I feel like any vendor can identify the flaws but fixing the flaws is what is most important. Being able to have those consultation calls, schedule them in the platform, and have that discussion with an applications expert, that process scales well and that is what has allowed a lot more reduction of risk to happen.” – SVP, application security at a financial services firm
Get all the details and insights from Veracode users in Real Users Speak: Selecting the Right Software Security Testing Tool.