Company CEO Rohit Sethi said SD Elements is the first instance of what the company is positioning as a balanced development automation (BDA) platform. By defining a set of best practices for building secure applications, organizations can strike a better balance between building applications fast and ensuring those applications are secure and compliant with any number of regulatory requirements.
Too much of the focus on application development is on pure speed, said Sethi. SD Elements is designed to offer a more structured approach that provides developers with access to threat modeling and risk assessment tools to reduce the number of vulnerabilities finding their way into an application.
SD Elements first gathers details such as the technology stack, deployment environment and compliance requirements. It then classifies risks based on security and compliance policies defined by the organization, which are then employed to surface recommendations to the developer. SD Elements also automatically tracks the status of security activities via integrations with security testing tools such as Veracode, Checkmarx or Fortify to generate reports that identify risks and current mitigation status.
Finally, SD Elements provides access to a library of thousands of security and compliance recommendations and controls, including code samples and test cases, that are mapped to regulatory and compliance standards from all over the world.
To some degree DevSecOps will slow down the rate at which applications are developed. Security Compass, via BDA, is making a case for minimizing the impact security gates will have on that rate. It’s not clear BDA as a market category will catch on, but as providers of DevOps platforms continue to embed security tools in their platforms, the entire category is evolving.
The challenge many organizations face today is that they want developers to embrace DevSecOps as part of an effort to shift responsibility for application security to the left. However, organizations are still working to put in place the tools and processes that would enable developers to achieve that goal. Most developers want to build and deploy secure applications, but this needs to occur within the context of a structured approach that has a foundation in DevOps best practices.
Each organization will need to determine to what degree it may need to slow down application development to build more secure applications. In theory, the smaller the workloads, the easier it is to secure them while continuing to iterate rapidly. However, that level of DevSecOps maturity takes time and effort to achieve.
In the meantime, it’s clear DevSecOps has become a requirement as part of an overall effort to better secure the software supply chain on which so many organizations now depend. The challenge is finding a way to adopt DevSecOps in ways that developers will embrace rather than resist.