Harness today announced that Traceable will be merged into the company to create a combined company that will further advance the adoption of best DevSecOps practices across the software development lifecycle (SDLC).
Traceable was created to focus specifically on application programming interface (API) security. Both it and Harness trace their lineage back to BIG Labs, a startup foundry created by Jyoti Bansal, who also serves as CEO of both companies. Previously, Bansal founded AppDynamics, which was sold to Cisco in 2017. Going forward, the two companies will operate as Harness, with Traceable CTO Sanjay Nagaraj now heading up application security.
Nick Durkin, field CTO for Harness, said that as DevSecOps has evolved it’s become clear that software engineering teams are assuming responsibility for securing APIs alongside all the other artifacts that make up the software supply chain. As such, the need for a separate platform to solely focus on securing APIs becomes less of a requirement, he added.
The overall goal is to make it simpler to share critical security information with application developers that enables them to create more secure applications without adding responsibility for ensuring those tasks are completed, said Durkin. Instead, a DevSecOps platform should surface the right information a developer needs to know at the time when they are writing code, he added. Otherwise, developers are not going to have enough context to address an issue found in code they may have written weeks earlier, noted Durkin.
At the same time, cybersecurity teams should be able to define policies that are enforced by a DevSecOps platform that informs them whenever an issue arises, and then how it was addressed, said Durkin.
With the rise of artificial intelligence (AI), the volume of code that might have a security issue that needs to be addressed before being added to a software build is starting to increase exponentially. Application developers are already struggling to keep pace with the volume of requests to create patches for existing applications. The addition of code written by machines is only going to further exacerbate that issue. There needs to be a platform that facilitates workflows in a way that keeps all parties informed, in real time, of security issues and how they are being addressed, said Durkin.
In fact, the melding of Harness and Traceable is in many ways the latest substantiation of a need to embrace platform engineering as a methodology for managing DevSecOps workflows at scale, he added.
It’s not clear to what degree the need to better secure software supply chains is driving organizations to replace their existing DevOps platforms, but Harness has been making a case for an integrated platform that makes it simpler to apply artificial intelligence (AI) across the SDLC, including the ability to enforce best application security practices.
The challenge, as always, is empowering all the stakeholders involved in a way that doesn’t make it too hard for application developers and software engineers to do the right thing by, for example, reusing a script that has already been vetted for cybersecurity issues, said Durkin. Otherwise, individual members of a team will conclude it’s simply faster to write yet another script that they perceive as being the fastest way to achieve their end application deployment goal, he added.
Regardless of DevSecOps maturity, one thing is certain: with more attention than ever being paid to software supply chain security, it’s now more a question of when, rather than if, existing software engineering workflows will finally be revamped to fully address these longstanding concerns.