WhiteSource has extended its platform, which enables developers to more easily address application security issues, with integrations for GitLab Core and integrated development environments (IDEs) based on the open source Eclipse project.
David Habusha, vice president of product for WhiteSource, said these latest integrations extend the reach of the company’s platform for addressing DevSecOps beyond existing support for GitHub and Bitbucket continuous integration/continuous deployment (CI/CD) platforms and the proprietary IntelliJ IDEA development platform. All of these integrations are being made available via WhiteSource for Developers, a commercial instance of the WhiteSource platform that includes a WhiteSource Remediate tool to address vulnerabilities and integrations with repositories, IDEs, CI/CD platforms and multiple browsers.
As the responsibility for cybersecurity continues to shift left, Habusha said WhiteSource is making it possible for developers to identify, track and remediate cybersecurity issues from within, for example, an Eclipse-based IDE. That approach eliminates the need for developers to exit the tool in which they spend most of their time to address cybersecurity issues.
In general, Habusha said organizations that have adopted DevOps are now in the best position to leverage continuous integration best practices to make the transition to a new DevSecOps era. It’s still early days in terms of making that transition, but he said it is clear that higher levels of collaboration between DevOps teams and cybersecurity professionals are now occurring.
In fact, a recent survey published by WhiteSource finds 71% of respondents agree that operational responsibility for application security now lies with software development teams. That same survey finds over a third of respondents (36%) are starting to integrate security testing tools at earlier points in the software development life cycle (SDLC).
Regardless of where organizations may be on the DevOps maturity curve, it’s never too early to address cybersecurity issues. The challenge is providing the means for DevOps teams and cybersecurity professionals to collaborate. There are not enough cybersecurity professionals available to participate in every stage of the application development process. Developers need to be able to act on issues identified by cybersecurity teams within the context of a larger, ongoing quality assurance process that revolves around their CI/CD platform. In effect, Habusha said, responsibility for cybersecurity needs to shift both left and right across the entire DevSecOps team.
Nor is there any single right approach to DevSecOps; rather, Habusha said each organization will need to define the set of processes for addressing application vulnerabilities earlier in the development cycle that best fits its culture.
It may take some time to heal the rift that has existed between developers and cybersecurity teams for decades now. Even though everyone agrees developers need to take on more responsibility for cybersecurity, the individuals within organizations who have cybersecurity expertise don’t always trust developers, who are under constant deadline pressure, to do the right thing. However, given the fact that cybersecurity professionals can’t address every vulnerability on their own, many of them are now coming to terms with the fact they need to find a way to work much more closely with application developers regardless of their level of trust.