We are pleased to announce the launch of our latest research paper, on Building Security Into DevOps. We expect DevOps to fundamentally change the practice of software development over the next decade, and with it how we handle application security.

From the report:

The following graphic reflects our conversations, with development and security practitioners, on where they are successfully deploying security testing tools in a DevOps framework. The callouts map the types of tests being conducted at specific phases of CI & CD. Keep in mind that it’s early days for DevOps and the orchestration of security tools – basically what works where – is far from settled. More importantly, many security tools were built before these concepts of rapid and automated deployment existed; older products are too slow, some could not focus their tests on new code, and still others did not offer API support. Which is another way of saying not all tools are created equal, so you’ll need to evaluate for both performance and API integration capabilities as well as code coverage capabilities.


A special thanks to Veracode for licensing this content. As usual everything was written completely independently, using our Totally Transparent Research process. It is only thanks to licenses that we are able to give this research away free.

You can download a free copy of the white paper in our research library, or grab a copy directly: Building Security Into DevOps (PDF).