Dynatrace recently announced the availability of "security gates" on its software intelligence platform. Organizations can now use Dynatrace Application Security gates to check for security vulnerabilities early in the software development lifecycle and trigger the required remediation actions.
Continuous feedback during automated release processes is critical. Coupled with Dynatrace’s Cloud Automation, Dynatrace Application Security aims to automate software quality analysis. It compares data from multiple dashboards to determine whether a build satisfies the required quality criteria. Dynatrace claims that its AI and automation capabilities make it possible to compare service-level indicators with the organization’s service-level objectives (SLOs), thereby promoting secure code from pre-production to production environments.
Source - Dynatrace Blog
Discussing key trends in 2022, Bernd Greifeneder, founder and CTO of Dynatrace, said, "...we’ll see organizations adopting smarter approaches to DevSecOps automation in the next 12 months. They’ll increasingly look for platforms and solutions that enable them to build automation into their delivery pipelines, rather than manually adding it as an afterthought." Furthermore, Dynatrace’s 2021 CISO Report found that 28% of Chief Information Security Officers (CISOs) indicate that application teams sometimes bypass vulnerability scans to speed up software delivery.
In early December 2021, a zero-day exploit was discovered in log4j, a popular Java logging library. With static security scans alone, such a vulnerability might be identified only after a build has run, and it remains undetected in release versions that are already deployed. Dynatrace Cloud Automation with security checks automatically evaluates the risk of exposure and of data access, avoids false positives, and prioritizes vulnerabilities for immediate action.
To add security checks to automated releases with Dynatrace, users need to add one of the out-of-the-box Dynatrace security metrics to the release validation dashboard. For example, to block any new critical-risk vulnerability from a release, the metric Open Security Problems (split by Management Zone), filtered by the critical risk level dimension and with an error criterion of ≥1, can be added to a dashboard chart. Dynatrace Cloud Automation quality gates will then validate the number of critical-risk vulnerabilities as part of the release validation score. Users can add multiple security metrics based on their respective SLOs, as shown below.
Source - Dynatrace Blog
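As an added illustration (not Dynatrace's or Keptn's own code), the following Python evaluator scores a build's SLIs against objectives like the one described above, with the article's critical-vulnerability metric set to fail at ≥1. The scoring rules (full weight for a pass, half for a warning, 90%/75% pass/warning thresholds, and a "key SLI" whose failure vetoes the release) and the metric names are assumptions modelled loosely on Keptn-style SLO evaluation.

```python
# Added example, not Dynatrace's code: a minimal quality-gate evaluator in the
# spirit of the Cloud Automation (Keptn) SLO model; the scoring rules below are
# assumptions (full weight for pass, half for warning, 90/75 thresholds, key SLI veto).
from dataclasses import dataclass
from typing import Optional

OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b, "=": lambda a, b: a == b,
       ">": lambda a, b: a > b, "<": lambda a, b: a < b}

@dataclass
class Objective:
    sli: str                       # metric name on the release validation dashboard
    fail_if: str                   # criterion that fails this objective, e.g. ">=1"
    warn_if: Optional[str] = None  # looser criterion that only warns
    weight: int = 1
    key_sli: bool = False          # a failing key SLI fails the whole gate

def violates(value: float, criterion: str) -> bool:
    """True when `value` matches a criterion string such as '>=1' or '>500'."""
    for op in sorted(OPS, key=len, reverse=True):  # try '>=' before '>'
        if criterion.startswith(op):
            return OPS[op](value, float(criterion[len(op):]))
    raise ValueError(f"unsupported criterion: {criterion!r}")

def evaluate_gate(objectives, slis, pass_pct=90, warn_pct=75):
    """Score a build's SLIs against its objectives: (result, score, outcomes)."""
    achieved, outcomes, key_failed = 0.0, {}, False
    for o in objectives:
        if violates(slis[o.sli], o.fail_if):
            outcomes[o.sli] = "fail"
            key_failed |= o.key_sli
        elif o.warn_if and violates(slis[o.sli], o.warn_if):
            outcomes[o.sli], achieved = "warning", achieved + o.weight / 2
        else:
            outcomes[o.sli], achieved = "pass", achieved + o.weight
    score = round(100 * achieved / sum(o.weight for o in objectives), 1)
    if key_failed or score < warn_pct:
        return "fail", score, outcomes
    return ("warning" if score < pass_pct else "pass"), score, outcomes

# Constructed sample: the article's security metric (open critical security
# problems, fail at >=1) as a key SLI alongside two performance SLIs.
GATE = [
    Objective("open_security_problems_critical", fail_if=">=1", key_sli=True),
    Objective("response_time_p95_ms", fail_if=">800", warn_if=">500"),
    Objective("error_rate_pct", fail_if=">5", warn_if=">1"),
]
CLEAN_BUILD = {"open_security_problems_critical": 0, "response_time_p95_ms": 420,
               "error_rate_pct": 0.4}
VULNERABLE_BUILD = dict(CLEAN_BUILD, open_security_problems_critical=1)
```

A single open critical vulnerability fails the gate even though the performance objectives still pass, which is the behaviour a security SLO on the release validation dashboard is meant to enforce.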
Of late, the open source community has increasingly been shifting left. The Open Source Security Foundation (OpenSSF) recently announced the Alpha-Omega project, aimed at improving the security of Open Source Software (OSS) projects. Google and GitHub also announced the version 4 release of the OpenSSF Scorecards Project.
Dynatrace Cloud Automation is currently available to all Dynatrace Managed and SaaS customers as a SaaS instance. Interested readers can find further details in the Dynatrace Documentation and can also connect with the community.