{"id":23976,"date":"2016-10-11T11:27:46","date_gmt":"2016-10-11T15:27:46","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/visualstudioalm\/?p=23976"},"modified":"2019-02-14T15:56:12","modified_gmt":"2019-02-14T23:56:12","slug":"team-services-october-extensions-roundup-rugged-devops","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/devops\/team-services-october-extensions-roundup-rugged-devops\/","title":{"rendered":"Team Services October Extensions Roundup &#8211; Rugged DevOps"},"content":{"rendered":"<p>This month the focus is on making your DevOps environment rugged. <a href=\"https:\/\/puppet.com\/sites\/default\/files\/inline-images\/2016%20State%20of%20DevOps%20infographic.jpg\">According to Puppet<\/a>, teams leveraging DevOps are deploying 200x more frequently and leveraging 90% more OSS components. Many of these teams, however, have not integrated security into their processes. The teams who have spend 50% less time fixing security issues later. With this roundup we&#8217;ll look at three extensions that add support for OSS security and license validation, as well as code scanning, to &#8216;shift left&#8217; your security and help you spend less time building more secure software.<\/p>\n<h3>WhiteSource<\/h3>\n<p>See it in the Marketplace: <a href=\"https:\/\/marketplace.visualstudio.com\/items?itemName=whitesource.whitesource\">https:\/\/marketplace.visualstudio.com\/items?itemName=whitesource.whitesource<\/a><\/p>\n<p>If your project leverages OSS, then you need to consider using WhiteSource. 
This extension adds a build task that enables critical OSS management scenarios once connected with your WhiteSource account.<\/p>\n<ul>\n<li><a href=\"https:\/\/marketplace.visualstudio.com\/items?itemName=whitesource.whitesource#whitesource-secures-your-open-source-usage\">Secure Your Open Source Usage<\/a>\u00a0&#8211; the WhiteSource build task automatically detects the OSS components and dependencies used in your project from your repositories, without the need to scan your code<\/li>\n<\/ul>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/6\/2019\/05\/images_risk_report.png\"><img decoding=\"async\" width=\"759\" height=\"365\" class=\"size-full wp-image-23985 aligncenter\" alt=\"images_risk_report\" src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2016\/10\/images_risk_report.png\" \/><\/a><\/p>\n<ul>\n<li><a href=\"https:\/\/marketplace.visualstudio.com\/items?itemName=whitesource.whitesource#get-real-time-alerts-on-security-vulnerabilities\">Get Real-Time Alerts on Security Vulnerabilities<\/a> &#8211; get alerted whenever a component with a known security vulnerability is added to your project, or when new vulnerabilities are found in components you&#8217;re already using. 
You can also set up alerts for component licenses based on your pre-defined policies, security fixes, and component versioning.<\/li>\n<\/ul>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/6\/2019\/05\/images_TFS_vulnerbility.png\"><img decoding=\"async\" width=\"1212\" height=\"367\" class=\"size-full wp-image-23995 aligncenter\" alt=\"images_TFS_vulnerbility\" src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2016\/10\/images_TFS_vulnerbility.png\" \/><\/a><\/p>\n<ul>\n<li><a href=\"https:\/\/marketplace.visualstudio.com\/items?itemName=whitesource.whitesource#whitesource-secures-your-open-source-usage\">Automate Your Open Source Approval Process<\/a>\u00a0&#8211; Using pre-defined policies with your WhiteSource account, you can automate the approval or rejection of newly added OSS components based on licenses, vulnerabilities, severe software bugs, quantity of newer versions, and more.<\/li>\n<\/ul>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/6\/2019\/05\/images_policies.png\"><img decoding=\"async\" width=\"1273\" height=\"327\" class=\"size-full wp-image-23997 aligncenter\" alt=\"images_policies\" src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2016\/10\/images_policies.png\" \/><\/a><\/p>\n<h3>HPE Security Fortify VSTS extension<\/h3>\n<p>See it in the Marketplace: <a href=\"https:\/\/marketplace.visualstudio.com\/items?itemName=fortifyvsts.hpe-security-fortify-vsts\">https:\/\/marketplace.visualstudio.com\/items?itemName=fortifyvsts.hpe-security-fortify-vsts<\/a><\/p>\n<p>This extension adds four build tasks and enables you to leverage HPE Fortify for its two major offerings: Fortify SCA and Fortify on Demand.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/6\/2019\/05\/img_add-task.jpg\"><img decoding=\"async\" width=\"508\" height=\"223\" class=\"aligncenter wp-image-24015 
size-full\" alt=\"img_add-task\" src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2016\/10\/img_add-task-e1476122838612.jpg\" \/><\/a><\/p>\n<p><strong>HPE Fortify&#8217;s SCA<\/strong> provides security source code analysis using a multitude of security coding rules and guidelines for a broad set of programming languages. Two build tasks added by this extension enable Fortify SCA:<\/p>\n<ul>\n<li><a href=\"https:\/\/marketplace.visualstudio.com\/items?itemName=fortifyvsts.hpe-security-fortify-vsts#fortify-static-code-analyzer-installation\">Fortify Static Code Analyzer Installation<\/a>\u00a0&#8211;\u00a0You&#8217;ll run this task to automatically install the Fortify SCA software on your build agent. You just provide the Fortify license file; the task installs SCA unless it is already present, and configures it with the Fortify rule packs the license entitles you to.<\/li>\n<li><a href=\"https:\/\/marketplace.visualstudio.com\/items?itemName=fortifyvsts.hpe-security-fortify-vsts#fortify-static-code-analyzer-assessment\">Fortify Static Code Analyzer Assessment<\/a>\u00a0&#8211; This task actually runs the SCA as a build step, leverages all the proper parameters, and can output the results of your scan as build artifacts.<\/li>\n<\/ul>\n<p><strong>Fortify on Demand<\/strong>\u00a0delivers security as a service and consists of a static scan that is audited by their team of experts, or a dynamic scan that mimics real-world hacking techniques and attacks using both automated and manual techniques to provide comprehensive analysis of complex Web applications and services. Two build tasks are included in this extension:<\/p>\n<ul>\n<li><a href=\"http:\/\/fortify-on-demand-static-assessment\">Fortify on Demand Static Assessment<\/a>\u00a0&#8211; this requests a static assessment as a build step and performs the necessary upload to the Fortify on Demand service. 
You can be notified based on your own preferences, and your results will be in your Fortify Portal.<\/li>\n<li><a href=\"https:\/\/marketplace.visualstudio.com\/items?itemName=fortifyvsts.hpe-security-fortify-vsts#fortify-on-demand-dynamic-assessment\">Fortify on Demand Dynamic Assessment<\/a>\u00a0&#8211; this requests a dynamic scan as a build step. Before using this task you&#8217;ll need to configure your dynamic scan settings in your Fortify on Demand portal. At the portal, you&#8217;ll configure the URL where your application is being deployed and hosted.<\/li>\n<\/ul>\n<h3>Checkmarx<\/h3>\n<p>See it in the Marketplace: <a href=\"https:\/\/marketplace.visualstudio.com\/items?itemName=checkmarx.cxsast\">https:\/\/marketplace.visualstudio.com\/items?itemName=checkmarx.cxsast<\/a><\/p>\n<p>If security at speed is what you&#8217;re looking for, give Checkmarx a look. This extension offers Static Source Code Analysis, and what sets it apart from the competition are features like <strong>incremental scanning<\/strong> and <strong>best fix location<\/strong>. The ability to scan only new or modified code keeps your build process fast, but still gives peace of mind that you will find your specific security flaws before they become problems. 
Best fix location even goes as far as to highlight where you should fix your code.<\/p>\n<p>To use the build task, you&#8217;ll just need to configure a <a href=\"https:\/\/marketplace.visualstudio.com\/items?itemName=checkmarx.cxsast#setup-new-checkmarx-end-point\">service endpoint<\/a> with your Checkmarx account.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/6\/2019\/05\/CxScan_Images_sample1.png\"><img decoding=\"async\" width=\"1042\" height=\"716\" class=\"size-full wp-image-24025 aligncenter\" alt=\"CxScan_Images_sample1\" src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2016\/10\/CxScan_Images_sample1.png\" \/><\/a><\/p>\n<h3>Are you using an extension you think should be featured here?<\/h3>\n<p>I&#8217;ll be on the lookout for extensions to feature in the future, so if you&#8217;d like to see yours (or someone else&#8217;s) here, then let me know on Twitter!<\/p>\n<p><a href=\"https:\/\/twitter.com\/JoeB_in_NC\">@JoeB_in_NC<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This month the focus is on making your DevOps environment rugged. According to Puppet, teams leveraging DevOps are deploying 200x more frequently and leveraging 90% more OSS components. Many of these teams, however, have not integrated security into their processes. The teams who\u00a0have, spend 50% less time fixing security issues later. With this roundup we&#8217;ll [&hellip;]<\/p>\n","protected":false},"author":212,"featured_media":45953,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-23976","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-devops"],"acf":[],"blog_post_summary":"<p>This month the focus is on making your DevOps environment rugged. 
According to Puppet, teams leveraging DevOps are deploying 200x more frequently and leveraging 90% more OSS components. Many of these teams, however, have not integrated security into their processes. The teams who\u00a0have, spend 50% less time fixing security issues later. With this roundup we&#8217;ll [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/23976","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/users\/212"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/comments?post=23976"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/23976\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media\/45953"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media?parent=23976"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/categories?post=23976"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/tags?post=23976"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}