Harness STO was built for developers and DevSecOps. This module was designed to make shift-left security more accessible. It is not a security scanner itself, but rather a Security Testing Orchestration solution. Let’s get into exactly what that means, and how STO can help your business build more secure software while reducing internal friction. 

Harness STO integrates with over 40 popular security scanners and orchestrates their execution through automation steps built into CI/CD pipelines or in scanner pipelines that are invoked via API calls.

Engineering and DevSecOps collaborate to build application security testing steps into CI/CD templates. Policies are configured to enforce running these scanner steps, and exception overrides are defined.

When CI/CD pipelines are executed, the data from all scanners is normalized, deduplicated, and correlated, resulting in a prioritized list of vulnerabilities that is made available directly to engineering, DevSecOps, AppSec, or anyone else who needs it. Engineering teams can fix these vulnerabilities in real time as they work on the build and test phases of the software delivery lifecycle.

The capabilities provided by STO enable a proactive application security testing approach, which reduces the risk of vulnerabilities making it into production, and greatly decreases engineering toil associated with remediation rework.

Key Capabilities

Security Testing Automation

Harness STO offers the ability to create and execute application security testing pipelines. Whether you’re using Harness CI/CD or another CI/CD solution, you can invoke Harness STO from within your CI/CD pipelines and benefit from the centralized and analyzed scanner results. See the next section for a detailed explanation of the analysis performed by Harness STO.

Prioritized & Deduped Vulnerability List

Harness STO’s intelligent scanner analysis engine significantly reduces the workload of the engineering team. It collects the disparate output from all supported security scanners, normalizes, deduplicates, correlates, and produces a prioritized list of vulnerabilities to fix. This list is enriched with data to help the engineering team understand what versions of software libraries contain vulnerabilities, making it easier to select the right version for the fix. Harness STO becomes the central source of truth for all application security vulnerability information.
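The normalize, deduplicate, correlate, and prioritize steps described above can be sketched as follows. This is an added example, not Harness STO code: the two scanner schemas, the placeholder CVE ids, and the merge rules (highest severity wins, findings confirmed by more scanners rank first) are assumptions made for illustration.

```python
# Added illustration, not Harness STO code; scanners, fields and ids are constructed.
RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}
SCANNER_A = [  # constructed output of hypothetical scanner A
    {"vuln_id": "CVE-0000-0001", "pkg": "libfoo", "ver": "1.2.0",
     "severity": "HIGH", "fixed_in": "1.2.4"},
    {"vuln_id": "CVE-0000-0002", "pkg": "libbar", "ver": "3.0.1",
     "severity": "LOW", "fixed_in": None},
]
SCANNER_B = [  # constructed output of hypothetical scanner B
    {"cve": "cve-0000-0001", "component": "libfoo@1.2.0", "cvss": 9.1,
     "remediation": {"upgrade_to": "1.2.4"}},
    {"cve": "CVE-0000-0003", "component": "libbaz@0.9.0", "cvss": 5.0,
     "remediation": {}},
]

def cvss_to_severity(score):
    """Map a CVSS v3 base score (> 0) to its qualitative rating."""
    return ("critical" if score >= 9.0 else "high" if score >= 7.0
            else "medium" if score >= 4.0 else "low")

def normalize_a(f):
    return {"id": f["vuln_id"].upper(), "package": f["pkg"], "version": f["ver"],
            "severity": f["severity"].lower(), "fixed_in": f["fixed_in"],
            "scanner": "scanner_a"}

def normalize_b(f):
    package, _, version = f["component"].rpartition("@")
    return {"id": f["cve"].upper(), "package": package, "version": version,
            "severity": cvss_to_severity(f["cvss"]),
            "fixed_in": f["remediation"].get("upgrade_to"), "scanner": "scanner_b"}

def merge(findings):
    """Deduplicate on (id, package, version), correlate scanners, prioritize."""
    merged = {}
    for f in findings:
        key = (f["id"], f["package"], f["version"])
        cur = merged.setdefault(key, {**f, "scanners": set()})
        cur.pop("scanner", None)
        cur["scanners"].add(f["scanner"])
        # Assumption: when scanners disagree, keep the highest severity.
        cur["severity"] = max(cur["severity"], f["severity"], key=RANK.get)
        cur["fixed_in"] = cur["fixed_in"] or f["fixed_in"]
    # Highest severity first, then findings confirmed by more scanners.
    return sorted(merged.values(),
                  key=lambda m: (-RANK[m["severity"]], -len(m["scanners"]), m["id"]))

def prioritized():
    return merge([normalize_a(f) for f in SCANNER_A] +
                 [normalize_b(f) for f in SCANNER_B])
```

Calling prioritized() returns three findings from the four raw records: the libfoo issue reported by both scanners collapses into one entry that lists both sources and the fixed version.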

Static Testing in CI

SAST (Static Application Security Testing) and SCA (Software Composition Analysis) are used to analyze an application’s code, typically during the development, build, and test phases. Harness STO makes it easy to integrate SAST and SCA into your existing CI pipelines. You can use a CI step to call a Harness security testing pipeline, which will execute all the desired security scanners, and respond with pass/fail information. Of course, the scanner results will be automatically analyzed and available within the Harness STO UI for the engineering team to begin the remediation process.


Static/Dynamic Testing in CD

When it’s time to deploy that shiny new artifact, you probably want to execute more SAST scanners, and most likely, some DAST (Dynamic Application Security Testing) scanners too. Don’t worry, we’ve got you covered. Just like with CI, you can use a CD stage to call a Harness security testing pipeline and get all that centralized analysis engine goodness.


Configurable Governance

Every organization needs its application security testing processes to scale with the business. If they don’t, the organization risks inconsistent implementation, which exposes the business to security breaches and brand/reputation damage. Harness STO has built-in governance using OPA (Open Policy Agent), providing the flexibility to define policies as needed across the organization. You can easily define which scanners need to be run at which stages and what constitutes a pass or fail from those scanners, and you can change these policies as required.


Enterprise Dashboards and Reports

When it comes to dashboards and reports, different views are required by different roles across the organization. Executives might want a high-level risk assessment on a single dashboard, while an engineering manager might want to see the vulnerability status of all services their team is working on. Regardless of the use case, Harness STO has all the security scanner data and reporting capabilities needed to be the centralized source for security scanner-based information.


Enterprise-Grade Audit Trails & RBAC

Harness has built a reputation in the CI/CD industry for having incredibly detailed audit trails and fine-grained RBAC. These audit trails make it quick and easy for engineering teams to pass audits, often turning what would be days of effort into just a few hours. Our fine-grained RBAC model means that you can implement a permissions system that meets the needs of your organization – no matter how complex.

Ecosystem Integrations

Harness STO integrates with over 40 of the most popular application security scanners available today. We’re going to expand this list significantly over the coming months, but there’s a high likelihood that we already support what you’re using.

STO Demo

We’ve created this 6-minute demo video to provide a glimpse into how Harness STO works.
