1.Code

Problems

How to find cross reference? How to find issues earlier? How to use debugger?

Scanner build

Scan for mistakes, security issues and Vulnerabilities.

DevSkim

Performs analysis on the applications and reports the vulnerabilities

Automated Code Review

• PMD: Finding Common Vulnerabilities
• DevSkim: Code Security Review
• FindSecBugs: Securing Java Applications

Resources

Benefits of Automated Code Review (ACR) over Manual Code Review (MCR)

Sensitive Information Scan

The Sensitive Information Scan (SAS) phase scans the code for sensitive information (e.g. hardcoded password, tokens, secret keys, etc) before pushing the code into code repositories.

• Trufflehog: Locating Sensitive Information
• GitSecrets: Finding Hardcoded Credentials
• Talisman: Pre-Commit Code Scanning

Using Trufflehog and GitSecrets

Static Application Security Testing

The Static Application Security Testing (SAST) is done to identify the possible vulnerabilities or security issues in non-running source code by using techniques likeTaint Analysis and Data Flow Analysis.

What is Static Code Analysis?

What is Taint Analysis?

What is Data Flow testing?

More Static Code Analysis techniques

Why is it important in DevSecOps?

The Static Application Security Testing phase can be used to identify security issues. For example, taint analysis can identify the variables that can handle the user input and check if vulnerability like buffer overflow can occur.

Tools

• Flawfinder: Statically Scanning C code
• Graudit: Hunting Sensitive Information
• PyCQA Bandit: Scanning Python Code for Issues
• Spotbugs: Finding Bugs in Java Code
• SonarQube: Continuous Code Quality Monitoring