#HSLIDE
DevAudit is an open-source auditing tool targeted at developers and DevOps practitioners that detects security vulnerabilities at multiple levels of the solution stack. DevAudit provides a wide array of auditing capabilities that automate security practices and implementation of security auditing in the software development life-cycle.
From "Improving Code Quality: A Survey of Tools, Trends, and Habits Across Software Organizations." SIG/O'Reilly. 2017.
Only a quarter to a half of organizations do what their own programmers say is needed for the security of their code: automated code scans, peer security code reviews, and further code reviews by security experts. +++
Most developers do not use tools for improving software quality. In large part, this is because they lack the budget to acquire them. One part of the problem here was addressed in the previous point: lacking adequate tools, programmers simply will not be able to maintain code quality at the level they would like to. +++
more than 70 percent of survey respondents reported that they have no budget reserved for code quality tools—not even a few dollars per month...use of the right tools and methodologies for code quality has a marked impact on the performance, stability, security, and maintainability of enterprise software.
+++
- Audit operating system package and library dependency versions for vulnerabilities.
- Audit application and application server configurations for vulnerabilities.
- Audit application code using static analysis.
- Modular, extendable architecture: use from the command line interface, Docker, a web application, a Visual Studio extension, etc.
+++
- CLI interface that can be easily integrated into CI build pipelines. DevAudit Docker image available.
- Uses the OSS Index API, which provides continuously updated vulnerability data.
- Agentless remote auditing: audit remote hosts via SSH or WinRM without DevAudit installed on the remote hosts.
- Audit Docker containers without DevAudit installed on the containers.
+++
- Audit GitHub projects directly from a GitHub repository.
- Use the GitHub, GitLab, and BitBucket audit reporters to report audit results to the issue queue.
- Audit OS package managers and development library package managers.
- Audits package versions recorded in package manager against reported vulnerabilities from OSS Index.
- Uses Versatile library for comparing package versions and reducing false positives.
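The core of a package-manager audit, as an added example that is not DevAudit's own code: parse an installed-package listing, compare each installed version against the version ranges in vulnerability records, and report only real matches. The dpkg listing and the vulnerability records below are constructed sample data (the real OSS Index response schema is not reproduced), and the token-based comparator is a simplified stand-in for the Versatile library, but it shows why structural version comparison rather than string matching is what keeps false positives down: `bash 4.3-7ubuntu1.5` contains the text `4.3` yet sits outside the affected range, and `1.0.10` sorts after `1.0.9`.

```python
"""Miniature package-version audit (added example, not DevAudit code).

Installed versions are compared structurally against vulnerability version
ranges; sample data below is constructed for the example.
"""
import re
from typing import Dict, List, Tuple

# Constructed `dpkg -l`-style listing; not captured from a real host.
SAMPLE_DPKG_OUTPUT = """\
ii  openssl     1.0.1f-1ubuntu2   amd64  Secure Sockets Layer toolkit
ii  bash        4.3-7ubuntu1.5    amd64  GNU Bourne Again SHell
ii  curl        7.47.0-1ubuntu2   amd64  command line tool for transferring data
"""

# Constructed vulnerability records with placeholder ids. The range syntax
# (space-separated constraints, all of which must hold) is this example's own.
SAMPLE_VULNS = [
    {"id": "EXAMPLE-0001", "package": "openssl", "range": "<1.0.1g",
     "title": "constructed openssl finding"},
    {"id": "EXAMPLE-0002", "package": "bash", "range": ">=4.3 <4.3-7ubuntu1.5",
     "title": "constructed bash finding (fixed in the installed revision)"},
    {"id": "EXAMPLE-0003", "package": "curl", "range": "<7.40.0",
     "title": "constructed curl finding (installed version is newer)"},
]

_TOKEN = re.compile(r"\d+|[^\d]+")
_CONSTRAINT = re.compile(r"(<=|>=|<|>|=)\s*(\S+)")


def version_key(version: str) -> List[Tuple[int, object]]:
    """Split '1.0.1f-1ubuntu2' into comparable tokens.

    Numeric runs compare as integers and everything else as text, so
    '1.0.10' > '1.0.9' and '1.0.1f' < '1.0.1g'. Simplified comparator,
    not the Versatile library DevAudit itself uses.
    """
    return [(0, int(t)) if t.isdigit() else (1, t) for t in _TOKEN.findall(version)]


def satisfies(version: str, version_range: str) -> bool:
    """True if `version` lies inside a range such as '>=4.3 <4.3-7ubuntu1.5'."""
    ops = {
        "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
        "=": lambda a, b: a == b,
    }
    constraints = _CONSTRAINT.findall(version_range)
    if not constraints:
        raise ValueError(f"unparseable range: {version_range!r}")
    key = version_key(version)
    return all(ops[op](key, version_key(bound)) for op, bound in constraints)


def parse_dpkg_listing(text: str) -> Dict[str, str]:
    """Map package name -> installed version for lines in state 'ii' (installed)."""
    installed: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "ii":
            installed[parts[1]] = parts[2]
    return installed


def audit(installed: Dict[str, str], vulns: List[dict]) -> List[dict]:
    """Return vulnerability records whose range matches an installed version."""
    findings = []
    for vuln in vulns:
        version = installed.get(vuln["package"])
        if version is not None and satisfies(version, vuln["range"]):
            findings.append({**vuln, "installed": version})
    return findings


if __name__ == "__main__":
    for f in audit(parse_dpkg_listing(SAMPLE_DPKG_OUTPUT), SAMPLE_VULNS):
        print(f"{f['id']}: {f['package']} {f['installed']} matches {f['range']}")
```

Run on the constructed listing, only the openssl record is reported; the bash and curl records are discarded because the installed versions fall outside their ranges.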
+++
- Debian Dpkg
- Redhat RPM/YUM
- Windows Chocolatey
- Windows MSI and OneGet
+++
- Bower
- Composer
- NuGet v2
- More planned e.g. Yarn, NuGet v3
- Audits both the server version and the server configuration of supported servers.
- Supports OpenSSH sshd, Apache httpd, MySQL, and Nginx servers with many more coming.
- Configuration auditing is based on the Alpheus library using full syntactic analysis of the server configuration files.
- Server configuration rules are stored in YAML text files and can be customized to the needs of developers.
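Server configuration auditing in miniature, as an added example that is neither DevAudit's nor the Alpheus library's code: parse an `sshd_config` and evaluate a small rule set against it. The rules are Python dicts standing in for DevAudit's YAML rule files (their actual schema is not reproduced), and the `sshd_config` text is a constructed sample. The point of parsing rather than grepping is visible in the duplicate `PermitRootLogin` line: sshd honours the first occurrence of a directive, so a last-match or substring scan would wrongly pass the host.

```python
"""Miniature sshd_config rule audit (added example, not DevAudit/Alpheus code)."""
import re
from typing import Dict, List

# Constructed sample, not from a real host.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# sshd uses the FIRST value of a directive, so this later line is ignored
PermitRootLogin no
Protocol 2
"""

# Stand-in for YAML rule files. `default` is the value assumed when the
# directive is absent (rule author's assumption, encoded per rule).
SAMPLE_RULES = [
    {"id": "ssh-001", "directive": "PermitRootLogin",
     "allowed": ["no", "prohibit-password"], "default": "prohibit-password",
     "message": "root login over SSH should be disabled"},
    {"id": "ssh-002", "directive": "PasswordAuthentication",
     "allowed": ["no"], "default": "yes",
     "message": "password authentication should be disabled in favour of keys"},
    {"id": "ssh-003", "directive": "X11Forwarding",
     "allowed": ["no"], "default": "no",
     "message": "X11 forwarding should be disabled"},
]

_DIRECTIVE = re.compile(r"([^\s=]+)\s*=?\s*(.*)$")


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Parse 'Keyword value' / 'Keyword=value' lines into a dict.

    Keywords are case-insensitive (stored lower-case) and, as in sshd,
    the first occurrence of a directive wins; comments are stripped.
    """
    config: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        config.setdefault(key, value)  # keep the first value seen
    return config


def evaluate_rules(config: Dict[str, str], rules: List[dict]) -> List[dict]:
    """Return one finding per rule whose effective value is not allowed."""
    findings = []
    for rule in rules:
        key = rule["directive"].lower()
        explicit = key in config
        value = config[key] if explicit else rule["default"]
        if value.lower() not in rule["allowed"]:
            findings.append({
                "id": rule["id"], "directive": rule["directive"],
                "value": value, "explicit": explicit, "message": rule["message"],
            })
    return findings


if __name__ == "__main__":
    for f in evaluate_rules(parse_sshd_config(SAMPLE_SSHD_CONFIG), SAMPLE_RULES):
        origin = "set explicitly" if f["explicit"] else "implied by default"
        print(f"{f['id']} {f['directive']}={f['value']} ({origin}): {f['message']}")
```

On the sample, `ssh-001` and `ssh-002` fire (root login and password authentication are both explicitly `yes`), while `ssh-003` passes because the absent `X11Forwarding` falls back to the rule's default of `no`; a rule with a permissive default and no explicit directive would be reported as "implied by default".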
+++
- Audit application configuration for vulnerabilities.
- Supports ASP.NET applications, with support for several more planned.
DevAudit currently supports static analysis of .NET CIL bytecode. Analyzers reside in external script files and can be fully customized based on the needs of the developer. Support for C# source code analysis via Roslyn, PHP7 source code and many more languages and external static code analysis tools is coming.