DevAudit: Development Auditing for DevOps
DevAudit is an open-source, cross-platform, multi-purpose security auditing tool targeted at developers and DevOps practitioners that detects security vulnerabilities at multiple levels of the solution stack. DevAudit provides a wide array of auditing capabilities that automate security practices and implementation of security auditing in the software development life-cycle. DevAudit can scan your operating system and application package dependencies, application and application server configurations, and application code, for potential vulnerabilities based on data aggregated by OSS Index from a wide array of sources and data feeds such as the National Vulnerability Database (NVD) CVE data feed, the Debian Security Advisories data feed, Drupal Security Advisories, and several others. Support for other 3rd party vulnerability databases like vulners.com is also planned.
DevAudit helps developers address at least 3 of the OWASP Top 10 risks to web application development:
- A9 Using Components with Known Vulnerabilities
- A5 Security Misconfiguration
- A6 Sensitive Data Disclosure
as well as risks classified by MITRE in the CWE dictionary such as CWE-2 Environment and CWE-200 Information Disclosure.
As development progresses and its capabilities mature, DevAudit will be able to address the other risks on the OWASP Top 10 and CWE lists like Injection and XSS. With the focus on web, cloud and distributed multi-user applications, software development today is increasingly a complex affair, with security issues and potential vulnerabilities arising at all levels of the stack developers rely on to deliver applications. The goal of DevAudit is to provide a platform for automating the implementation of development security reviews and best practices at all levels of the solution stack, from library package dependencies to application and server configuration to source code.
Features
- Cross-platform, with a Docker image also available.
- CLI interface.
- Continuously updated vulnerabilities data.
- Audit operating system and development package dependencies.
- Audit application server configurations.
- Audit application configuration.
- Audit application code by static analysis.
- Remote agentless auditing.
- Docker container auditing.
- PowerShell support.
Installation
DevAudit can be installed by the following methods:
- Building from source.
- Using a binary release archive file downloaded from Github for Windows or Linux.
- Using the release MSI installer downloaded from Github for Windows.
- Using the Chocolatey package manager on Windows.
- Pulling the ossindex/devaudit Docker image from Docker Hub on Linux.
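The following script is an added example and is not part of the DevAudit project. It shows how a CI job can pick DevAudit dependency-audit targets from the manifests present in a project directory and build the matching command lines, either for a locally installed binary or for the ossindex/devaudit Docker image listed above. The audit target names (`nuget`, `composer`, `bower`), the `-f <manifest>` flag and the assumption that the Docker image accepts the same arguments as the CLI are taken from the author's memory of the tool and are not confirmed by this page; treat them as assumptions and check them against `devaudit --help`.

```shell
#!/bin/sh
# Added example (not DevAudit project code). Maps dependency manifests found in a
# project directory to DevAudit package-audit targets and prints the commands a
# CI job would run. ASSUMPTIONS: target names nuget/composer/bower, the "-f" flag,
# and that the ossindex/devaudit image takes the same arguments as the CLI.

# Print one "target manifest" pair per line for each manifest present in $1.
devaudit_targets() {
    dir=${1:-.}
    [ -f "$dir/packages.config" ] && echo "nuget $dir/packages.config"
    [ -f "$dir/composer.json" ]   && echo "composer $dir/composer.json"
    [ -f "$dir/bower.json" ]      && echo "bower $dir/bower.json"
    return 0
}

# Build the command that audits one manifest. With DEVAUDIT_USE_DOCKER=1 the
# manifest's directory is mounted read-only into the container (assumed layout);
# otherwise a locally installed devaudit binary is used.
devaudit_cmd() {
    target=$1
    manifest=$2
    if [ "${DEVAUDIT_USE_DOCKER:-0}" = "1" ]; then
        echo "docker run --rm -v $(dirname "$manifest"):/audit:ro ossindex/devaudit $target -f /audit/$(basename "$manifest")"
    else
        echo "devaudit $target -f $manifest"
    fi
}

# Print every audit command for the project in $1.
# Exit status 1 when no auditable manifest was found, so a CI job that expected
# a dependency audit does not silently pass.
devaudit_plan() {
    dir=${1:-.}
    devaudit_targets "$dir" | while read -r target manifest; do
        devaudit_cmd "$target" "$manifest"
    done
    [ -n "$(devaudit_targets "$dir")" ]
}

# Example use (constructed): print the plan for the current directory.
# devaudit_plan . | while read -r cmd; do echo "would run: $cmd"; done
```

In a pipeline, run each printed command and fail the build on a nonzero exit status; the design keeps command construction separate from execution so the plan can be reviewed in the job log before anything is run.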