One of the easiest activities to integrate into your DevOps practice is an automated code audit, and the list of benefits is long. Code audit has not only become a requirement for a lot of compliance regimes, it also gives you actionable findings for improving your code with very little effort.
Why is deploying a code audit practice easy?
It is offline and runs straight on your code repository.
It is fast and easy to run.
The report is more developer friendly than what you usually expect from a security audit exercise.
It still manages to identify a lot of credential leakage and code-level security issues such as SQL injection.
Integrating it into your DevOps practice can be as simple as writing a wrapper (a post-commit hook) for git that triggers the code audit tool after every commit, or even simpler, a crontab entry that runs the tool every night at a fixed time and emails the report. To the DevOps gurus out there, please be gentle on that last statement; I am only trying to show very basic automation steps that get code audit into someone's development process.
Those who already have a proper DevOps workflow in place can use any of the automation servers such as Jenkins, Codar, GoCD, etc. to integrate code audit into their workflow. Most code audit tools either have connectors for the automation servers or vice versa, and failing that a simple bash or PowerShell wrapper will do the trick.
That said, here are the challenges with code audit:
Most code audit tools are language specific, so choosing the right one takes effort, even more so when your applications are written in multiple languages.
Because you can run code audit frequently and with little effort, you may end up generating too many reports, which leads to reviewer fatigue and makes the entire activity a waste of effort.
In most cases one tool will not suffice, especially if you go the open-source route. For instance, you might need one tool to find code bugs, another for passwords and high-entropy strings in code, and yet another for authentication and syntax issues specific to your cloud provider (there is, for example, a tool designed only to find AWS access key IDs and secrets in code), and so on.
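To make the hook-or-cron automation above and the "one tool per problem" point concrete, here is an added example that is not from the original post or from any tool it links: a small secrets scanner covering two of the jobs mentioned (the AWS access key ID pattern and high-entropy strings) plus a baseline file so that each run only reports findings that are new since the last run, which is the simplest cure for the report fatigue described below. The baseline file name, the skipped directories and the entropy threshold are assumptions chosen for illustration; the sample config is constructed and uses the placeholder credentials from the AWS documentation, not live keys.

```python
"""Added example: minimal secrets scanner with "new since last run" reporting.
Not the post's own code; file names, thresholds and skip lists are assumptions."""
import json
import math
import os
import re
import sys
from collections import Counter

# AWS access key IDs are "AKIA" followed by 16 upper-case alphanumerics.
AWS_KEY_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
# Candidate tokens for the entropy check: 20+ chars from a base64-like alphabet.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ENTROPY_THRESHOLD = 4.0                        # bits per char; tune per code base (assumption)
BASELINE_FILE = ".code-audit-baseline.json"    # assumed name, kept in the repo root
SKIP_DIRS = {".git", "node_modules", "vendor"}  # assumed; dependency dirs are noisy

# Constructed sample input. The two credentials are the placeholder values from the
# AWS documentation, not live keys; the other lines are filler.
SAMPLE_CONFIG = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
db_password = hunter2
helper = configuration_manager_instance
"""


def shannon_entropy(s):
    """Shannon entropy of s in bits per character (0.0 for empty or single-symbol input)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text, path="<memory>"):
    """Scan one file's contents; return finding dicts in line order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in AWS_KEY_RE.finditer(line):
            findings.append({"path": path, "line": lineno,
                             "kind": "aws-access-key-id", "value": m.group(1)})
        for m in TOKEN_RE.finditer(line):
            tok = m.group(0)
            if AWS_KEY_RE.search(tok):
                continue  # already reported by the pattern rule above
            ent = shannon_entropy(tok)
            if ent >= ENTROPY_THRESHOLD:
                findings.append({"path": path, "line": lineno, "kind": "high-entropy-string",
                                 "value": tok, "entropy": round(ent, 2)})
    return findings


def scan_tree(root):
    """Walk a checkout and scan every file as text, skipping VCS/dependency dirs."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            if name == BASELINE_FILE:
                continue  # the baseline holds old findings; do not re-find them
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    findings.extend(scan_text(fh.read(), os.path.relpath(path, root)))
            except OSError:
                continue  # unreadable file: skip rather than abort the run
    return findings


def finding_key(f):
    # Line numbers shift on every commit, so identity is path + kind + value.
    return (f["path"], f["kind"], f["value"])


def new_findings(current, baseline):
    """Only the findings not already present in the previous run's baseline."""
    seen = {finding_key(f) for f in baseline}
    return [f for f in current if finding_key(f) not in seen]


def main(argv):
    root = argv[1] if len(argv) > 1 else "."
    baseline_path = os.path.join(root, BASELINE_FILE)
    baseline = []
    if os.path.exists(baseline_path):
        with open(baseline_path) as fh:
            baseline = json.load(fh)
    current = scan_tree(root)
    fresh = new_findings(current, baseline)
    with open(baseline_path, "w") as fh:
        json.dump(current, fh, indent=1)  # the next run diffs against this
    for f in fresh:
        print("{path}:{line}: {kind} {value}".format(**f))
    print("%d findings, %d new since last run" % (len(current), len(fresh)))
    return 1 if fresh else 0  # non-zero lets a git hook or CI job fail the build


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 audit.py "$(git rev-parse --show-toplevel)"` from a post-commit hook, or from a nightly crontab entry whose output you mail; the baseline file is what keeps the nightly mail from repeating the same findings. On the constructed sample it reports the access key ID on line 2 and the 40-character secret on line 3 (entropy about 4.66 bits per character), but not `hunter2`, which is too short and too regular for the entropy rule, nor the long but ordinary identifier on line 5 (about 3.63 bits per character). That blind spot for plain passwords is exactly why the post says one tool rarely suffices.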
But when you weigh the positives against the negatives, code audit clearly does more good than harm, so my recommendation is to start auditing your code today. You will be surprised by what you find in the initial reports.
To get you going, here is a URL with a list of pretty good code audit tools:
https://www.owasp.org/index.php/Source_Code_Analysis_Tools
Cheers,
Roy