The most important regulation by far and the one expected to have the most impact around the world comes from the European Commission which in April 2021 issued a proposal for a new act to regulate AI.
“here are some steps to identify and track code that should be reviewed carefully:
- Tagging user stories for security features or business workflows which handle money or sensitive data.
- Grepping source code for calls to dangerous function calls like crypto functions.
- Scanning code review comments (if you are using a collaborative code review tool like Gerrit).
- Tracking code check-in to identify code that is changed often: code with a high rate of churn tends to have more defects.
- Reviewing bug reports and static analysis to identify problem areas in code: code with a history of bugs, or code that has high complexity and low automated test coverage.
- Looking out for code that has recently undergone large-scale “root canal” refactoring. While day-to-day, in-phase refactoring can do a lot to simplify code and make it easier to understand and safer to change, major refactoring or redesign work can accidentally change the trust model of an application and introduce regressions.”
― Agile Application Security: Enabling Security in a Continuous Delivery Pipeline
“Automated systems can allow mistakes, errors, and attacks to be propagated and multiplied in far more damaging ways than manual systems. As the DevOps comedy account @DevOpsBorat says, “To make error is human. To propagate error to all server in automatic way is #devops.” Furthermore, automated tooling is fallible; and as we know so well in the security world, it can be easy for humans to begin to trust in the computer and stop applying sense or judgment to the results. This can lead to teams trusting that if the tests pass, the system is working as expected, even if other evidence might indicate otherwise.”
― Agile Application Security: Enabling Security in a Continuous Delivery Pipeline
“Agile teams rely on automation heavily in order to get the speed, repeatability, and consistency that they need to keep moving forward. However automation itself comes with its own risks. The tools themselves can be the target of attack and an attack vector in themselves,”
― Agile Application Security: Enabling Security in a Continuous Delivery Pipeline