Continuous Security Testing: a case study on integrating dynamic security testing tools in CI/CD pipelines

conference paper
Continuous Integration (CI) and Continuous Delivery (CD) have become well-known practices in DevOps to ensure fast delivery of new features. This is achieved by automatically testing and releasing new software versions, e.g. multiple times per day. However, classical security management techniques cannot keep up with this quick Software Development Life Cycle (SDLC). Nonetheless, guaranteeing high security quality of software systems has become increasingly important. The new trend of DevSecOps aims to integrate security techniques into existing DevOps practices. In particular, the automation of security testing is an important area of research in this trend. Although plenty of literature discusses security testing and CI/CD practices, only a few works deal with both topics together. Additionally, most of the existing works cover only static code analysis and neglect dynamic testing methods. In this paper, we present an approach to integrate three automated dynamic testing techniques into a CI/CD pipeline and provide an empirical analysis of the introduced overhead. We then go on to identify unique research and technology challenges the DevSecOps community will face and propose preliminary solutions to these challenges. Our findings will enable informed decisions when employing DevSecOps practices in agile enterprise application engineering processes and enterprise security.
TNO Identifier: 884283
ISBN: 9781728164731
Publisher: Institute of Electrical and Electronics Engineers (IEEE)
Article nr.: 9233212
Source title: Proceedings 24th International Enterprise Distributed Object Computing Conference, EDOC 2020, 5-8 October 2020
Collation: 10 p.
Pages: 145-154
Files: To receive the publication files, please send an e-mail request to TNO Repository.