Title
Continuous Security Testing: a case study on integrating dynamic security testing tools in CI/CD pipelines
Author
Rangnau, T.
van Buijtenen, R.
Fransen, F.
Turkmen, F.
Publication year
2020
Abstract
Continuous Integration (CI) and Continuous Delivery (CD) have become a well-known practice in DevOps to ensure fast delivery of new features. This is achieved by automatically testing and releasing new software versions, e.g. multiple times per day. However, classical security management techniques cannot keep up with this quick Software Development Life Cycle (SDLC). Nonetheless, guaranteeing high security quality of software systems has become increasingly important. The new trend of DevSecOps aims to integrate security techniques into existing DevOps practices. In particular, the automation of security testing is an important area of research in this trend. Although plenty of literature discusses security testing and CI/CD practices, only a few works deal with both topics together. Additionally, most of the existing works cover only static code analysis and neglect dynamic testing methods. In this paper, we present an approach to integrate three automated dynamic testing techniques into a CI/CD pipeline and provide an empirical analysis of the introduced overhead. We then go on to identify unique research/technology challenges the DevSecOps communities will face and propose preliminary solutions to these challenges. Our findings will enable informed decisions when employing DevSecOps practices in agile enterprise application engineering processes and enterprise security.
Subject
Continuous integration
Continuous security
DevSecOps
Dynamic security web testing
DevOps
Dynamic analysis
Industrial management
Life cycle
Pipelines
Software design
Testing
Empirical analysis
Engineering process
Enterprise security
Software quality
Security management
Software development life cycle
Static code analysis
Integration testing
To reference this document use:
http://resolver.tudelft.nl/uuid:9c61968b-cb3d-4426-84b3-d52ab52ef9a8
DOI
https://doi.org/10.1109/edoc49727.2020.00026
TNO identifier
884283
Publisher
Institute of Electrical and Electronics Engineers (IEEE)
ISBN
9781728164731
Source
Proceedings of the 24th International Enterprise Distributed Object Computing Conference (EDOC 2020), 5-8 October 2020, pp. 145-154
Document type
conference paper