An Analysis System to Test Security of Software on Continuous Integration-Continuous Delivery Pipeline

Carmelo Aparo, C. Bernardeschi, G. Lettieri, Fabio Lucattini, Salvatore Montanarella
DOI: 10.1109/EuroSPW59978.2023.00012 (https://doi.org/10.1109/EuroSPW59978.2023.00012)
Published in: 2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)
Publication date: 2023-07-01
Citation count: 0

Abstract

This work presents a modular and scalable analysis system to integrate different Application Security Testing tools inside a Continuous Integration-Continuous Delivery pipeline. Docker containerization and tools for stateless execution allow parallelism and replication. As a result of the analysis of an application, the system produces as output a single JSON report that contains all the vulnerabilities found by the executed tools, with a risk score associated with each vulnerability. Two Application Security Testing tools, OWASP ZAP and SonarQube, have been integrated using the GitLab platform to apply the DevOps methodology to Java web application analysis. Results on the OWASP Benchmark test suite confirm a consistent improvement of the security analysis and allow comparison of tool accuracy by vulnerability category.