Continuous Security Testing: A Case Study on Integrating Dynamic Security Testing Tools in CI/CD Pipelines

Thorsten Rangnau, Remco v. Buijtenen, F. Fransen, F. Turkmen
DOI: 10.1109/EDOC49727.2020.00026 (https://doi.org/10.1109/EDOC49727.2020.00026)
Published in: 2020 IEEE 24th International Enterprise Distributed Object Computing Conference (EDOC)
Publication date: 2020-10-01
Indexed by: Semantic Scholar
Citation count: 21

Abstract

Continuous Integration (CI) and Continuous Delivery (CD) have become a well-known practice in DevOps to ensure fast delivery of new features. This is achieved by automatically testing and releasing new software versions, e.g. multiple times per day. However, classical security management techniques cannot keep up with this quick Software Development Life Cycle (SDLC). Nonetheless, guaranteeing high security quality of software systems has become increasingly important. The new trend of DevSecOps aims to integrate security techniques into existing DevOps practices. In particular, the automation of security testing is an important area of research in this trend. Although plenty of literature discusses security testing and CI/CD practices, only a few deal with both topics together. Additionally, most of the existing works cover only static code analysis and neglect dynamic testing methods. In this paper, we present an approach to integrate three automated dynamic testing techniques into a CI/CD pipeline and provide an empirical analysis of the introduced overhead. We then go on to identify unique research/technology challenges the DevSecOps communities will face and propose preliminary solutions to these challenges. Our findings will enable informed decisions when employing DevSecOps practices in agile enterprise applications engineering processes and enterprise security.
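The abstract above describes adding dynamic security tests to a CI/CD pipeline and measuring the overhead they introduce. The following is an added illustration of how that overhead measurement, and a release gate on the resulting findings, might be scripted; it is not code from the paper or its authors. All stage names, durations, finding IDs and the finding format are constructed assumptions, and the three security stages are placeholders rather than the specific techniques the paper evaluates. It goes slightly beyond the abstract by contrasting sequential with fan-out (parallel) execution of the security stages, since that choice is what usually decides whether the added time is acceptable.

```python
"""Added example, not code from Rangnau et al.: measure the wall-clock
overhead that dynamic security-testing stages add to a CI/CD pipeline
(run sequentially versus in parallel), and apply a severity gate to the
findings they produce.  Stage names, durations and findings are constructed
sample data; the finding dictionaries use our own hypothetical shape, not
the output schema of any real scanner."""

from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Ordered so that a higher rank means a more serious finding.
SEVERITY_RANK: Dict[str, int] = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Stage:
    name: str
    seconds: float                      # measured wall-clock duration
    security: bool = False              # True for an added dynamic security stage
    findings: List[dict] = field(default_factory=list)


def sample_pipeline() -> List[Stage]:
    """Constructed pipeline: three functional stages plus three dynamic
    security stages that can only start once the staging deploy is done."""
    return [
        Stage("build", 120),
        Stage("unit-tests", 180),
        Stage("deploy-staging", 60),
        Stage("dast-scan", 300, security=True, findings=[
            {"id": "C-1", "severity": "medium", "title": "Missing security header"},
            {"id": "C-2", "severity": "high", "title": "Reflected parameter reaches response"},
        ]),
        Stage("api-fuzzing", 240, security=True, findings=[
            {"id": "C-3", "severity": "low", "title": "Verbose error body"},
        ]),
        Stage("runtime-dependency-check", 90, security=True),
    ]


def sequential_overhead(stages: List[Stage]) -> Tuple[float, float, float]:
    """Overhead when security stages run one after another, after the
    functional stages.  Returns (baseline_s, added_s, added_s / baseline_s)."""
    baseline = sum(s.seconds for s in stages if not s.security)
    added = sum(s.seconds for s in stages if s.security)
    if baseline <= 0:
        raise ValueError("pipeline has no functional stages to compare against")
    return baseline, added, added / baseline


def parallel_overhead(stages: List[Stage]) -> Tuple[float, float, float]:
    """Overhead when all security stages start together (fan-out) after the
    functional stages; wall-clock cost is then the slowest scanner, not the sum."""
    baseline = sum(s.seconds for s in stages if not s.security)
    security = [s.seconds for s in stages if s.security]
    added = max(security, default=0.0)
    if baseline <= 0:
        raise ValueError("pipeline has no functional stages to compare against")
    return baseline, added, added / baseline


def gate(stages: List[Stage], fail_at: str = "high") -> Tuple[bool, List[dict]]:
    """Fail the pipeline if any security stage reported a finding at or above
    `fail_at`.  Returns (passed, blocking_findings) so the caller can report
    exactly what blocked the release."""
    threshold = SEVERITY_RANK[fail_at]
    blocking = [
        f for s in stages if s.security
        for f in s.findings
        if SEVERITY_RANK[f["severity"]] >= threshold
    ]
    return not blocking, blocking


if __name__ == "__main__":
    stages = sample_pipeline()
    for label, fn in (("sequential", sequential_overhead), ("parallel", parallel_overhead)):
        base, added, rel = fn(stages)
        print(f"{label:10s} baseline={base:.0f}s  added={added:.0f}s  overhead={rel:.0%}")
    passed, blocking = gate(stages, fail_at="high")
    print("gate:", "PASS" if passed else "FAIL", [f["id"] for f in blocking])
```

With the constructed timings the security stages add 175% to the pipeline when chained, but only 83% when fanned out after the staging deploy, because the wall-clock cost collapses to the slowest scanner. The gate returns the blocking findings rather than just a boolean so that a pipeline log can state exactly which result failed the build.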