An Approach to Enhance CI/CD Pipeline with Open-Source Security Tools
DOI: https://doi.org/10.59573/emsj.8(3).2024.30
Keywords: CI/CD pipeline, DevSecOps, OWASP
Abstract
Continuous Integration (CI) and Continuous Deployment (CD) are central practices in software engineering today. In modern software production models, the CI/CD pipeline has become a mandatory element for increasing delivery speed and reducing the team effort spent on developing, integrating, and deploying software. As information security risks grow, adding security tools to the CI/CD pipeline has become an inevitable trend. Deploying security tools throughout the pipeline according to the "Shift Left" philosophy detects security issues early, so that they can be handled in time and at lower correction cost. In this research, we present an approach to improving the CI/CD pipeline by integrating security tools published by the Open Worldwide Application Security Project (OWASP). We also present the trade-offs involved when implementing security in the CI/CD pipeline.
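As an added illustration of what "shifting left" with an OWASP tool looks like in practice (example code written for this page, not the paper's own implementation), the script below acts as the CI stage that consumes the JSON report of OWASP Dependency-Check and decides whether the pipeline may continue. The embedded report is constructed, not a real scan output; it is shaped like Dependency-Check's JSON format (dependencies[].vulnerabilities[].cvssv3.baseScore), and those field names, the gate threshold and the time-limited risk-acceptance policy are all assumptions of this example rather than anything the paper prescribes. The "warn" mode makes the trade-off the abstract mentions concrete: a team can run the gate in report-only mode while tuning its threshold, then switch to blocking.

```python
"""Added example: a shift-left security gate over an OWASP Dependency-Check style report."""
import json
from datetime import date

# Constructed sample report (not a real scan), shaped like Dependency-Check's JSON
# output; field names are an assumption. Three vulnerable artefacts, one clean one.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "log4j-core-2.14.1.jar",
         "vulnerabilities": [{"name": "CVE-2021-44228", "severity": "CRITICAL",
                              "cvssv3": {"baseScore": 10.0}}]},
        {"fileName": "commons-text-1.9.jar",
         "vulnerabilities": [{"name": "CVE-2022-42889", "severity": "CRITICAL",
                              "cvssv3": {"baseScore": 9.8}}]},
        {"fileName": "guava-31.1-jre.jar",
         "vulnerabilities": [{"name": "CVE-2020-8908", "severity": "LOW",
                              "cvssv3": {"baseScore": 3.3}}]},
        {"fileName": "jackson-databind-2.15.2.jar"},  # no findings reported
    ]
})

# Floor used when a finding carries a severity label but no numeric score,
# so an unscored finding is never silently treated as harmless.
SEVERITY_FLOOR = {"CRITICAL": 9.0, "HIGH": 7.0, "MEDIUM": 4.0, "LOW": 0.1}


def score_of(vuln):
    """CVSS v3 base score if present, else the v2 score, else the severity floor."""
    v3 = vuln.get("cvssv3") or {}
    if v3.get("baseScore") is not None:
        return float(v3["baseScore"])
    v2 = vuln.get("cvssv2") or {}
    if v2.get("score") is not None:
        return float(v2["score"])
    return SEVERITY_FLOOR.get(str(vuln.get("severity", "")).upper(), 0.0)


def findings(report_json):
    """Flatten the report into (artefact, vulnerability id, score) tuples."""
    report = json.loads(report_json)
    return [(dep["fileName"], vuln["name"], score_of(vuln))
            for dep in report.get("dependencies", [])
            for vuln in dep.get("vulnerabilities", [])]


def evaluate_gate(report_json, threshold=7.0, accepted=None, today=None, mode="block"):
    """Decide whether the CI stage may continue.

    threshold: CVSS score at or above which a finding blocks the build.
    accepted:  {vulnerability id: "YYYY-MM-DD"} risk acceptances with an expiry;
               an expired acceptance blocks again, so exceptions cannot live forever.
    today:     date or ISO string, injectable so the decision is reproducible.
    mode:      "block" fails the stage; "warn" only reports, the intermediate stage a
               team uses while tuning the threshold without halting delivery.
    Returns (passed, blocking, accepted_hits).
    """
    accepted = accepted or {}
    today = date.fromisoformat(today) if isinstance(today, str) else (today or date.today())
    blocking, accepted_hits = [], []
    for item in findings(report_json):
        _file_name, vuln_id, score = item
        if score < threshold:
            continue
        expiry = accepted.get(vuln_id)
        if expiry and date.fromisoformat(expiry) >= today:
            accepted_hits.append(item)
        else:
            blocking.append(item)
    passed = mode == "warn" or not blocking
    return passed, blocking, accepted_hits


def main():
    """Run the gate on the constructed report and return the CI exit code."""
    passed, blocking, accepted_hits = evaluate_gate(
        SAMPLE_REPORT, accepted={"CVE-2022-42889": "2024-12-31"}, today="2024-06-01")
    for file_name, vuln_id, score in blocking:
        print(f"BLOCK   {file_name}: {vuln_id} (CVSS {score})")
    for file_name, vuln_id, score in accepted_hits:
        print(f"ACCEPT  {file_name}: {vuln_id} (CVSS {score}, time-limited exception)")
    print("gate:", "PASS" if passed else "FAIL")
    return 0 if passed else 1


if __name__ == "__main__":
    raise SystemExit(main())
```

In a real pipeline the preceding stage would produce the report with Dependency-Check's `--format JSON` option and the gate would read that file instead of the embedded sample; the non-zero exit code from `main()` is what makes the CI runner halt the build. Keeping acceptances time-limited, and not treating unscored findings as zero, are the two details most often missing from first-generation gates.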
This work is licensed under a Creative Commons Attribution 4.0 International License.
Terms and conditions of the Creative Commons Attribution 4.0 International License apply to all published manuscripts. This licence allows authors to use all articles, data sets, graphics and appendices in data mining applications, search engines, web sites, blogs and other platforms by providing an appropriate reference. The journal allows the author(s) to hold the copyright without restrictions and will retain publishing rights without restrictions.
A competing interest exists when professional judgment concerning the validity of research is influenced by a secondary interest, such as financial gain. We require that our authors reveal all possible conflicts of interest in their submitted manuscripts.
The Editor reserves the right to shorten and adjust texts. Significant changes in the text will be agreed with the Authors.