Implementing and Automating Security Scanning to a DevSecOps CI/CD Pipeline


Research area: Analysis



Conference: 2023 World Conference on Communication & Computing (WCONF)


Abstract

The growing adoption of DevOps and the rise of containerization and Continuous Integration/Continuous Deployment (CI/CD) in the software development life cycle (SDLC) have brought significant changes to the industry. While these methods offer many advantages, they also present unique security challenges: containerized applications are more susceptible to cyber attacks than traditional deployments, so security has become a significant concern. Security scanning is an essential aspect of DevSecOps pipelines; it involves analysing the software images deployed to cloud environments in order to identify vulnerabilities and mitigate security threats. This study will involve a thorough review of the existing literature on containerization and CI/CD security and will analyse the current security practices and measures used in containerization-based CI/CD systems. Various tools and techniques have been proposed for implementing and automating image security scanning in DevSecOps pipelines by integrating DAST (Dynamic Application Security Testing) and SAST (Static Application Security Testing) vulnerability scanning. This research proposes a method for implementing and automating image security scanning using the Snyk and StackHawk tools, which provide separate dashboards for SAST and DAST, for monitoring scan results and automating vulnerability fixes. The proposed method can be integrated with GitHub, enabling automatic vulnerability scanning and fixing during the build process. The research evaluates the effectiveness of the proposed method by demonstrating its ability to improve the security of DevSecOps pipelines. The findings suggest that the proposed method can enhance the overall security of the application by reducing the time to detect and fix vulnerabilities.


Authors

Manohar Marandi, Computer Science and Engineering, Karunya Institute of Technology and Sciences, Coimbatore, India

A. Bertia, Computer Science and Engineering, Karunya Institute of Technology and Sciences, Coimbatore, India

Salaja Silas, Computer Science and Engineering, Karunya Institute of Technology and Sciences, Coimbatore, India

Paper information

Publication year: 2023
Citations: 12
Publication country: Andorra
Site: IEEE
Likes: 0
