Continuous Security Testing: A Case Study on Integrating Dynamic Security Testing Tools in CI/CD Pipelines

Thorsten Rangnau, Remco v. Buijtenen, Frank Fransen, Fatih Turkmen

Research output: Academic, peer reviewed

1 citation (Scopus)
14 downloads (Pure)


Continuous Integration (CI) and Continuous Delivery (CD) have become well-known DevOps practices for delivering new features quickly. This is achieved by automatically testing and releasing new software versions, e.g. several times per day. However, classical security management techniques cannot keep up with such a fast Software Development Life Cycle (SDLC), even though assuring the security quality of software systems has become increasingly important. The emerging DevSecOps trend aims to integrate security techniques into existing DevOps practices; in particular, automating security testing is an important research area in this trend. Although plenty of literature discusses security testing and CI/CD practices separately, only a few works address both topics together, and most of those cover only static code analysis while neglecting dynamic testing methods. In this paper, we present an approach to integrate three automated dynamic testing techniques into a CI/CD pipeline and provide an empirical analysis of the overhead this introduces. We then identify research and technology challenges that the DevSecOps community will face and propose preliminary solutions to them. Our findings enable informed decisions when employing DevSecOps practices in agile enterprise application engineering processes and enterprise security.

Original language: English
Title: EDOC Conference
Publisher: Institute of Electrical and Electronics Engineers (IEEE)
Number of pages: 10
ISBN (print): 9781728164731
Status: Published - 23 Oct 2020
Event: 2020 IEEE 24th International Enterprise Distributed Object Computing Conference (EDOC) - Eindhoven, Netherlands
Duration: 5 Oct 2020 - 8 Oct 2020


Conference: 2020 IEEE 24th International Enterprise Distributed Object Computing Conference (EDOC)
