izpis_h1_title_alt

Managing DevSecOps pipeline on Azure DevOps portal
ID Bizjak, Alen (Author), ID Lavbič, Dejan (Mentor) More about this mentor... This link opens in a new window

.pdfPDF - Presentation file, Download (1,75 MB)
MD5: 1E2F983B256779894CD7CD2EF4066FD6

Abstract
DevSecOps (Development, Security and Operations) is an extension of DevOps (Development and Operations) that aims at adding security and security testing to the entire development process, which is traditionally neglected in DevOps practices that are more focused on rapid and agile development lifecycle. An important goal of DevSecOps is, therefore, to keep up with the speed of CI/CD pipelines while adding meaningful benefits in the form of increased security. In our work, we implemented a DevSecOps pipeline by starting with a baseline CI/CD pipeline that built our testing application from source code and deployed it to our virtual server. We then transformed this pipeline into the DevSecOps pipeline by including in it Static Application Security Testing (SAST) tools and Dynamic Application Security Testing (DAST) tools. The selection of tools used was inspired by existing studies. We expanded on related works by including other features in our pipeline, such as parsing the results of tools and using those results to develop configurable pipeline build breakers, using Azure caching to speed up the pipeline and more. The resulting pipeline is shown to be able to detect vulnerabilities in the deployed application and it adheres to one of the most important DevOps goals, which is fast execution time.

Language:English
Keywords:Azure DevOps portal, software engineering, DevOps, DevSecOps
Work type:Master's thesis/paper
Typology:2.09 - Master's Thesis
Organization:FRI - Faculty of Computer and Information Science
Year:2023
PID:20.500.12556/RUL-145136 This link opens in a new window
COBISS.SI-ID:149827075 This link opens in a new window
Publication date in RUL:07.04.2023
Views:1128
Downloads:196
Metadata:XML DC-XML DC-RDF
:
Copy citation
Share:Bookmark and Share

Secondary language

Language:Slovenian
Title:Upravljanje cevovoda DevSecOps na portalu Azure DevOps
Abstract:
Prakse DevSecOps (angl. Development, Security and Operations) dodatno razširijo prakse DevOps (angl. Development and Operations) z vpeljavo varnosti in vdelavo varnostnih mehanizmov v avtomatizirani postopek prevajanja kode ter objave aplikacije. Pri praksah DevOps je preverjanje varnosti pogosto zanemarjeno, saj je večji poudarek na čimhitrejšem razvojnem ciklu aplikacije. Pomemben cilj pri implementaciji praks DevSecOps je torej obdržati hitrost razvojnega cikla, ki so jo prinesle prakse DevOps, pri čemer pa dosežemo znatno povišan nivo varnosti. V našem delu smo se ukvarjali z implementacijo cevovoda DevSecOps, pri čemer smo začeli s preprostim cevovodom DevOps, ki nam je predstavljal izhodiščno točko. Namen izhodiščnega cevovoda je bilo prevajanje kode in objava zgrajene testne aplikacije na virtualni strežnik. Cevovod smo nadgradili z orodji za statično in dinamično testiranje aplikacije, po zgledu obstoječih del. Cevovod smo dodatno razširili z vpeljavo skript za razčlenitev rezultatov orodij, uporabo rezultatov za razvoj nastavljivih varovalk cevovoda, ter uporabo predpomnilnika sistema Azure za pohitritev časa obdelave. Dobljeni cevovod DevSecOps se izvede sorazmerno hitro in je sposoben zaznati varnostne pomanjkljivosti v testni aplikaciji.

Keywords:portal Azure DevOps, programsko inženirstvo, DevOps, DevSecOps

Similar documents

Similar works from RUL:
Similar works from other Slovenian collections:

Back