Next Article in Journal
IP Spoofing In and Out of the Public Cloud: From Policy to Practice
Previous Article in Journal
Prevention of Crypto-Ransomware Using a Pre-Encryption Detection Algorithm
Previous Article in Special Issue
A Complexity Metrics Suite for Cascading Style Sheets
Open AccessArticle

Design and Implementation of SFCI: A Tool for Security Focused Continuous Integration

1
Department of Electrical, Computer and Software Engineering; Ontario Tech University; Oshawa, ON L1G 0C5, Canada
2
GE Grid Solutions, Markham, ON L6C 0M1, Canada
*
Authors to whom correspondence should be addressed.
Computers 2019, 8(4), 80; https://doi.org/10.3390/computers8040080
Received: 23 September 2019 / Revised: 25 October 2019 / Accepted: 30 October 2019 / Published: 1 November 2019
(This article belongs to the Special Issue Code Generation, Analysis and Quality Testing)
Software security is a component of software development that should be integrated throughout its entire development lifecycle, and not simply as an afterthought. If security vulnerabilities are caught early in development, they can be fixed before the software is released in production environments. Furthermore, finding a software vulnerability early in development will warn the programmer and lessen the likelihood of this type of programming error being repeated in other parts of the software project. Using Continuous Integration (CI) for checking for security vulnerabilities every time new code is committed to a repository can alert developers of security flaws almost immediately after they are introduced. Finally, continuous integration tests for security give software developers the option of making the test results public so that users or potential users are given assurance that the software is well tested for security flaws. While there already exists general-purpose continuous integration tools such as Jenkins-CI and GitLab-CI, our tool is primarily focused on integrating third party security testing programs and generating reports on classes of vulnerabilities found in a software project. Our tool performs all tests in a snapshot (stateless) virtual machine to be able to have reproducible tests in an environment similar to the deployment environment. This paper introduces the design and implementation of a tool for security-focused continuous integration. The test cases used demonstrate the ability of the tool to effectively uncover security vulnerabilities even in open source software products such as ImageMagick and a smart grid application, Emoncms.
Keywords: analysis tools; continuous integration; software security; testing analysis tools; continuous integration; software security; testing
MDPI and ACS Style

Lescisin, M.; Mahmoud, Q.H.; Cioraca, A. Design and Implementation of SFCI: A Tool for Security Focused Continuous Integration. Computers 2019, 8, 80.

Show more citation formats Show less citations formats
Note that from the first issue of 2016, MDPI journals use article numbers instead of page numbers. See further details here.

Article Access Map by Country/Region

1
Back to TopTop