Design and Implementation of SFCI: A Tool for Security Focused Continuous Integration
1 Department of Electrical, Computer and Software Engineering, Ontario Tech University, Oshawa, ON L1G 0C5, Canada
2 GE Grid Solutions, Markham, ON L6C 0M1, Canada
* Authors to whom correspondence should be addressed.
Computers 2019, 8(4), 80; https://doi.org/10.3390/computers8040080
Received: 23 September 2019 / Revised: 25 October 2019 / Accepted: 30 October 2019 / Published: 1 November 2019
(This article belongs to the Special Issue Code Generation, Analysis and Quality Testing)
Software security should be integrated throughout the entire software development lifecycle rather than treated as an afterthought. If security vulnerabilities are caught early in development, they can be fixed before the software is released to production environments. Furthermore, finding a vulnerability early warns the programmer and lessens the likelihood of the same type of programming error being repeated in other parts of the project. Using Continuous Integration (CI) to check for security vulnerabilities every time new code is committed to a repository can alert developers to security flaws almost immediately after they are introduced. Finally, CI tests for security give developers the option of making the test results public, so that users or potential users gain assurance that the software is well tested for security flaws. While general-purpose CI tools such as Jenkins-CI and GitLab-CI already exist, our tool is primarily focused on integrating third-party security testing programs and generating reports on the classes of vulnerabilities found in a software project. Our tool performs all tests in a snapshot (stateless) virtual machine, so that tests are reproducible and run in an environment similar to the deployment environment. This paper introduces the design and implementation of a tool for security-focused continuous integration. The test cases used demonstrate the ability of the tool to effectively uncover security vulnerabilities even in open source software products such as ImageMagick and the smart grid application Emoncms.
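The abstract describes three mechanisms: running each third-party checker in a stateless environment, normalising the checkers' output, and reporting findings by vulnerability class. The following is an added example sketching those mechanisms in Python; it is not SFCI's code and not from the paper. The sanitizer log and the JSON analyser output are constructed samples, the tool names, file paths and the rule-to-CWE mapping are hypothetical, and a throw-away directory copy stands in for the snapshot virtual machine revert.

```python
# Added example (not SFCI's own code): a minimal security-focused CI step that
# runs each third-party checker against a fresh copy of the source tree,
# normalises the checkers' output into findings, groups the findings by
# vulnerability class and decides whether the commit may pass.
import json
import re
import shutil
import tempfile
from collections import defaultdict
from pathlib import Path

# Constructed sample output in the style of AddressSanitizer and of a
# hypothetical JSON-emitting static analyser; neither comes from a real run.
SANITIZER_LOG = """\
==4242==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000014
READ of size 4 at 0x602000000014 thread T0
    #0 0x4011a3 in parse_header /src/decode.c:217:9
    #1 0x4020c1 in main /src/main.c:33:5
"""
STATIC_JSON = json.dumps([
    {"rule": "sql-injection", "file": "app/query.php", "line": 88},
    {"rule": "command-injection", "file": "app/update.php", "line": 41},
    {"rule": "unused-variable", "file": "app/query.php", "line": 12},
])

# Hypothetical mapping from tool-specific rule names to vulnerability classes.
CLASS_MAP = {
    "heap-buffer-overflow": "CWE-122 Heap-based Buffer Overflow",
    "stack-buffer-overflow": "CWE-121 Stack-based Buffer Overflow",
    "sql-injection": "CWE-89 SQL Injection",
    "command-injection": "CWE-78 OS Command Injection",
}
# Classes whose presence fails the build; everything else is reported only.
BLOCKING = set(CLASS_MAP.values())

_ASAN_ERR = re.compile(r"^==\d+==ERROR: AddressSanitizer: ([\w-]+)", re.M)
_ASAN_FRAME = re.compile(r"^\s+#0 0x[0-9a-f]+ in \S+ ([^:\s]+):(\d+)", re.M)


def parse_sanitizer(log: str) -> list[dict]:
    """Turn a sanitizer report into normalised findings (tool, kind, file, line)."""
    findings = []
    for err in _ASAN_ERR.finditer(log):
        frame = _ASAN_FRAME.search(log, err.end())  # innermost frame after the error line
        file, line = (frame.group(1), int(frame.group(2))) if frame else ("?", 0)
        findings.append({"tool": "asan", "kind": err.group(1), "file": file, "line": line})
    return findings


def parse_static(text: str) -> list[dict]:
    """Normalise the hypothetical analyser's JSON records into the same shape."""
    return [{"tool": "static", "kind": r["rule"], "file": r["file"], "line": r["line"]}
            for r in json.loads(text)]


def classify(findings: list[dict]) -> dict:
    """Group findings by vulnerability class; unmapped rules are kept, not dropped."""
    report = defaultdict(list)
    for f in findings:
        report[CLASS_MAP.get(f["kind"], "Unclassified")].append(f)
    return dict(report)


def run_in_clean_workspace(pristine: Path, tool):
    """Run `tool` on a throw-away copy of the tree so one run cannot contaminate the next.
    A real deployment would revert a VM snapshot here; the directory copy stands in."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp) / "src"
        shutil.copytree(pristine, work)
        return tool(work)


def sanitizer_tool(work: Path) -> list[dict]:
    # A real step would build with -fsanitize=address and run the test suite;
    # the constructed log stands in for its output. It leaves build residue behind.
    (work / "a.out").write_bytes(b"")
    return parse_sanitizer(SANITIZER_LOG)


def static_tool(work: Path) -> list[dict]:
    # Residue from the previous tool must not be visible: each tool sees a fresh tree.
    if (work / "a.out").exists():
        raise RuntimeError("workspace is not stateless")
    return parse_static(STATIC_JSON)


def gate(report: dict, blocking: set = BLOCKING) -> bool:
    """True if the commit may pass, i.e. no blocking class was found."""
    return not (set(report) & blocking)


def ci_step() -> tuple[dict, bool]:
    """One CI run: pristine tree in, (report grouped by class, pass/fail) out."""
    with tempfile.TemporaryDirectory() as tmp:
        pristine = Path(tmp) / "pristine"
        pristine.mkdir()
        (pristine / "main.c").write_text("int main(void) { return 0; }\n")  # placeholder source
        findings = (run_in_clean_workspace(pristine, sanitizer_tool)
                    + run_in_clean_workspace(pristine, static_tool))
    report = classify(findings)
    return report, gate(report)


if __name__ == "__main__":
    report, passed = ci_step()
    for cls, items in sorted(report.items()):
        print(f"{cls}: {len(items)} finding(s)")
    print("PASS" if passed else "FAIL")
```

The point of `run_in_clean_workspace` is the property the abstract attributes to the snapshot VM: a tool that leaves artefacts behind (here `sanitizer_tool`) cannot influence the next tool's result, and two runs on the same commit see the same input. Unmapped rules land in "Unclassified" rather than being silently dropped, so a new checker can be wired in before its rules have been mapped to classes.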
Keywords: analysis tools; continuous integration; software security; testing
This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
MDPI and ACS Style
Lescisin, M.; Mahmoud, Q.H.; Cioraca, A. Design and Implementation of SFCI: A Tool for Security Focused Continuous Integration. Computers 2019, 8, 80. https://doi.org/10.3390/computers8040080
AMA Style
Lescisin M, Mahmoud QH, Cioraca A. Design and Implementation of SFCI: A Tool for Security Focused Continuous Integration. Computers. 2019; 8(4):80. https://doi.org/10.3390/computers8040080
Chicago/Turabian Style
Lescisin, Michael; Mahmoud, Qusay H.; Cioraca, Anca. 2019. "Design and Implementation of SFCI: A Tool for Security Focused Continuous Integration" Computers 8, no. 4: 80. https://doi.org/10.3390/computers8040080