A Unified Framework for Automating Software Security Analysis in DevSecOps

Abstract: Development and Operations (DevOps) is a set of practices and cultural values whose main objectives are to shorten the software development lifecycle, produce quality software, and remove barriers to software evolution. The increased demand for secure software applications has led to a variant of DevOps called Development, Security, and Operations (DevSecOps), which attempts to integrate security practices into the DevOps process. In this paper, we outline the current challenges in securing DevOps applications: the lack of automated software security testing tools, insufficient integration between security tools, a lack of security knowledge among developers, and the false-positive results produced by many vulnerability scanners. To address these challenges, we introduce a unified framework for automating software security analysis in the DevSecOps paradigm. The framework serves as an intermediate layer between an application's Continuous Integration (CI) and Continuous Delivery (CD) pipelines and the application security services it invokes. We present the framework's high-level architecture, and one case study illustrates the applicability of the proposed approach.
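The abstract describes the framework only at the level of its position in the pipeline, so the following is an added illustration (not code from the paper or from any project it cites) of what such an intermediate layer has to do: take raw output from several scanners, normalise it into one finding schema, drop duplicate reports, apply reviewed suppressions for known false positives, and return a gate decision the CI job can act on. The two scanner output formats, the `Finding` schema, the suppression-rule format, and the sample findings are all constructed assumptions for the example.

```python
"""Illustrative aggregation layer sitting between a CI job and several
security scanners. Added example, not the paper's code; scanner formats,
the finding schema, the suppression format and all sample data are assumed."""
import hashlib
import json
from dataclasses import dataclass

# Constructed sample output from two hypothetical scanners: a SAST tool
# ("sast-a") and a dependency scanner ("deps-b"). Neither format is real.
SAMPLE_SAST = json.dumps({"results": [
    {"rule": "sqli", "severity": "high", "path": "app/db.py", "line": 42,
     "msg": "SQL statement built by string concatenation"},
    {"rule": "hardcoded-secret", "severity": "medium", "path": "tests/fixtures.py",
     "line": 3, "msg": "possible hard-coded credential"},
]})
SAMPLE_DEPS = json.dumps({"vulns": [
    {"id": "DEP-001", "level": "critical", "package": "examplelib", "version": "1.0.0"},
    # the same vulnerability reported twice, as tools that scan per-manifest often do
    {"id": "DEP-001", "level": "critical", "package": "examplelib", "version": "1.0.0"},
]})
SAMPLE_OUTPUTS = {"sast-a": SAMPLE_SAST, "deps-b": SAMPLE_DEPS}

# A reviewed suppression: secrets flagged under tests/ are fixture data, not leaks.
SAMPLE_SUPPRESSIONS = [
    {"rule": "hardcoded-secret", "path_prefix": "tests/", "reason": "test fixtures only"},
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    """Tool-independent finding: the unified schema every scanner is mapped into."""
    tool: str
    rule: str
    severity: str   # one of SEVERITY_RANK
    location: str   # file:line for code findings, package@version for dependencies
    message: str

    def fingerprint(self) -> str:
        # Stable identity used for de-duplication across repeated reports.
        raw = f"{self.tool}|{self.rule}|{self.location}".encode()
        return hashlib.sha256(raw).hexdigest()[:16]


def parse_sast(raw: str):
    for r in json.loads(raw)["results"]:
        yield Finding("sast-a", r["rule"], r["severity"],
                      f"{r['path']}:{r['line']}", r["msg"])


def parse_deps(raw: str):
    for v in json.loads(raw)["vulns"]:
        yield Finding("deps-b", v["id"], v["level"],
                      f"{v['package']}@{v['version']}", f"vulnerable dependency {v['id']}")


PARSERS = {"sast-a": parse_sast, "deps-b": parse_deps}


def collect(outputs: dict) -> list:
    """Normalise every scanner's output and drop duplicate findings."""
    unique = {}
    for tool, raw in outputs.items():
        for f in PARSERS[tool](raw):
            unique.setdefault(f.fingerprint(), f)
    return list(unique.values())


def apply_suppressions(findings: list, suppressions: list) -> list:
    """Remove findings matched by a reviewed suppression (rule + location prefix)."""
    return [f for f in findings
            if not any(s["rule"] == f.rule and f.location.startswith(s["path_prefix"])
                       for s in suppressions)]


def gate(findings: list, fail_at: str = "high") -> dict:
    """Decide whether the pipeline may proceed; anything at or above fail_at blocks."""
    threshold = SEVERITY_RANK[fail_at]
    blocking = [f for f in findings if SEVERITY_RANK[f.severity] >= threshold]
    return {"pass": not blocking, "blocking": blocking, "total": len(findings)}


def run_pipeline(outputs: dict, suppressions: list, fail_at: str = "high") -> dict:
    return gate(apply_suppressions(collect(outputs), suppressions), fail_at)


if __name__ == "__main__":
    verdict = run_pipeline(SAMPLE_OUTPUTS, SAMPLE_SUPPRESSIONS)
    print("pass:", verdict["pass"], "findings kept:", verdict["total"])
    for f in verdict["blocking"]:
        print(f"  BLOCK [{f.severity}] {f.tool} {f.rule} at {f.location}: {f.message}")
```

On the constructed input the layer reduces four raw reports to two actionable findings: the duplicate dependency report collapses to one, and the fixture "secret" is removed by the suppression rule, which records a reason so the false-positive decision is auditable rather than silently lost. The gate threshold is the knob a team tunes per pipeline stage.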