Abstract

Software security is a component of software development that should be integrated throughout its entire development lifecycle, and not simply as an afterthought. If security vulnerabilities are caught early in development, they can be fixed before the software is released in production environments. Furthermore, finding a software vulnerability early in development will warn the programmer and lessen the likelihood of this type of programming error being repeated in other parts of the software project. Using Continuous Integration (CI) for checking for security vulnerabilities every time new code is committed to a repository can alert developers of security flaws almost immediately after they are introduced. Finally, continuous integration tests for security give software developers the option of making the test results public so that users or potential users are given assurance that the software is well tested for security flaws. While there already exists general-purpose continuous integration tools such as Jenkins-CI and GitLab-CI, our tool is primarily focused on integrating third party security testing programs and generating reports on classes of vulnerabilities found in a software project. Our tool performs all tests in a snapshot (stateless) virtual machine to be able to have reproducible tests in an environment similar to the deployment environment. This paper introduces the design and implementation of a tool for security-focused continuous integration. The test cases used demonstrate the ability of the tool to effectively uncover security vulnerabilities even in open source software products such as ImageMagick and a smart grid application, Emoncms.

Highlights

  • As an increasing amount of critical systems becomes more and more software orientated, the problem of software security vulnerabilities becomes more and more of a concern

  • While the goal of SFCI is to move the responsibility of software security closer to the main project developers, this does not imply that software penetration testers and security teams have been made obsolete

  • Discovering new classes of vulnerabilities or improving the accuracy of detecting known classes of vulnerabilities lies within the scope of building penetration testing and dynamic analysis tools, but is outside the scope of the SFCI tool itself

Read more

Summary

Introduction

As an increasing amount of critical systems becomes more and more software orientated, the problem of software security vulnerabilities becomes more and more of a concern. This paper is only concerned with the approach of security by code correctness, as our tool is only useful for presenting information about security vulnerabilities in a developer’s code, as opposed to making them more difficult to exploit or limiting the damage they could cause if they were exploited This is not to say that security by code correctness, or at least security by code improvement, is superior to the other approaches, but rather, that in applications such as the Internet of Things (IoT) and the smart grid, ensuring that programs behave as they are defined [2] (i.e., a smart grid electrical power distribution network should have almost 100% uptime) is critical, if not more, than ensuring that users are only confined to their allocated resources. There exists a wide variety of dynamic software analysis tools and penetration testing tools designed for detecting, and sometimes exploiting, security vulnerabilities within a program These tools cover a wide variety of vulnerabilities including memory safety errors (buffer overflow, use-after-free, etc.), as well as input sanitization issues (SQL injection, command injection, path traversal, etc.).

Motivation
Related Work
BDD-Security
Valgrind Plugin
Tinfoil Security
Arachni
GitLab-CI
Architecture
Setup Filesystem
Virtual Machine
Parsers and Automation
Web Report Rendering
Existing Software Packages
Jinja2
QEMU-KVM
AddressSanitizer
Valgrind
Sqlmap
Commix
XSS Me
DotDotPwn
Recommended Use
SFCI as a Vulnerability Description Medium
SFCI for Local Security Testing
Testing an Example Project
Developing the Test Cases
Evaluating the Test Cases
Testing ImageMagick
Detecting a Known Vulnerability
Detecting an Unknown Vulnerability
Testing A Smart Grid Application
10. SFCI Limitations
11. Conclusions and Future Work

Talk to us

Join us for a 30 min session where you can share your feedback and ask us any queries you have

Schedule a call

Similar Papers

Paper Title
Journal
Date
Author
An Empirical Study of the Relationship between Continuous Integration and Test Code Evolution
Gustavo Sizilio Nery ... Daniel Alencar Da Costa
-
Gustavo Sizilio Nery, et. al.Gustavo Sizilio Nery ... Daniel Alencar Da Costa
01 Sep 2019
Characterizing the influence of continuous integration: empirical results from 250+ open source and proprietary projects
Akond Rahman ... Rahul Krishna
-
Akond Rahman, et. al.Akond Rahman ... Rahul Krishna
05 Nov 2018
LSTM-based deep learning for spatial–temporal software testing
Lei Xiao ... Tingting Shi
Distributed and Parallel Databases | VOL. 38
Lei Xiao, et. al.Lei Xiao ... Tingting Shi
09 May 2020
Developing Cross-Organisational Service-Based Software Systems through Decentralised Interface-Oriented Continuous Integration
Jameel Almalki ... Haifeng Shen
-
Jameel Almalki, et. al.Jameel Almalki ... Haifeng Shen
01 Nov 2018
View more papers

More From: Computers

Paper Title
Journal
Date
Author
A Systematic Review and Comparative Analysis Approach to Boom Gate Access Using Plate Number Recognition
Asaju Christine Bukola ... Etienne Van Wyk
Computers | VOL. 13
Asaju Christine Bukola, et. al.Asaju Christine Bukola ... Etienne Van Wyk
04 Nov 2024
Performance Analysis of Wireless Sensor Networks Using Damped Oscillation Functions for the Packet Transmission Probability
Izlian Y Orea-Flores ... Sumera Saleem
Computers | VOL. 13
Izlian Y Orea-Flores, et. al.Izlian Y Orea-Flores ... Sumera Saleem
04 Nov 2024
Sequentialized Virtual File System: A Virtual File System Enabling Address Sequentialization for Flash-Based Solid State Drives
Inhwi Hwang ... Yongseok Son
Computers | VOL. 13
Inhwi Hwang, et. al.Inhwi Hwang ... Yongseok Son
02 Nov 2024
Building an Accessible and Flexible Multi-User Robotic Simulation Framework with Unity-MATLAB Bridge
Arturo Haces-Garcia ... Weihang Zhu
Computers | VOL. 13
Arturo Haces-Garcia, et. al.Arturo Haces-Garcia ... Weihang Zhu
29 Oct 2024
View more papers

Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.