The presence of vulnerabilities in software is a pressing problem: a vulnerability can serve as the basis for a breach of confidentiality and for information leakage. The purpose of this study is to raise the level of software security at every stage of the life cycle, from development and implementation to operation. This is achieved through automated analysis of program code and by widening the range of vulnerability types that are detected. The work proposes a secure software delivery pipeline that performs static and dynamic analysis of program code together with vulnerability analysis of third-party components and of Docker images. The article reviews popular software tools and their distinctive features and justifies the choice of the solutions that form the basis of the developed pipeline: Semgrep for static analysis (SAST), OWASP ZAP for dynamic analysis (DAST), Dependency-Track for third-party component analysis (SCA) and Trivy for scanning Docker images.

The novelty of the work is the pipeline's ability to detect vulnerabilities automatically at all stages of the software life cycle, from planning and design through testing and deployment to monitoring in a production environment, which makes it possible to eliminate vulnerabilities at an early stage and thereby raise the level of software security. The pipeline was tested and validated. Based on the assessment results, on average 98% of vulnerabilities were identified by Semgrep, 90% by OWASP ZAP, 96% by Dependency-Track and 88% by Trivy; across the four tools this gives an average detection rate of 93%. The practical value of the work is that the developed pipeline can be used as a tool for detecting vulnerabilities in program code both by software development specialists and by information security specialists of IT companies.
The results obtained can be applied in secure software development and in the formalization and interpretation of vulnerabilities in program code, which will make it possible to create new rules for identifying them and to develop countermeasures that neutralize them.
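The abstract names the four pipeline stages but does not show how their results are combined into a release decision. The following is an added example, not code from the paper: a Python release gate that reads the JSON reports written by Semgrep, OWASP ZAP, Dependency-Track and Trivy in earlier CI jobs, normalises them into one finding record, and fails the pipeline when any HIGH or CRITICAL finding is present. The tool commands in the docstring, the report field names, the embedded sample reports and every name in them (example.* rule ids, registry.example.test, staging.example.test, CVE-0000-000x) are assumptions and constructed placeholders; verify the field names against the tool versions you deploy.

```python
"""Release gate over the four stages the abstract describes: SAST (Semgrep),
DAST (OWASP ZAP), SCA (Dependency-Track) and image scanning (Trivy).
Added illustration, not the paper's pipeline.  Assumed producing commands:
  semgrep scan --config p/ci --json --output semgrep.json .
  zap-full-scan.py -t https://staging.example.test -J zap.json
  trivy image --format json --output trivy.json registry.example.test/app:TAG
  Dependency-Track: POST a CycloneDX SBOM to /api/v1/bom, then save
  GET /api/v1/finding/project/<uuid> (header X-Api-Key) as dtrack.json
Field names follow the report formats as the author of this example knows
them (assumption); check them against the versions you run.
"""
from __future__ import annotations
import json
import sys
from dataclasses import dataclass

BLOCKING = {"CRITICAL", "HIGH"}   # severities that fail the gate

@dataclass(frozen=True)
class Finding:
    stage: str       # sast | dast | sca | image
    severity: str    # normalised: CRITICAL/HIGH/MEDIUM/LOW/INFO
    identifier: str  # rule id, CVE id or ZAP alert name
    location: str    # file:line, package@version, site URL or image target

SEMGREP_SEVERITY = {"ERROR": "HIGH", "WARNING": "MEDIUM", "INFO": "INFO"}
ZAP_RISK = {"3": "HIGH", "2": "MEDIUM", "1": "LOW", "0": "INFO"}  # ZAP riskcode

def parse_semgrep(doc: dict) -> list[Finding]:
    """semgrep --json: results[].check_id / path / start.line / extra.severity."""
    return [Finding("sast", SEMGREP_SEVERITY.get(r["extra"]["severity"], "MEDIUM"),
                    r["check_id"], f'{r["path"]}:{r["start"]["line"]}')
            for r in doc.get("results", [])]

def parse_zap(doc: dict) -> list[Finding]:
    """ZAP JSON report (-J): site[].alerts[] with riskcode as a digit string."""
    return [Finding("dast", ZAP_RISK.get(str(a["riskcode"]), "MEDIUM"),
                    a["alert"], site.get("@name", ""))
            for site in doc.get("site", []) for a in site.get("alerts", [])]

def parse_dependency_track(findings: list) -> list[Finding]:
    """/api/v1/finding/project/<uuid>: list of {component, vulnerability, ...}."""
    return [Finding("sca", f["vulnerability"]["severity"].upper(),
                    f["vulnerability"]["vulnId"],
                    f'{f["component"]["name"]}@{f["component"].get("version", "?")}')
            for f in findings]

def parse_trivy(doc: dict) -> list[Finding]:
    """trivy --format json: Results[].Vulnerabilities[] (null when clean)."""
    return [Finding("image", v["Severity"].upper(), v["VulnerabilityID"],
                    f'{v["PkgName"]}@{v["InstalledVersion"]} ({res["Target"]})')
            for res in doc.get("Results", [])
            for v in (res.get("Vulnerabilities") or [])]

PARSERS = {"sast": parse_semgrep, "dast": parse_zap,
           "sca": parse_dependency_track, "image": parse_trivy}

def gate(findings: list[Finding], blocking=BLOCKING) -> tuple[bool, dict[str, int]]:
    """Return (release_allowed, count of blocking findings per stage)."""
    counts: dict[str, int] = {}
    for f in findings:
        if f.severity in blocking:
            counts[f.stage] = counts.get(f.stage, 0) + 1
    return sum(counts.values()) == 0, counts

def load_reports(paths: dict[str, str]) -> list[Finding]:
    """paths maps a stage name to the report file its tool wrote."""
    out: list[Finding] = []
    for stage, path in paths.items():
        with open(path, encoding="utf-8") as fh:
            out.extend(PARSERS[stage](json.load(fh)))
    return out

# Constructed sample reports (not real scan output; CVE ids are placeholders).
SAMPLE_REPORTS = {
    "sast": {"results": [
        {"check_id": "example.sqli-string-concat", "path": "app/db.py",
         "start": {"line": 42}, "extra": {"severity": "ERROR"}},
        {"check_id": "example.debug-enabled", "path": "app/settings.py",
         "start": {"line": 3}, "extra": {"severity": "WARNING"}}]},
    "dast": {"site": [{"@name": "https://staging.example.test", "alerts": [
        {"alert": "SQL Injection", "riskcode": "3"},
        {"alert": "Missing Anti-clickjacking Header", "riskcode": "2"}]}]},
    "sca": [{"component": {"name": "example-lib", "version": "1.2.3"},
             "vulnerability": {"vulnId": "CVE-0000-0001", "severity": "Critical"}}],
    "image": {"Results": [
        {"Target": "registry.example.test/app:1 (debian 12)", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample",
             "InstalledVersion": "2.0-1", "Severity": "LOW"}]},
        {"Target": "app/requirements.txt", "Vulnerabilities": None}]},
}

def sample_findings() -> list[Finding]:
    """Run the constructed reports through the same parsers CI would use."""
    return [f for stage, doc in SAMPLE_REPORTS.items() for f in PARSERS[stage](doc)]

if __name__ == "__main__":
    # Usage: gate.py semgrep.json zap.json dtrack.json trivy.json (else: samples)
    found = (load_reports(dict(zip(PARSERS, sys.argv[1:5])))
             if len(sys.argv) == 5 else sample_findings())
    ok, counts = gate(found)
    for f in found:
        print(f"{f.stage:5} {f.severity:8} {f.identifier}  {f.location}")
    print("release allowed" if ok else f"blocked: {counts}")
    sys.exit(0 if ok else 1)
```

Run without arguments it gates the constructed samples and exits non-zero because three of the four stages carry a HIGH or CRITICAL finding; in CI, pass the four report paths and let the non-zero exit status stop the deploy job. The severity mapping is the policy knob: Semgrep's ERROR level is treated as HIGH here, and a team that wants to block only on CRITICAL can pass `blocking={"CRITICAL"}` to `gate`.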