Integrating Security in CI/CD: A DevSecOps Approach to Secure Software Development

File: TM_Alexandre_Figueiredo.pdf (2.19 MB, Adobe PDF)

Abstract

With the growth of DevOps, security practices became siloed and incompatible with the ever-increasing speed of software development, integration, and delivery. This created an urgent need to integrate security into the DevOps culture by incorporating it into the Continuous Integration and Continuous Deployment (CI/CD) processes. We present a practical approach to integrating security practices throughout the software development lifecycle at MEO’s cybersecurity department (DCY), while minimizing the additional burden placed on developers to implement these practices. The solutions presented focus on automated security scanning during the development and maintenance phases of software development. For this, tools that automatically perform Static Application Security Testing (SAST) were evaluated and selected. We integrated the selected tools into CI/CD components. CI/CD components are reusable configuration units that can be easily included in CI/CD pipelines, thereby simplifying the inclusion of security testing within the pipelines. Additionally, we implemented a scheduled pipeline creation mechanism, ensuring that security scans are executed periodically, even when applications are in the maintenance phase. We also implemented storage and visualization mechanisms using Elasticsearch and Kibana, which provide a centralized dashboard view of the security scan results. Introducing these solutions to the 5 members of MEO’s DCY team demonstrated that they were straightforward to grasp, requiring only 40-minute meetings for integration, verification, and clarification of questions. Additionally, the integration process was quick, requiring around 20 extra configuration lines per project. Furthermore, with security scans easily integrated, the users not only became more aware of the vulnerabilities in their projects but also learned about security practices through hands-on experience.

Description

Master's Project Report, Computer Engineering (Engenharia Informática), 2025, Universidade de Lisboa, Faculdade de Ciências

Keywords

DevSecOps; CI/CD; Security; Vulnerability Scanning; GitLab