Continuous Security Testing - A Case Study On Integrating Dynamic Security Testing Tools in CI:CD Pipelines

Download as pdf or txt
Download as pdf or txt
You are on page 1of 10

2020 IEEE 24th International Enterprise Distributed Object Computing Conference (EDOC)

Continuous Security Testing: A Case Study on


Integrating Dynamic Security Testing Tools in
CI/CD Pipelines
Thorsten Rangnau Remco v. Buijtenen Frank Fransen Fatih Turkmen
University of Groningen University of Groningen TNO University of Groningen
[email protected] [email protected] [email protected] 0000-0002-6262-4869

Abstract—Continuous Integration (CI) and Continuous Deliv- pace and hence respond to customers’ demands rapidly. A
ery (CD) have become a well-known practice in DevOps to ensure prime example of this is Amazon, where a new version was
fast delivery of new features. This is achieved by automatically released more than once per second [6].
testing and releasing new software versions, e.g. multiple times
per day. However, classical security management techniques While fast releases are considered to be beneficial to the
cannot keep up with this quick Software Development Life quality of a product, they may also increase pressure on
Cycle (SDLC). Nonetheless, guaranteeing high security quality developers to finish their tasks more quickly. Studies such
of software systems has become increasingly important. The new as Kraemer [7] revealed that tight schedules or high work
trend of DevSecOps aims to integrate security techniques into load can lead to the accidental introduction of security vul-
existing DevOps practices. Especially, the automation of security
testing is an important area of research in this trend. Although nerabilities into software systems. Kraemer also states that
plenty of literature discusses security testing and CI/CD practices, the reason for the presence of vulnerabilities is a lack of
only a few deal with both topics together. Additionally, most of the security knowledge in DevOps teams. This affects the quality
existing works cover only static code analysis and neglect dynamic of security tests and hence diminishes the security of a system.
testing methods. In this paper, we present an approach to inte- In addition to this, cybercrime is increasing in recent years.
grate three automated dynamic testing techniques into a CI/CD
pipeline and provide an empirical analysis of the introduced For instance, the number of stolen or compromised records
overhead. We then go on to identify unique research/technology has been estimated to be increased by 133% from 2017 to
challenges the DevSecOps communities will face and propose 2018 [8]. Furthermore, security and privacy regulations such
preliminary solutions to these challenges. Our findings will enable as the General Data Protection Regulation (GDPR) have been
informed decisions when employing DevSecOps practices in implemented in the EU in order to enforce security standards
agile enterprise applications engineering processes and enterprise
security. and punish companies harshly if these regulations are violated
Index Terms—DevSecOps, Dynamic Security Web Testing, (e.g. [9]). All of these aspects show that the security concerns
Continuous Security, Continuous Integration have become increasingly important.
This increased focus on security introduced a new field
I. I NTRODUCTION called DevSecOps, which attempts to integrate security (Sec)
In the past decade, a great shift occurred in software practices into DevOps [2]. Traditionally, security experts were
development from creating Software as a Product (SaaP), organized into separate silos and security concerns were ad-
that is executed as a single instance on customers’ machines, dressed after the actual design and development stages [8].
towards providing Software as a Service (SaaS) where many Similar to the inception of DevOps, DevSecOps attempts to
users share instances that run on cloud infrastructure [1]. promote collaboration between development, operations and
Such cloud services provide software practitioners with security teams. DevSecOps establishes a proactive approach
the ability to continuously improve their product quality by to limit the attack surface of the application [6] and entails
releasing frequent updates [2]. In order to manage these considering security from the very beginning of the project [2].
improvements efficiently, classical development (Dev) and However, the integration of security practices into modern soft-
operation (Ops) tasks were combined which resulted in a ware engineering creates several problems. Firstly, traditional
development concept termed DevOps [3], [2]. This concept security methods are not applicable because they cannot keep
is based on collaboration between the two former fields in up with the agility and speed of DevOps. Secondly, very little
all development stages and achieved by solving problems is known about DevSecOps so far, as only a few studies were
together, automating processes, and agree on mutual metrics conducted on this topic [2]. Especially the lack of knowledge
to use when evaluating a system. DevOps defines four pillars of when and where to use (existing) tools in automation is
that guide teamwork in modern software development: culture, a considerable problem that prevents software practitioners
automation, measurement and sharing (CAMS) [4], [5]. This from integrating security into their DevOps activities such
agile development method enables software practitioners to as continuous integration and continuous deployment (CI/CD)
test and deploy software versions in a much more frequent [8].

2325-6362/20/$31.00 ©2020 IEEE 145


DOI 10.1109/EDOC49727.2020.00026

Authorized licensed use limited to: Auckland University of Technology. Downloaded on December 19,2020 at 15:36:40 UTC from IEEE Xplore. Restrictions apply.
Until now, most research papers describe the principles, the system [13]. The challenge here is to send the correct
priorities and practices in DevSecOps. It appears that the (attack) requests and to identify the information within the
automation principle is equally significant in DevSecOps as response that indicates the presence of a vulnerability. DAST
it is in DevOps. One key practice is continuously testing can be performed in a white-box setting where the application
security. This enables security teams to keep up with DevOps code is accessible or a black-box setting where the application
and establishes fast, scalable and effective security tests [2]. code is unavailable. We assume the CI/CD pipeline is owned
However, most literature focuses on automatic security testing by the application owner and thus consider mostly the white-
through static scans of source code (e.g. [10]). Although box case. In what follows, we summarize the dynamic testing
important, static tests cannot detect all security vulnerabilities methods considered in our study.
in a system. In fact, static analysis is only able to find Inspired from [13], we consider three DAST techniques that
those vulnerabilities that can be derived directly from source can be automated: Web Application Security Testing (WAST),
code. These vulnerabilities are only a small subset of the Security API Scanning (SAS), and Behaviour Driven Security
ten most common vulnerabilities in web applications [11], Testing (BDST).
such as Components with Known Vulnerabilities. Dynamic Web Application Security Testing (WAST): This testing
security testing on the other hand, where a system is attacked technique is an automated web security test that attacks a
in a similar way as actual hackers would, is able to cover web application through its user interface. It includes three
a much broader range of vulnerabilities. Literature such as steps performed by the WAST component: spider scan, active
[12], [13] describes how to execute these dynamic tests in a scan, and result reporting. The spider scan explores the whole
consistent, reproducible way. However, little is known about application in order to determine all URLs/resources available.
how to integrate this into the CI/CD pipelines commonly used The active scan then performs malicious requests against
in DevOps. every identified resource and evaluates every response of the
In this paper we conduct a case study where we apply three application in order to determine possible security issues on
different testing techniques in CI/CD. This will enable us to the targeted URL. Once the active scan is completed, the
identify pitfalls, challenges and shortcomings DevOps teams results are aggregated into a report. Figure 1 illustrates the
may encounter while automating security tests. The three WAST technique. Usually, the scope of the scans and the
dynamic application security testing techniques we integrated attack scenarios can be configured. In addition, the security
into a CI/CD pipeline are: Web Application Security Scan- vulnerabilities can be categorized into different risk levels.
ning (WAST) using Zed Attack Proxy (ZAP)1 , Security API
Scanning (SAS) with JMeter 2 and Behaviour Driven Security
Testing (BDST) using SeleniumBase automation framework.
The remainder of this paper is structured as follows: Section
II provides an overview on automated security testing tech-
niques and testing in CI/CD. The setup of the case studies
is described in Section III, whereas Section IV depicts our
results. In Section V we discuss our findings including a Fig. 1. Overview of WAST security testing technique: The spider scan
list of requirements for security testing in CI/CD and a determines all available components and the active scan attacks them.
description of challenges one encounters while addressing
these requirements. We conclude in Section VII and provide Security API Scanning (SAS): The WAST technique scans
an overview of future work. the entire web application but may not detect flaws of the
underlying back-end (web) services. Therefore it is highly
II. BACKGROUND
recommended to test the web service through its APIs with
This section provides an overview on the background of SAS. This technique allows testing of every endpoint in great
continuous dynamic security testing. To this end, we will first detail and can cover multiple security relevant cases such as
address security testing techniques. Subsequently, we provide authentication, input validation, or error handling. Figure 2
information on testing in CI/CD pipelines. provides an overview of the SAS testing technique. In SAS, a
A. Security Testing Techniques parameterized request is generated and sent to the API of the
web service that is under test through a request component.
Most modern Web/Cloud applications can be tested for
The input data can vary from credentials for authentication
security flaws at the service, infrastructure, and platform levels
to malicious payloads such as SQL injection (SQLi). All the
[14]. We focus on the testing performed at the service layer.
requests go through a proxy component that intercepts traffic
Dynamic application security testing (DAST) focuses on tests
between the request component and the target application.
to determine how a running application responds to malicious
The proxy component evaluates all the intercepted traffic for
requests. More specifically, attack scenarios are defined as
any security issues. After the test is performed, the proxy
test cases that consist of (crafted) requests and are sent to
component reports the result of the evaluation. SAS testing
1 https://www.zaproxy.org/ is especially useful when generated fuzz data is used as input.
2 https://jmeter.apache.org Fuzz data can be a list of the most common passwords, a bulk

146

Authorized licensed use limited to: Auckland University of Technology. Downloaded on December 19,2020 at 15:36:40 UTC from IEEE Xplore. Restrictions apply.
of random data in order trigger unexpected behavior of the (Continuous Deployment). Figure 4 shows a CI/CD pipeline
system, or malicious input for SQLi. that has been extended with dynamic security testing. A more
typical CI/CD pipeline only consists of stages 0 through 7 that
are shown in the upper 2 rows of the figure. Later on in section
IV-B a more detailed explanation is given on the addition of
security testing.
The Continuous Integration stage starts with a commit,
followed by a build of the modified application which is then
verified using unit tests. When all test cases pass, the tested
application is deployed to a testing environment. If Continuous
Fig. 2. Overview of SAS testing technique: Request component sends request Delivery is implemented, a set of automated acceptance tests is
through proxy component to target application. Proxy component evaluates executed to verify that there are no regressions in the system’s
traffic and generates report.
features. This step also helps to identify any errors that may
occur due to a difference in run-time environment because the
Behaviour Driven Security Testing (BDST): Behaviour
testing environment is usually a server with similar configu-
Driven Development(BDD) is an extension of Test Driven
ration to the production environment. Depending on the level
Development (TDD) and follows the idea of integrating busi-
of automation, this step can also involve manual testing and
ness insights into testing [15]. BDD uses a natural language
approval before the pipeline advances to the next stage. When
approach in order to define behaviour and expected outcome of
all previous stages have passed, the system is automatically
test cases. Behaviour Driven Security Testing (BDST) applies
deployed to the production environment in the Continuous
the idea of BDD to the domain of security testing for the added
Deployment stage, where the users will have access to the
benefit that non-security experts can understand the security
new version. If a test fails, or when an error occurs during
tests, further improving the collaboration between security
build or deployment, the pipeline is automatically stopped
experts and DevOps teams [12]. Additionally, BDST provides
and developers are notified of the error. When a fix has been
a dynamic security documentation of the whole software
committed the pipeline will start all over again in order to test
system due to the GWT (Given, When, Then) format of the
the entire application.
test specifications. In UI testing, BDD frameworks are used
to automate standard UI tests that mimic the user behavior III. C ASE S TUDY M ETHODOLOGY
[15]. This approach can be used to automate the execution This section aims to provide an overview of our goals and
of attack scenarios from the hacker’s perspective. Because research question that we want to answer with the case study
this technique is executed against the system as a whole, it conducted in this paper. Next an outline of our approach is
enables the identification of vulnerabilities that target multiple provided.
entrypoints to the system. BDST combines several security
testing techniques such as SAS or WAST in order to mimic A. Goal and Research Question
attack scenarios by a hacker, as well as to find security issues The primary goal of this study is to identify the challenges
during normal system usage [13]. An example of a BDST and pitfalls of applying security testing of web applications
setup is shown in Figure 3. and services in CI/CD pipelines. Moreover, the focus lies on
dynamic testing techniques since this topic is only addressed
in theoretical research. With this we provide guidance for
development teams that are trying to shift more towards De-
vSecOps. In addition to this, we aim to shift research towards
the practical challenges involved with continuous security.
RQ How can we integrate DAST into CI/CD and ensure that
Fig. 3. Overview of BDST testing technique: The BDST framework sends DevOps requirements are met?
behavior driven requests to the target application through the proxy component
which then scans for security flaws. With answering this research question we can shed light onto
the hidden complexities of the practical workload required
to achieve this integration. Through practical examples we
B. CI/CD Pipelines
illustrate the scale of these complexities, as well as preliminary
Continuous Integration (CI) and Continuous Delivery (CD) solutions that aim to overcome them.
are software engineering processes used in DevOps in order to
improve the efficiency of projects [16]. The CI/CD processes B. Approach
can be implemented at one of three overarching degrees This section provides an overview of the approach used
of automation. The first covering development and testing in our case study. In order to conduct this case study we
(Continuous Integration), the second extending this with auto- (1) identify the requirements for successful integration of
mated integration testing (Continuous Delivery) and the third security testing tools, (2) describe the tools that were chosen
adding continuous deployment to a production environment for the integration and discuss their integration into CI/CD, (3)

147

Authorized licensed use limited to: Auckland University of Technology. Downloaded on December 19,2020 at 15:36:40 UTC from IEEE Xplore. Restrictions apply.
investigate the performance of our implementation in a CI/CD rather limited because customized HTTP POST requests are
pipeline and (4) provide an overview of the challenges that not supported by ZAP in this configuration.
were encountered during implementation. Automation of SAS: Besides the execution of predefined
1) The requirements are determined using an iterative pro- attack scenarios, ZAP can also be configured to act as a
cess. As a starting-point we use common requirements proxy between a testing tool and the target application. In
for DevOps. After creating an initial version of the CI/CD this proxy configuration ZAP will not make its own requests
pipelines, the requirements were extended to reflect the so an additional tool is needed to perform the actual attacks.
changes needed to meet the DevSecOps goals. The final We employ JMeter, a command-line tool that can perform
list of requirements is presented in section IV-A. Later on parameterized requests against an API, as the testing tool.
in section V, these requirements will be used to evaluate Using JMeter’s GUI, one can easily generate the XML files
the implementation. that define a test case. JMeter cannot detect vulnerabilities and
2) Three different methods for DAST were listed in section therefore ZAP is inserted as a proxy between JMeter and the
II. A number of tools are chosen in order to implement the target application. If required, JMeter can be configured to
three testing techniques in such a way that they satisfy our include malicious payloads or to perform fuzz testing.
requirements. Later on in this section we provide a short Automation of BDST: ZAP can be used in combination
description of each of the chosen tools. Furthermore, in with a BDD framework in order to perform high level use
Section IV more details are provided on how each tool is cases such as signing up, uploading files or filling in multi-
adapted in such a way that they can be executed inside a stage forms. An example of such a framework is SeleniumBase
CI/CD pipeline. [18], a wrapper for Selenium, which mimics user behavior to
3) With the implementation of our CI/CD pipelines in place, automate security testing for the aforementioned use cases.
we evaluate the different cases on their performance. A convenient way for developers to define the test cases for
Because the focus of this case study lies on the integration BDST is the Selenium IDE Katalon. It allows the recording of
process of DAST techniques and not on the accuracy or user activities on the web application (e.g clicking a button)
detection rates of the individual tools, we only provide and converts them into an executable Python file. Seleni-
an overview of the execution times of each pipeline. umBase executes these tests through the Pytest framework
4) Finally, challenges that we encountered during the in- [19]. Similar to SAS, ZAP is inserted as a proxy between
tegration process are listed in the results (Section IV). SeleniumBase and the target application.
The goal of listing these challenges is to provide insights
to DevOps teams to prepare them for what they can IV. R ESULTS
expect when they want to automate DAST using CI/CD. In this section we present the results that are derived
In Section V we provide solutions to the aforementioned from our research process as described in Section III. The
challenges. results are divided into the requirements for security testing
in CI/CD (Section IV-A), a description of the concept of
C. Tool Selection implementing dynamic security testing into CI/CD (Section
IV-B), the performance of our approach (Section IV-C, and
This section describes the tools that we used in our case the challenges that we encountered (Section IV-D).
study. The main functional requirement for the selection of
the tools is a command line interface (CLI), as a minimum, A. Requirements for DAST in CI/CD
that can be used to control testing activities such as triggering
attacks or to configure testing components. More beneficial Before discussing the integration of the dynamic testing
are tools that can be directly addressed through code via an techniques into automated CI/CD pipelines, we define the
API using HTTP requests or client libraries. User Interfaces following requirements. The requirements are based on the
(UIs) are not required, but may be beneficial for creating test commonly known DevOps requirements such as the ones
cases during development. described in [20], [8], [21] with certain extensions to meet
DevSecOps goals.
Automation of WAST: For WAST, we employ OWASP ZAP
web security scanner, a versatile open source tool that can R.1 Quick build times - Ensures that dynamic security
be configured for multiple types of security tests. It is also testing is practical and every commit build takes no longer
recommended by the Open Web Application Security Project than 10 minutes to allow quick build fixes.
(OWASP) foundation[17]. ZAP is a standalone application that R.2 Parallel pipeline jobs - The pipeline should be able
is accessible via GUI, CLI, REST API and various client to run unit, functional, integration, security, etc. tests in
libraries. It comes with pre-installed known attack scenarios separate jobs such that they can be run in parallel. This
that are executed during its active scan. This is complemented will speed up pipeline execution. This should include
by a spider scan that attempts to automatically discover security tests at multiple abstraction levels.
entrypoints in a web application that these attacks can be R.3 Testing of multiple versions - The pipeline should be
performed against. The result is a highly automated test that able to test multiple versions simultaneously (i.e. different
requires little configuration. However, these basic scans are branches or commits) without these pipelines interfering.

148

Authorized licensed use limited to: Auckland University of Technology. Downloaded on December 19,2020 at 15:36:40 UTC from IEEE Xplore. Restrictions apply.
R.4 Test every Commit - Every commit to the remote sized web application in order to make statements about the
repository should trigger a pipeline process. This ensures different security tests. Since it is out of scope of this study
together with R.1 that vulnerabilities are detected early to develop such an application with specific vulnerabilities,
such that broken builds can be fixed quickly. OWASP WebGoat was chosen as a target application. Web-
R.5 Only build what is necessary - Ensure that pre-built Goat is a deliberately insecure application that was designed
images for pipeline and testing components can be used for educational reasons on the one hand and for testing security
for components that do not require frequent updates. This tools on the other hand. We decided to use this open source
reduces overall run-time of the pipeline because slow project because its 89.100 lines of code represent a reasonably
builds do not have to be repeated every time the pipeline sized web application. In addition, the WebGoat community
is started. already provides a WebGoat docker image which can be
R.6 Flexible deployment strategies - The pipeline should pulled directly from the public repository. Furthermore, the
provide a method to configure the deployment strategy documentation of WebGoat includes information about its
being used. For some systems it may be desirable to vulnerabilities, such as SQL injection (SQLi) vulnerabilities,
deploy even with some minor vulnerabilities, whereas and how to exploit them.
other systems should definitely not be deployed if any In order to integrate DAST into CI/CD, a requirements
vulnerabilities are found. This allows DevOps teams to first approach is used to identify where in the pipeline it
customize the pipeline to their project’s needs. Other would be beneficial to perform automated security testing. As
deployment strategies include selecting which tests are was discussed in section II-B, the first stage is Continuous
being executed at specific stages of the CI/CD process Integration. Unit tests are executed following the build of a
through the use of test scopes. It may for example be new version in order to verify its implementation. From R.4
desirable to run a larger but slower set of tests before a it follows that security tests should be run in addition to this.
system is deployed to production. Therefore, the build stage is extended to also build the tools
R.7 Report vulnerabilities - The system should not only required for security testing. Because this step is executed after
report whether a pipeline job passes, but also provide every commit that is made by developers, it is important that
clear test results in case of a pipeline failure. Specifically, this stage is fast. Both SAS and BDST tests can be distributed
security tests should report about detected vulnerabilities among multiple jobs, while WAST testing is sequential due to
during testing. Clear reporting helps developers to quickly limitations in ZAP and therefore WAST is excluded from this
locate and fix the issues. stage. Only running these faster tests contribute to satisfying
R.8 Flexibility of testing technology - The system should R.1 and R.6.
allow flexible integration of DAST tools or frameworks When the pipeline advances to the continuous delivery
that are best suited for security testing of the specific stage, the system is deployed to a testing server. New vul-
application. Having the ability to select different tools nerabilities can be present due to a change of the environment
for different projects allows DevOps teams to reuse the and infrastructure, and therefore it is desired to run all prior
knowledge that has already been acquired by the team. tests again. Because the continuous delivery stage is only
reached after the development team considers a version as
B. Concept & Implementation of DAST in CI/CD complete, we can run the slower WAST tests here for better
In this section, we provide the details of our implementation test coverage. This coverage is improved because each tool
of the dynamic security testing approach presented in the has its own strengths and weaknesses, thus running multiple
previous section. In addition to the tools that help to automate of them has a better chance of catching vulnerabilities that
security testing, several other technologies were used in order were missed by earlier tests.
to provide a test environment that can be executed on any As a final step, the system is deployed to a production
CI platform. In order to build, execute and share the required environment. Because DAST is able to test a live system, it is
applications involved in the particular test cases, we used the possible to do one final sanity check by running all security
virtualization software Docker3 . Docker enables us to con- tests against the live system. If any vulnerabilities are detected,
tainerize every application and run it e.g. locally or remotely in this is reported back to the development team which can then
the CI environment. Further, the Docker Compose tool allows revert the changes quickly through gitlab its interface.
to create and combine multiple containers which is important In order to satisfy R.2 and R.3 it is necessary to split each
to connect the different testing tools with the test application. set of tests into separate jobs. This allows the testing jobs
For the CI environment we decided to use GitLab CI. The to be distributed among multiple runners. This then leads to
usage of this cloud platform is not only free but also provides more flexibility because more testing methods can be added
CI/CD pipelines as a service4 . in parallel jobs without affecting pipeline performance, also
Finding a way to test the integration of automated DAST contributing to R.8. Gitlab-ci only provides a single docker-
in CI/CD is challenging because it requires an adequately registry to use when transferring images between jobs. This
limitation requires the use of tags in order to safely store
3 https://www.docker.com multiple docker images. In order to ensure a unique tag for
4 https://docs.gitlab.com/ee/ci each image, a mnemonic name for a job is concatenated with

149

Authorized licensed use limited to: Auckland University of Technology. Downloaded on December 19,2020 at 15:36:40 UTC from IEEE Xplore. Restrictions apply.
Fig. 4. The different stages of a CI/CD pipeline with the emphasis on parallel test execution of the various security testing techniques.

the unique commit hash that is made available to each instance of the pipeline. Each testing approach requires two docker
of the pipeline, thus creating a unique identifier for each testing images to be built, resulting in a total of 6 images being built.
method. In order to speed up this process, each build is executed as a
Because ZAP acts as a proxy between the testing tool and separate parallel job. A build job consists of three steps: First,
the service under attack, it cannot simply return a test result a login to a remote docker repository is required. Secondly, the
to the testing tool. Instead, ZAP aggregates these results while docker images are built and and tagged using the commit hash
analyzing traffic, and exposes these through its API. Therefore, of the current branch. This allows us to push images multiple
after testing is done an evaluation stage is added to the pipeline branches to the same repository without them interfering with
that retrieves these results and uses them to decide whether each other. Finally, the images are pushed to the remote
the pipeline should pass or fail. Vulnerability thresholds can repository so they can be used in the next stage.
be configured in a strategy.json file. If any vulnerabilities were The second stage is testing, where the images from the
found, the evaluation component will print the test results previous stage are pulled from the remote docker repository
to the standard output of the pipeline, thus contributing to and security tests are then executed. This stage uses a docker-
satisfying R.7. compose in docker image5 , allowing us to run the test setup
Because the primary focus of this paper lies on dynamic exactly as one would do on a local machine. Because the
testing, no implementation for Static Application Security images must be pulled from a remote repository, a custom
Testing (SAST) has been added, but it is still added for python script is used to update the build section of the compose
completeness to the pipeline in Figure 4 indicated in light- file with an image entry pointing to the remote repository.
blue. The benefit of SAST is that the testing process is fast Results are written into a volume that is shared with the CI
and easily integrated and can therefore be added in parallel to pipeline. The contents of this directory are exported as GitLab
DAST and unit tests. CI artifacts.
Finally, a novel idea is introduced to speed up the overall Tools such as PyTest and JMeter require a running appli-
execution time of the pipeline. Because ZAP is an external cation to test. Since docker-compose’s container dependency
component that does not get updated frequently, we can sep- feature does not wait for a web server to be ready, this had to
arate it from the rest of the pipeline and host it as an external be implemented manually. For this the wait-for-it.sh6 was used
service. This requires two-way communication between ZAP to delay starting the testing process until all dependencies are
and the the pipeline, which is not natively supported by gitlab- ready to respond to requests.
ci. It is however possible to add a container to gitlabs runner ZAP and WebGoat are web services that keep running until
that acts as a router to facilitate this communication. With the they are explicitly stopped. This means that without sending
ability to run ZAP as an external service, it does not have to a shutdown signal, the CI/CD pipeline will never terminate.
be rebuilt for every instance of the pipeline and thus we only Therefore, at the end of the testing step a shutdown command
build what is necessary, contributing to R.5. 5 https://hub.docker.com/r/docker/compose/
6 https://github.com/vishnubob/wait-for-it
Building of docker images is executed in the build stage

150

Authorized licensed use limited to: Auckland University of Technology. Downloaded on December 19,2020 at 15:36:40 UTC from IEEE Xplore. Restrictions apply.
is sent to ZAP through its API. This results in a graceful host name), we had to add a customized docker network
termination of ZAP. However, WebGoat does not provide such to assign static IP addresses to each container to configure
an endpoint and therefore a different approach is needed. In scanning for vulnerabilities. Through these static IP addresses,
order to ensure that WebGoat terminates after testing, the SeleniumBase is able to communicate with WebGoat using
testing tool’s image has been constructed using the same ZAP as a proxy.
docker-compose in docker image as the CI pipeline itself. In
order to make this work, a volume must be mounted into this C. Performance
image to make the pipeline’s docker daemon socket available We made a preliminary analysis of the extended CI/CD
to docker inside the testing tool’s image. After test execution pipeline. The results for every test for each CI job can be
the testing tool is then able to call the docker kill command. downloaded from the GitLab CI interface. All three security
This will cause WebGoat to terminate once testing is complete. tests have detected vulnerabilities 7 . The detection of these
The aforementioned artifacts that were exported in the vulnerabilities causes the evaluation step of the pipeline to fail
previous stage are imported into an evaluation step. This last as intended. A single CI job, covering all three test scenarios,
step then executes a python script that reads the JSON output takes 14 minutes and 6 seconds. This run-time includes build-
from ZAP, and uses this to decide whether the pipeline should ing of all components, starting the applications, performing
pass or fail. If a pipeline should fail, it is sufficient to exit the the tests, evaluating the results of all tests, and exporting the
script with a non-zero status code. For an actual production artifacts containing the detected vulnerabilities. Subsequently,
setup, this step would then be followed by a deploy step. This the three test techniques will be discussed individually. All
deploy step will only be executed if the evaluation script exits setups used the WebGoat application as a service under attack,
with a zero as status code. which is deployed using an already existing docker image.
Integration of WAST in CI/CD: For the WAST integration Therefore, it has no building time.
we used the containerized ZAP and WebGoat containers. WAST included three docker containers. The building
In order to control the tests, we added another container time for ZAP container is 6 minutes and 52 seconds and
containing a simple script written in Python. The script makes the container used to control ZAP requires 1 minute and
use of the Python ZAP client library. With this library, one can 32 seconds. The execution of WAST takes 6 minutes and 4
easily control pro-active scans of ZAP. It receives the URL seconds in total. The spider scan identified 13 resources along
address of the WebGoat application as an argument to trigger the path http://webgoat:8080/WebGoat/ and the
spider and active scans in ZAP. This setup allows a complete active scan detected 15 vulnerabilities. ZAP categorized those
scan of the WebGoat application. After the scans are finished, vulnerabilities by risk which results into 7 “Informational”,
the aforementioned methods are used in order to terminate the 6 “Low”, 1 “Medium”, and 1 “High” risk. The
docker-compose setup and evaluate the test results. vulnerability with the high risk was detected on the address
Integration of SAS in CI/CD: For the SAS test scenario http://webgoat:8080/WebGoat/register.mvc
we used again the containerized ZAP application for detect- and denotes this resource to be vulnerable against a SQLi
ing malicious HTTP traffic. However, ZAP is now used in attack. Finally, the evaluation of this test technique took 1
proxy mode and hence only forwards all traffic to the target minute and 8 seconds.
application and analyses the responses. As was explained The SAS test setup also requires three components.
in Section II-A, we used JMeter to perform specific API The build time for its two build components are: ZAP
scans. Therefore, we installed JMeter and the .jmx files in a in 6 minutes and 9 seconds and JMeter in 2 minute
docker container. In order to execute the tests one has to add and 2 seconds. The run-time of the test takes 2 min-
entrypoints to the container that takes arguments and forwards utes and 31 seconds. The test was performed against
them to the JMeter CLI inside the container. Thus, we can http://webgoat:8080/WebGoat/login and ZAP de-
dynamically specify test files and setups ZAP as the proxy. tected two addresses that are vulnerable. The first address
This is important to detect security issues within the HTTP is exposed to a two “Low” risk vulnerability and one “In-
communication initiated by JMeter. formational” risk. The second address is liable against 1
Integration of BDST in CI/CD: For the BDST technique vulnerability which is a “Low”risk.
we applied the SeleniumBase framework, which is installed The BDST setup needs to build two containers, namely ZAP
in its own docker container together with two test cases. The and SeleniumBase. The first component takes 6 minutes and 8
first test case registers in the WebGoat application and the seconds to build and the second 4 minutes and 31 seconds. The
second uses the credentials created to log in and perform duration of the test stage is 3 minutes and 45 seconds. During
an SQLi attack. Similar to the JMeter docker container we the two performed behaviour driven tests, ZAP detected 32
needed to add an extra docker entrypoint in order to start vulnerabilities, composed by 28 “Informational” and 4 “Low”
SeleniumBase via the docker-compose command section. Be- risk security issues. Interesting is that one of the test cases
cause the SeleniumBase configuration refuses to accept the included an SQLi attack where user passwords were exposed
default docker-compose generated host names to configure
ZAP as proxy (docker-compose gives random IP addresses to 7 All results are derived analysing this CI job are available at:

each container which can then be accessed using a mnemonic https://gitlab.com/rvbuijtenen/continuous-security/pipelines/128935397

151

Authorized licensed use limited to: Auckland University of Technology. Downloaded on December 19,2020 at 15:36:40 UTC from IEEE Xplore. Restrictions apply.
TABLE I c) Configuration Issues: Another problem occurred with
V ULNERABILITIES DETECTED FOR EACH AUTOMATED DAST TECHNIQUE
using SeleniumBase as a BDD framework. SeleniumBase can
be configured to redirect requests through a proxy which
Test Type # Tests Inform. Low Medium High Total
WAST 13 URLs 7 6 1 1 15 works fine in native installations. However, SeleniumBase only
SAS 1 URL 1 3 0 0 4 accepts an IP address as a proxy target. Because docker-
BDST 2 UCs 32 28 0 0 50
compose assigns a dynamic IP to a container when it is
started, it is not possible to refer to this IP using the default
configuration, hence further customization is required.
inserting SQL commands into the username field. This attack Using SeleniumBase we defined a test case that performed
was not detected by ZAP. The evaluation of the test results an SQLi against the WebGoat application. However, it turns
took 1 minute and 5 seconds. An overview of these results out that the testing configuration is setup between the testing
can be found in Figure 5 and Table I. application and WebGoat’s UI, rather than between WebGoat
and its (backend) API. This resulted in ZAP not detecting the
presence of leaked information because the leak is outside of
the scope of what SeleniumBase is able to test.

V. D ISCUSSION
As the results in Section IV show, all three testing methods
can be performed in our setup and vulnerabilities are detected
by employing the existing tools for test automation in a
feasible way. The evaluation of the results stops the pipeline
and thereby prevent the undesired deployment of security flaws
to a production system.
One can easily see that the tests detected several security
issues that were categorized on a low or even informal risk
level (Table I). Depending on the scope of the system, the
evaluation of the ZAP results can be configured in such a way
Fig. 5. Build-, test-, and evaluation-time for all pipeline stages
that those alerts are ignored or only reported but do not lead to
a pipeline failure. Finally, we could show that our approach is
D. Challenges capable of satisfying the requirements which were defined in
In contrast to the quantified results of the case studies, we Section IV-A. In what follows, we will discuss the challenges
also present qualitative results because they are important to that we encountered in our case study.
identify challenges in the integration of automated DAST into One demanding challenge is to keep the run-time of a
CI/CD. Solutions to the problems that are discussed here are pipeline to a minimum. In our case study we were initially not
presented in Section V. able to achieve the maximum execution time of 10 minutes.
a) Synchronization: In the docker-compose setup of all However, in our approach we suggest means to resolve this
three testing techniques, we encountered the problem that all problem to a certain extent. Building the security testing
containers were marked as ready but the application inside component is the slowest part of our CI/CD pipeline. As
the container was still starting. This resulted in tests being already mentioned, we excluded this component from our
triggered while e.g. WebGoat or ZAP were not yet ready. For pipeline and deployed it separately. This results in the desired
SAS this caused the program to exit without any test results, reduction of the overall run-time and derives to a result that we
while for BDST this caused the SeleniumBase container to consider to be adequate as it meets our requirement for quick
crash with an error. build times. Another solution is to execute different testing
b) Pipeline Termination: Another recurring problem was types but also individual test cases in parallel. Note however
pipeline termination. Despite the tests finishing as intended, that this applies only to SAS and BDST. Our WAST setup
the remaining docker containers were still running. This is provides no built-in functionality that allows for distributed
not a surprise because ZAP and WebGoat are standalone testing. Furthermore, the run-time depends heavily on the scale
software systems that are designed to run until they are stopped and complexity of the system that is being tested. If a WAST
explicitly. If this is not done the CI job will never finish and scan takes longer than what is considered as an acceptable
one could never determine if the dynamic security test has waiting time for regular development, we recommend to only
passed or failed. execute this type of testing for the continuous delivery and
A similar problem related to containerization was to get continuous deployment stages of the project.
the results form ZAP. Since zap provides its results through The second and most challenging part that we encountered
a web UI, there was no clear way to extract these from the was the advanced expertise in containerizing all components
container. However, it is possible to make an HTTP request involved in the test environment. Generally speaking, we found
that downloads the test results in JSON or HTML format. that many pitfalls in this area come from the isolated nature

152

Authorized licensed use limited to: Auckland University of Technology. Downloaded on December 19,2020 at 15:36:40 UTC from IEEE Xplore. Restrictions apply.
of containerized applications and therefore a fair amount of TABLE II
OVERVIEW ON INTEGRATION CHALLENGES
knowledge of tools like Docker and GitLab CI are required.
This included long starting times of components, termination 4 Challenges and proposed solutions of integrating DAST into CICD
of endless running containers, extracting test results, and 1. Challenge - keeping the run-time at a minimum
mismatches of dynamic IP addresses. Development Teams • parallelize different testing types and if possible also individual tests
should therefore consider to invest into advanced training for • deploy testing tools such as ZAP outside the CI/CD pipeline
• exclude testing techniques with longer run-time from CI stage
developers regarding containerization. The four problems of
2. Challenge - lack of containerization expertise testing tools
the containerization challenge are listed as follows:
• provide team training in containerization techniques
1) Several services are executed before other required ser- 3. Challenge - test complexity
vices or even the system under test are started. One can • apply TDD techniques for API design
address this issue with adding synchronization means to • integrate security experts in all development stages
(follows sharing pillar of CAMS)
the affected containers (mostly waiting for all services
4. Challenge - vulnerability coverage
to be properly started). The result is that the testing
• combine testing techniques to achieve a higher coverage of vulnerabilities
container is paused until all services are available which
solves this issue.
2) The CI/CD pipeline does not terminate due to web
services that wait for an explicit shutdown. This can hacker. The setup that is suggested is capable of performing
be solved by adding several shut down mechanisms. these scenarios as our two test cases show. However, we
Solutions for this depend on whether a certain service were not able to detect the SQLi attack scenario. This is
already provides such a mechanism that merely has to not a surprise because ZAP is only a proxy between the
be triggered or whether terminating an entire container BDD framework and the web application. The malicious
needs to be forced. request however is sent between the web application and
3) Storing test results of stand alone tools in a CI/CD its underlying web service. In order to detect those security
pipeline before a certain container is terminated is an- flaws we suggest to use SAS in addition to BDST to analyse
other problem related to containerization. We solved the requests sent to the web service’s API. The SAS testing
this problem by storing the test reports temporarily to technique is the most flexible because it allows to test every
disc. Subsequently, one needs to export those to the single endpoint individually. This is important as was shown
corresponding CI tool (artifacts in GitLab CI) in order by the previous example of BDST. However, creating and
to make them available to the development team. managing tests for every single endpoint of an API can become
4) The last problem is the default absence of IP addresses in increasingly complex for large applications. Furthermore, the
container orchestration (e.g. docker-compose). Nonethe- flexibility of the tests can easily lead to forgetting certain
less, several tools require these addresses in order to prop- aspects in the tests. Unfortunately, the solution to cover as
erly perform their tasks. Therefore, one needs to introduce much vulnerabilities as possible exacerbates the challenges
fixed IP addresses in their container orchestration. of the test complexity. Furthermore, increased test complexity
and maintenance for larger systems is already a known issue in
The third challenge is to deal with increasing complexity DevOps, and therefore not a challenge unique to DevSecOps.
of security tests. Especially for those techniques where the
developer has to create a test case manually as it is in SAS VI. R ELATED W ORK
and BDST, the number of tests will grow rapidly over time. With the increased adoption of CI/CD pipelines in software
Therefore, we suggest to consider SAS already in the API development, the concept of DevSecOps has gained popularity
design. The team should fall back to the experience of a in the research community. Many of the recent works have
security expert in order to determine possible attack scenarios been in the form of surveys that try to define the core
against this API. The experts should then be included in the concepts in DevSecOps and provide perspectives of different
test design as well. Subsequently, the API development should stakeholders.
follow test driven development (TDD) and start with creating Myrbakken and Colomo-Palacios aim to provide a definition
the SAS test case. This ensures that no API is forgotten and for DevSecOps, what its main benefits are and how the
no vulnerabilities remain undetected. need for DevSecOps emerged from DevOps [2]. The authors
Finally, no single testing technique is a silver bullet for found that DevSecOps is defined as the integration of security
detecting all security flaws. Hence, development teams have processes and practices that are meant to shift the mindset of
to tackle the challenge of using different testing techniques all participants in the SDLC to get everyone to do what they
to cover as much vulnerabilities as possible. For example, can to ensure security of a system. Our work investigates the
the WAST technique requires the least amount of integration pitfalls of integrating security processes into the SDLC.
effort. The default setup of ZAP is however not capable of [8] presents a study in which six software developers were
finding all resources since the spider scan is a.o. not capable interviewed in order to get a better understanding of their
of detecting resources that require authorization [13]. On the view on the four pillars of DevOps: culture, automation,
other hand, BDST allows testing from the perspective of a measurement and sharing. We concentrate mainly on the

153

Authorized licensed use limited to: Auckland University of Technology. Downloaded on December 19,2020 at 15:36:40 UTC from IEEE Xplore. Restrictions apply.
automation pillar. In addition, our work provides preliminary First promising approach for the latter challenge is described
solutions on how to increase the automation level in security by Shoshitaishvili et al. in [23]. We are planning to apply their
testing. methodology into our framework.
Yasar and Kontostathis provide the 8 best practices on how
R EFERENCES
to ensure sufficient security in DevOps [6]. These practices
aim to deal with the negative feelings that developers have [1] P. M. Mell and T. Grance, “Sp 800-145. the nist definition of cloud
computing,” Gaithersburg, MD, USA, Tech. Rep., 2011.
towards information security while being easily integratable [2] H. Myrbakken and R. Colomo-Palacios, “Devsecops: A multivocal
into the rapid release cycles that are enabled by modern literature review,” 09 2017, pp. 17–29.
DevOps. This is achieved by shifting security from following [3] B. Fitzgerald and K.-J. Stol, “Continuous software engineering: A
roadmap and agenda,” Journal of Systems and Software, vol. 25, 07
a set of rules and guidelines to a proactive approach where 2015.
security can be tackled by using creative solutions to solve [4] J. Willis, “What devops means to me,” https://blog.chef.io/
though security problems at an early stage in the SDLC. what-devops-means-to-me/, 07 2010, accessed: 26-02-2020.
[5] J. Humble and J. Molesky, “Why enterprises must adopt devops to enable
However, none of these works present an implementation level continuous delivery,” vol. 24, pp. 6–12, 08 2011.
case study and discuss technical challenges as described in this [6] H. Yasar and K. Kontostathis, “Where to integrate security practices on
paper. devops platform,” International Journal of Secure Software Engineering,
vol. 7, pp. 39–50, 10 2016.
[22] presents an industrial case study to identify the chal- [7] S. Kraemer, P. Carayon, and J. Clem, “Human and organizational factors
lenges and best practices in adopting DevSecOps. Their work in computer and information security: Pathways to vulnerabilities,”
considers the challenges at the business process level (as Computers & Security, vol. 28, pp. 509–520, 10 2009.
[8] N. Tomas, J. Li, and H. Huang, “An empirical study on culture,
opposed to implementation level) and is mostly tailored to automation, measurement, and sharing of devsecops,” 06 2019, pp. 1–8.
separation of duties in performing tasks. Although we also [9] O. J. of the European Union, “Regulation (eu) 2016/679 - general data
identify challenges in adopting DevSecOps, our work focuses protection regulation,” https://eur-lex.europa.eu/legal-content/EN/TXT/
HTML/?uri=CELEX:32016R0679#d1e1374-1-1, accessed: 05-09-2020.
on integrating technical solutions into the SDLC. [10] M. Kreitz, “Security by design in software engineering,” SIGSOFT
Perhaps one of the most relevant work in terms of automated Softw. Eng. Notes, vol. 44, no. 3, p. 23, Nov. 2019. [Online]. Available:
security testing in CI/CD is [13]. The author lists the scope https://doi.org/10.1145/3356773.3356798
[11] “Owasp top ten,” https://owasp.org/www-project-top-ten/, accessed: 27-
and challenges found in the automation of security testing. Dy- 02-2020.
namic penetration testing and fuzz testing are discussed using [12] T. Hsu, Hands-On Security in DevOps: Ensure Continuous Security,
practical examples with a number o tools such as OWASP Deployment, and Delivery with DevSecOps. Packt Publishing, 2018.
[13] T. H.-C. Hsu, “Practical security automation and testing: tools and
ZAP, JMeter and Selenium. These tools are evaluated in three techniques for automated security scanning and testing in devsecops,”
case studies on the security of web applications. Although 2019.
interesting, the information provided are often incomplete and [14] P. Zech, “Risk-based security testing in cloud computing environments,”
in 2011 Fourth IEEE International Conference on Software Testing,
failure prone. In addition, the author discusses various security Verification and Validation, March 2011, pp. 411–414.
testing techniques in the context of CI/CD. However, he misses [15] R. K. Lenka, S. Kumar, and S. Mamgain, “Behavior driven development:
to identify relevant challenges one need to tackle to properly Tools and challenges,” in 2018 International Conference on Advances in
Computing, Communication Control and Networking (ICACCCN), Oct
integrate DAST techniques in CI/CD pipelines. 2018, pp. 1032–1037.
In this paper, we define general requirements for dynamic [16] S. A. I. B. S. Arachchi and I. Perera, “Continuous integration and
security testing in CI/CD, identify challenges and provide continuous delivery pipeline automation for agile software project
management,” in 2018 Moratuwa Engineering Research Conference
solutions for addressing these requirements and challenges. (MERCon), May 2018, pp. 156–161.
[17] “Free for open source application security tools,” https://owasp.org/
VII. C ONCLUSION & F UTURE W ORK www-community/Free for Open Source Application Security Tools,
accessed: 10-06-2020.
In this paper, we studied the integration of continuous [18] “Seleniumbase (https://seleniumbase.com/),” accessed: 16-03-2020.
(dynamic) security testing into CI/CD pipelines. To our knowl- [19] “Pytest ( https://docs.pytest.org/en/latest/contents.html),” accessed: 22-
edge, our work provides the first academic view on the topic. 03-2020.
[20] M. Fowler. (2017) Continuousintegrationcertification. [Online]. Avail-
We defined eight requirements for a proper adaptation of able: https://martinfowler.com/bliki/ContinuousIntegrationCertification.
automated dynamic application security testing for DevSecOps html
teams. These requirements ensure practical and agile develop- [21] ——. (2006) Continuous integration. [Online]. Available: https:
//martinfowler.com/articles/continuousIntegration.html
ment of web applications, web services and alike. In order to [22] V. Mohan, L. B. Othmane, and A. Kres, “BP: security concerns and best
identify the practical challenges in meeting these requirements, practices for automation of software deployment processes: An industrial
we performed a case study by integrating three commonly case study,” in 2018 IEEE Cybersecurity Development, SecDev 2018,
Cambridge, MA, USA, September 30 - October 2, 2018. IEEE Computer
known security testing tools into a CI/CD pipeline. We believe Society, 2018, pp. 21–28.
that the interested DevSecOps teams can benefit from our [23] Y. Shoshitaishvili, M. Weissbacher, L. Dresel, C. Salls, R. Wang,
work as they can use our approach as a reference architecture C. Kruegel, and G. Vigna, “Rise of the hacrs: Augmenting
autonomous cyber reasoning systems with human assistance,” in
for dynamic testing in CI/CD pipelines and learn from the Proceedings of the 2017 ACM SIGSAC Conference on Computer
challenges/solutions we outlined. and Communications Security, ser. CCS ’17. New York, NY, USA:
As future work, we want to focus our research on auto- Association for Computing Machinery, 2017, p. 347–362. [Online].
Available: https://doi.org/10.1145/3133956.3134105
matically patching detected vulnerabilities and automated test
generation in case of behavioral changes in the application.

154

Authorized licensed use limited to: Auckland University of Technology. Downloaded on December 19,2020 at 15:36:40 UTC from IEEE Xplore. Restrictions apply.

You might also like