HuskyCI: a security testing orchestrator for agile software development cycles

  • Thiago Lotufo, Globo Comunicação e Participações S/A
  • Sérgio Câmara, Globo Comunicação e Participações S/A

Abstract
DevSecOps combines development, security, and operations to create an agile and secure software delivery process. The methodology promotes the integration of security into the development cycle, which reduces remediation costs and effort. CI/CD pipelines automate the flow of code from build to production, while SAST and SCA tools detect security vulnerabilities in it. In this article, we present HuskyCI, an open source tool that orchestrates security tests in CI pipelines, offering support for multiple languages and integration with existing tools. We assessed the execution time of these tests and concluded that it does not compromise the agile development cycle of the projects.

Published: 2024-09-16

LOTUFO, Thiago; CÂMARA, Sérgio. HuskyCI: a security testing orchestrator for agile software development cycles. In: TOOLS - BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 24., 2024, São José dos Campos/SP. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2024. p. 97-104. DOI: https://doi.org/10.5753/sbseg_estendido.2024.243396.