Implement automated security testing pipeline
- Author: Janika Ruoranen
- Date / Version: 19/02/2024
User roles
- Developer (Dev)
- Security Analyst (Sec)
Prerequisites / Conditions
- A functioning CI/CD pipeline is in place.
- Security scanning tools and software are pre-installed and configured.
Description of use case
- Developer commits code to the repository.
- CI/CD pipeline automatically initiates the security scan.
- Security scan identifies potential vulnerabilities in the committed code.
- A security report is generated and sent to the Security Analyst.
- The Security Analyst reviews the report and separates true findings from false positives.
- For false positives, the Security Analyst updates the security rules (for example the scanner's rule set or an annotated suppression list); for true findings, the Security Analyst guides the Developer to resolve them.
Exceptions
- E1: Security scanning tools fail to initiate (for example a missing tool or an unreadable configuration). The pipeline must report this as a failed stage; a scan that never ran must not be recorded as a clean result.
- E2: The security report contains false positives or fails to detect actual threats. False positives are handled through the Security Analyst's rule updates; missed threats are not visible in the report itself, so scanner rule sets and vulnerability data must be kept current.
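The steps above and both exceptions, shown as an added example that is not part of the original use case or its authors' tooling: a small gate script that a pipeline would run after the scanner. It assumes a constructed JSON report format (the keys `findings`, `id`, `rule`, `severity`, `file`, `line`) and a constructed suppression file maintained by the Security Analyst; real scanners use SARIF or their own formats. It fails closed on E1 (no usable report is an error, not a clean scan) and applies the analyst's suppressions for E2.

```python
import json
import sys

# Severity ordering used by the gate. Anything not listed is treated as
# unknown and blocks the build (fail closed) rather than being ignored.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample scanner output for illustration; the keys below are an
# assumption of this example, not a real tool's format.
SAMPLE_REPORT = json.dumps({
    "tool": "example-scanner",
    "findings": [
        {"id": "F-001", "rule": "hardcoded-secret", "severity": "high",
         "file": "app/config.py", "line": 12},
        {"id": "F-002", "rule": "weak-hash", "severity": "medium",
         "file": "app/auth.py", "line": 40},
        {"id": "F-003", "rule": "debug-enabled", "severity": "low",
         "file": "app/settings.py", "line": 3},
    ],
})

# Constructed suppression list: the "security rules" the Security Analyst
# updates after reviewing a false positive (exception E2). Kept in the repo
# so every suppression carries a reason and a review date.
SAMPLE_SUPPRESSIONS = json.dumps({
    "suppressions": [
        {"rule": "weak-hash", "file": "app/auth.py",
         "reason": "hash is a non-security cache key", "reviewed": "2024-02-19"},
    ],
})


class ScannerNotRun(Exception):
    """The scanner produced no usable report (exception E1)."""


def load_report(report_text):
    """Parse scanner output. Raises ScannerNotRun instead of returning an
    empty list, so a scanner that never started cannot look like a clean scan."""
    if not report_text or not report_text.strip():
        raise ScannerNotRun("scanner produced no report")
    try:
        data = json.loads(report_text)
    except json.JSONDecodeError as exc:
        raise ScannerNotRun(f"report is not valid JSON: {exc}") from exc
    if not isinstance(data, dict) or not isinstance(data.get("findings"), list):
        raise ScannerNotRun("report has no 'findings' list")
    return data["findings"]


def load_suppressions(text):
    """Parse the analyst-maintained suppression list; empty input means none."""
    if not text or not text.strip():
        return []
    return json.loads(text).get("suppressions", [])


def is_suppressed(finding, suppressions):
    """Match on rule and file rather than on the scanner's finding id, because
    ids are typically regenerated on every run."""
    return any(s["rule"] == finding["rule"] and s["file"] == finding["file"]
               for s in suppressions)


def gate(findings, suppressions, fail_at="high"):
    """Classify findings and decide whether the pipeline stage passes."""
    threshold = SEVERITY_RANK[fail_at]
    result = {"blocking": [], "suppressed": [], "informational": []}
    for f in findings:
        rank = SEVERITY_RANK.get(str(f.get("severity", "")).lower())
        if is_suppressed(f, suppressions):
            result["suppressed"].append(f)
        elif rank is None or rank >= threshold:
            # Unknown severity blocks: fail closed.
            result["blocking"].append(f)
        else:
            result["informational"].append(f)
    result["passed"] = not result["blocking"]
    return result


def format_summary(result):
    """Plain-text summary for the report sent to the Security Analyst."""
    lines = [f"gate: {'PASS' if result['passed'] else 'FAIL'}"]
    for bucket in ("blocking", "suppressed", "informational"):
        for f in result[bucket]:
            lines.append(f"  [{bucket}] {f['id']} {f['rule']} "
                         f"({f['severity']}) {f['file']}:{f['line']}")
    return "\n".join(lines)


def main(argv):
    """Usage: gate.py [report.json [suppressions.json]]. Without arguments the
    constructed samples are used. Exit 2 on E1, 1 on blocking findings."""
    try:
        report_text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
        supp_text = open(argv[2]).read() if len(argv) > 2 else SAMPLE_SUPPRESSIONS
        result = gate(load_report(report_text), load_suppressions(supp_text))
    except (OSError, ScannerNotRun) as exc:
        print(f"gate: scanner did not run or report unusable: {exc}")
        return 2
    print(format_summary(result))
    return 0 if result["passed"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The distinct exit code for E1 matters: a CI job that treats "no findings" and "no report" the same way will show green when the scanner silently failed to start. Suppressions live in the repository next to the code so that rule changes by the Security Analyst are reviewed and versioned like any other change.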
Result
- The security testing pipeline successfully detects and reports security issues, which are then addressed to enhance the system's security posture.
Use frequency
- This use case is executed on every code commit by a developer and at least once daily on a schedule, whichever is more frequent; the scheduled run picks up vulnerability data and rule updates published since the last commit.
Additional information
- Continuous integration of security testing into the CI/CD pipeline ensures early detection of vulnerabilities, shortening the time between a flaw being introduced and being fixed and reducing the chance that an exploitable flaw reaches production.
- Security rules and configurations should be reviewed and updated regularly to adapt to new security challenges.
Sources
Thanks to the original authors.