
Implement automated security testing pipeline

  • Author: Janika Ruoranen
  • Date / Version: 19/02/2024

User roles

  1. Developer (Dev)
  2. Security Analyst (Sec)

Prerequisites / Conditions

  1. A functioning CI/CD pipeline is in place.
  2. Security scanning tools and software are pre-installed and configured.

[UML diagram of the use case; image not included in this text]

Description of use case

  1. Developer commits code to the repository.
  2. CI/CD pipeline automatically initiates the security scan.
  3. Security scan identifies potential vulnerabilities.
  4. Security report is generated and sent to the Security Analyst.
  5. Security Analyst reviews the report and decides whether to update security rules or inform the developer to make changes.
  6. Security Analyst updates the security rules or guides the developer to resolve issues.

Exceptions

  • E1: Security scanning tools fail to initiate.
  • E2: Security report contains false positives or fails to detect actual threats.
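As an added illustration that is not part of the original use case, the following Python sketch models the pipeline stage in steps 2 to 5 together with exceptions E1 and E2: it invokes a scanner, fails the stage explicitly when the tool cannot start (E1) instead of passing silently, applies analyst-maintained suppression rules to known false positives (E2, step 6) and builds the report handed to the Security Analyst. The finding format, the rule format and the `run_scanner` callable are assumptions; the sample findings are constructed.

```python
import json
from dataclasses import dataclass, field

# Constructed sample scanner output (not from any real tool): one finding per dict.
SAMPLE_FINDINGS = [
    {"id": "SQLI-001", "file": "app/db.py", "line": 42, "severity": "high"},
    {"id": "XSS-007", "file": "app/views.py", "line": 10, "severity": "medium"},
    {"id": "HC-SECRET", "file": "tests/fixtures.py", "line": 3, "severity": "high"},
]

# Analyst-maintained rules (step 6): suppress a known false positive (E2) and set the gate.
SAMPLE_RULES = {
    "suppress": [{"id": "HC-SECRET", "path_prefix": "tests/"}],  # fixture, not a real secret
    "fail_on": ["high"],
}

class ScannerStartError(RuntimeError):
    """E1: the scanning tool could not be initiated."""

@dataclass
class Report:
    findings: list = field(default_factory=list)
    suppressed: list = field(default_factory=list)
    gate_passed: bool = True
    error: str = ""

def is_suppressed(finding, rules):
    # A rule matches on finding id plus a path prefix, so suppression stays narrow.
    return any(r["id"] == finding["id"] and finding["file"].startswith(r["path_prefix"])
               for r in rules.get("suppress", []))

def run_stage(run_scanner, rules):
    """Steps 2-4: run the scan, apply rules, build the report for the Security Analyst."""
    report = Report()
    try:
        raw = run_scanner()
    except ScannerStartError as exc:
        # E1: a scan that never ran must fail the stage, never pass by default.
        report.gate_passed = False
        report.error = f"E1 scanner failed to initiate: {exc}"
        return report
    for f in raw:
        (report.suppressed if is_suppressed(f, rules) else report.findings).append(f)
    report.gate_passed = not any(f["severity"] in rules["fail_on"] for f in report.findings)
    return report

def render(report):
    """Serialise the report (step 4) for delivery to the analyst."""
    return json.dumps(report.__dict__, indent=2)

if __name__ == "__main__":
    print(render(run_stage(lambda: SAMPLE_FINDINGS, SAMPLE_RULES)))
```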

Result

  • The security testing pipeline successfully detects and reports security issues, which are then addressed to enhance the system's security posture.

Use frequency

  • This use case is executed with every code commit by a developer or at least once daily (whichever is more frequent).

Additional information

  • Continuous integration of security testing into the CI/CD pipeline ensures early detection of vulnerabilities, reducing the window in which they could be exploited.
  • Security rules and configurations should be reviewed and updated regularly to adapt to new security challenges.

Sources

Thanks to the original authors.