Implementation of DevSecOps by Integrating Static and Dynamic Security Testing in CI CD Pipelines

This document discusses implementing DevSecOps by integrating static and dynamic security testing into CI/CD pipelines. It presents a solution to automate building, testing, and deploying using tools like GitLab and Docker. The process uses continuous development, testing, integration, deployment, and monitoring across five stages. This speeds up releases by taking 3-4 minutes compared to previous manual processes that took several hours. It also conducts static and dynamic security testing to help ensure system security.

Implementation of DevSecOps by Integrating Static and Dynamic Security Testing in CI/CD Pipelines

Agung Maulana Putra
Department of Cybersecurity Engineering
Politeknik Siber dan Sandi Negara
Bogor, Indonesia
[email protected]

Herman Kabetta
Department of Cryptographic Engineering
Politeknik Siber dan Sandi Negara
Bogor, Indonesia
[email protected]

2022 IEEE International Conference of Computer Science and Information Technology (ICOSNIKOM) | 979-8-3503-9907-3/22/$31.00 ©2022 IEEE | DOI: 10.1109/ICOSNIKOM56551.2022.10034883

Abstract— Problems at the build, test, and deploy stages are standard in the development lifecycle of systems with Agile. They are time-consuming and cause releases to fall behind schedule. DevSecOps provides the solution to this problem. This study delivers a build, test, and deployment automation solution for those working in an Agile SDLC environment. It is an approach to implementing DevSecOps on an information system's Agile SDLC, a web-based software developed with the Node.js and Dart programming languages and the Express.js and Flutter frameworks. The process carried out in this study uses GitLab and Docker tools and consists of five stages: continuous development, continuous testing, continuous integration, continuous deployment, and continuous monitoring. This approach shortens the time and streamlines the build, testing, and deployment, whereas previously the process of system development was done manually. A deployment that previously took up to several hours takes only 3-4 minutes after automation was applied to the deployment process. In addition, we conduct a combination of automated static and dynamic security testing to help ensure the system's security by obtaining results related to vulnerabilities.

Keywords—Build, Deploy, Docker, Test, DevSecOps, DevOps

I. INTRODUCTION

Most information systems use the Agile development life cycle in their development and maintenance. Agile is a relatively modern method because it emphasizes improvisation and adaptation. Even so, the Agile method workflow still applies the traditional systematic pattern. In Agile work environments, there are frequent issues with the build and deploy phases, which are time-consuming and lead to unscheduled release times.

DevOps (Development and Operations) is a new method that takes a collaborative and integrative approach between the development team (Dev) and the software operations team (Ops) in the process of developing and delivering software to infrastructure [1]. The DevOps method is proven to be able to reduce some of the development stages that exist in the old method. DevOps is able to shorten the time between software development and operation without compromising the quality of the software itself. DevOps is capable of delivering early-release software with a high frequency. The build, test, and deployment processes can detect problems earlier, so the code can be rolled back if there is an error during an update. The auto-deploy process can make earlier and more effective releases for software requiring a high update frequency. Figure 1 shows Agile's coding and testing process and how it compares with DevOps.

Technological advances such as Continuous Engineering, specifically DevOps, allow some organizations to gain a competitive advantage. However, security concerns have increased due to security breaches, such as large-scale data breaches, which have forced organizations worldwide to pay more attention to security threats [2]. Therefore there is a need for security integration in DevOps, namely DevSecOps. DevSecOps aims to integrate security controls and processes into the DevOps software development life cycle with collaboration among the security, development, and operations teams.

Fig. 1. Differences in Design, Coding, Testing, and Deploy in Agile and DevOps
Source: reprocessed from [1]

In this study, auto deploys to the server will be carried out to speed up and streamline the release process using GitLab CI/CD. It performs automated static and dynamic security testing before auto-deploying the system through the git commit mechanism. So the DevSecOps method is expected to be a solution for developing an information system.

II. RELATED WORKS

Shajadi, Abdollah [16] conducted research on Automating Security Tests For Web Applications In Continuous Integration And Deployment Environments. In his study, the tools and process mechanisms were developed to implement automated security tests for web applications. The technology used is the Burp Suite Pro tool, the Python programming language, and the GitLab CI/CD tool. The results show that a Python script named Skinner performs automated security testing with Burp Suite Pro on the GitLab CI pipeline using the DevSecOps implementation procedure.

The second study was conducted by Tohirin et al. [1]. In their study, DevOps was implemented on the SDLC Agile Scrum web-based Covid-19 e-Screening application developed with the PHP programming language and the Laravel framework. The results show that DevOps can be implemented well in the development process of e-Screening Covid-19 applications. Its code merging occurs quickly, daily builds are smooth, and code health and feasibility checks occur every time the developer commits and pushes. Tohirin et al. [1] use the DevSecOps method with the Dart and Node.js programming languages and the Flutter and Express.js frameworks, which are applied to an information system based on mobile and web applications.

The third research is conducted by Shama, Abriza Mahandis, and Dian W. Chandra [17]. In this research, a DevSecOps system was created for automation to speed up developer work and improve code quality. The result of this

Authorized licensed use limited to: Universitas Indonesia. Downloaded on August 31,2023 at 04:16:39 UTC from IEEE Xplore. Restrictions apply.
research is that the developer's work process at PT. Emporia Digital Raya is faster because it is assisted by the CI/CD process, and the quality of the program code is improved with the SAST process. In this study, the GitLab CI/CD tool is used as a system for auto deploy to the server to speed up and streamline the release process for an information system development.

The fourth research is conducted by Rangnau et al. [24]. In their study, a case study applies three different testing techniques in CI/CD. This enables the identification of pitfalls, challenges, and shortcomings DevOps teams may encounter while automating security tests. Three dynamic application security testing techniques are integrated into a CI/CD pipeline: Web Application Security Testing (WAST) using Zed Attack Proxy (ZAP), Security API Scanning (SAS) with JMeter, and Behaviour Driven Security Testing (BDST) using the SeleniumBase automation framework. The result of this research is to enable informed decisions when implementing DevSecOps practices in agile enterprise applications engineering processes and enterprise security.

TABLE I. RELATED WORKS COMPARISON
Factor | Related Works: [1] [16] [17] [24] | This Study
DAST | ✓ ✓ ✓
SAST | ✓ ✓ ✓
Open Source Testing Tools | ✓ ✓
Adopt in Agile Software Development | ✓ ✓ ✓
Continuous Deployment | ✓

III. RESEARCH METHODOLOGY

This research method performs several stages in planning, analysis, implementation, and testing, as seen in figure 2.

Fig. 2. Research Design
Source: reprocessed from [1]

• Continuous Development
The plan is the stage where the planning process is carried out in a job [1]. At this stage, we use GitLab tools because CI/CD tools can do CI/CD storage and code management in the same place. Code is the stage where developers create, manage, and share code in the repository [1]. Coding is done using git to keep the code under version control, so that the system can be controlled more easily.

• Continuous Testing
In this study, the build phase was carried out to automate and standardize the process for building and implementing code on information systems. The test is the stage of conducting unit testing of application features to check for vulnerabilities or check public endpoints to ensure they are accessible [16]. In the aspect of security testing, we perform static and dynamic tests automatically after the code is committed. Static testing is performed by automating the NJSSCAN tool, whereas dynamic testing is performed by automating the OWASP ZAP tool. This research focuses on the implementation of this stage.

• Continuous Integration
In this study, GitLab is used to detect commits made by developers as early as possible and perform code integration, which involves compiling and reviewing code. GitLab is connected to the server so the deployment process can be carried out.

• Continuous Deployment
Deployment automation accelerates software deployment, ensures more consistency in the development process, and deploys secure configurations for all systems and services. The Docker and GitLab CI/CD tools were used [17]. This stage is rejected when the automated security test in the continuous testing stage fails.

• Continuous Monitoring
In this study, the monitoring stage is carried out on software performance after the application is deployed on the server to identify network or server problems and root causes and maintain security [17].

IV. RESULT AND DISCUSSION

At this stage, the DevSecOps implementation is carried out to auto-deploy the system using GitLab CI/CD, starting from the development stage to the deployment and monitoring process.

A. Continuous Development

The first step at this stage is to create a GitLab project and add the application files. Next, the repository is cloned locally to be able to run the application locally and perform testing on the application. Then the GitLab remote repository is linked to the local repository, which aims to integrate the development process.

Fig. 3. GitLab cloning and remote process

Then the data in the local repository is committed and pushed to GitLab using git bash. All data in the local repository is automatically sent to the GitLab repository.

Fig. 4. Execute git commit and git push

To have a repository on the Docker Hub, you can sign up or register at the Docker Hub and create a Docker account in the free version. The image registry address in Docker Hub is used to push images built by the pipeline into that repository. GitLab requires the username and password credentials of the user's Docker Hub account to enter the registry before the push image is performed. The username and password credentials of the Docker Hub account are not included in the pipeline code because the pipeline is part of a publicly accessible repository. Therefore a project variable is created in the CI/CD pipeline configured in the GitLab project settings. Of course, it is more secure to protect confidential or sensitive data this way.

Fig. 5. Project variables that have been created

The code management process is carried out at the Code stage using the CI/CD pipeline on GitLab. All CI/CD configurations are written in YAML file format with the name ".gitlab-ci.yml". Tasks in the CI/CD pipeline are configured as jobs, such as running testing, building images, and deploying to the server. To build a Docker image from a Node.js application, a Dockerfile is used, which defines the base image of the application server and serves as the place to install all the dependencies required by the application.

A Dockerfile is a text document that contains the commands to build an image. Using the docker build command, the user can execute multiple command line instructions sequentially. The FROM instruction initializes a new build stage and sets the base image for the next instruction. Figure 6 shows the contents of the Dockerfile configuration used.

Fig. 6. Dockerfile Configuration

B. Continuous Testing

At the Build stage, the release pipeline builds the Node.js application by executing application tests, building a Docker image, and deploying it to the server. Here is the configuration of the image build process:

    before_script:
      # The registry credentials come from the project variables (Fig. 5).
      # The password is read from stdin rather than passed with -p, which
      # would expose it in the process list and in the job log.
      - echo "$REGISTRY_PASS" | docker login -u "$REGISTRY_USER" --password-stdin
    Build:
      stage: build
      script:
        - docker build -t $CONTAINER_RELEASE_IMAGE .
        # Tagging the image with its own name is a no-op; kept as in the original pipeline.
        - docker tag $CONTAINER_RELEASE_IMAGE $CONTAINER_RELEASE_IMAGE
        - docker push $CONTAINER_RELEASE_IMAGE
      tags:
        - agung

Values in the pipeline, such as image tag names, can be extracted into custom variables. Using variables, among other things, can store values you want to reuse and reduce code duplication [20].

    variables:
      CONTAINER_RELEASE_IMAGE: agungmp30/system:v1

Furthermore, security testing is carried out at this stage, including static and dynamic tests. Testing is done using the Njsscan and OWASP-ZAP tools.

Fig. 7. Security testing integration scheme
Source: personal processing

The following is a static testing configuration using Njsscan.

    SAST:
      stage: test1
      image: python
      script:
        # "|| exit 0" discards njsscan's non-zero exit status when findings exist,
        # so this job reports but never fails.
        - njsscan . --html -o report.html || exit 0
      # allow_failure keeps the pipeline green even if the job itself fails.
      allow_failure: true
      artifacts:
        when: always
        untracked: false
        expire_in: 30 days
        paths:
          - report.html
      tags:
        - agung

The following is a dynamic testing configuration using OWASP-ZAP.

    DAST:
      stage: test2
      # The script below runs docker itself, so it executes on the runner host;
      # the image key only matters when the runner uses a docker executor.
      image: owasp/zap2docker-stable:latest
      script:
        - docker run -i owasp/zap2docker-stable zap-cli quick-scan --self-contained --start-options '-config api.disablekey=true' http://$SERVER_ADDRESS:8080 > zapreport.html
      allow_failure: true
      artifacts:
        when: always
        untracked: false
        expire_in: 30 days
        paths:
          - zapreport.html
      tags:
        - agung

In running the testing process, the job pipeline also automatically generates artifacts. The artifact contains information related to the application code scanning test results regarding the vulnerabilities contained in the application.

TABLE II. RESULT OF SECURITY TESTING ARTIFACT
RULE ID | node_insecure_random_generator
CWE | CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP-WEB | A9: Using Components with Known Vulnerabilities
DESCRIPTION | Crypto.pseudoRandomBytes()/Math.random() is a cryptographically weak random number generator.
SEVERITY | WARNING
FILES | File: app/utils/telebot.js; Match Position: 264 - 227; Line Number(s): 24; Match String: let message = `\n${name}

It can be seen in table II that there is a security gap based on CWE-327, namely the Use of a Broken or Risky Cryptographic Algorithm, which is an unnecessary risk that can result in the disclosure of sensitive information [18]. In addition, there are also security holes based on OWASP-WEB A9 regarding Using Components with Known Vulnerabilities, where components such as libraries, frameworks, websites, and other software modules that run with the same privileges as the application are vulnerable to exploitation [19].

C. Continuous Integration

Continuous integration includes a configuration process coordinated by GitLab CI/CD with the deployment server. At this stage, the GitLab runner is registered on the GitLab project that has been created. GitLab Runner is registered on the server for deployment. In addition, the deployment server is needed to auto-deploy and as a place to run Docker applications on the server. The server is built using the Amazon Web Service (AWS) platform with the configuration requirements, which can be seen in table III as follows.

TABLE III. CONFIGURATION ON AMAZON MACHINE IMAGE
No | Type | Information
1 | Software Image | Ubuntu Server 20.04 LTS (HVM), Canonical, amd64 focal image, 64-bit (x86)
2 | Virtual Server/Instance Type | t2.medium, 2 vCPU, 4 GB Memory
3 | Storage | SSD Volume 8 GB
4 | Private Key | RSA type, .pem file format

The key pair allows connecting to the instance securely. When prompted, store the private key in a secure, accessible location on the local machine to connect to the instance. The key pair consists of RSA private and public keys. The private key .pem file format is used with OpenSSH. The server is accessed remotely from the local machine using the SSH (Secure Shell) command by applying the SSH key added through the security settings on the server. SSH is used to access remote servers over the internet securely.

D. Continuous Deployment

The continuous deployment phase includes the deployment process, which is carried out by pushing images to servers operated via the GitLab CI/CD pipeline and Docker containers. The server is connected to the local machine by using the SSH command and the server IP address, which is the public IP address, and adding username credentials as authentication to connect to the server. After initialization, the configuration is done by installing Docker on the server to be able to run the Docker container in the process of deploying the Docker image to the server.

In the pipeline configuration, a new stage called "deploy" is added by creating a new job. The steps taken are using the SSH command locally, and GitLab Runner starting the container for the deploy job. The "docker run" command is executed to run Docker on the deployment server. The application runs on port 8080, which is exposed on the host. Before executing the "docker run" command, stop and delete existing containers or stop containers running on port 8080 so that new containers can be created on each subsequent execution run.

    - docker pull $CONTAINER_RELEASE_IMAGE
    # "docker ps -a -q" selects every container on the host, not only the one on port 8080.
    - docker stop $(docker ps -a -q) || true && docker rm -f $(docker ps -a -q) || true
    - docker run -d -p 8080:8080 $CONTAINER_RELEASE_IMAGE

Deployment validation can be performed via the GitLab CI/CD pipeline, inspecting the Docker containers running on the server and accessing the application via a web browser. Figure 8 shows the job status completed on the CI/CD pipeline.

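The SAST job above writes its report but cannot block a release: `|| exit 0` discards njsscan's exit status and `allow_failure: true` keeps the pipeline green even when a finding such as the CWE-327 entry in Table II is present, so the rejection that the methodology's continuous deployment stage describes never triggers. The following gate step is an added example, not code from the paper; it assumes njsscan is run with `--json -o report.json` in the same `python` image, that the report carries the rule/files/metadata layout with the cwe, owasp-web, description and severity fields seen in Table II, and the sample report is constructed from that table.

```python
"""sast_gate.py: fail the SAST job when njsscan reports findings at or above a severity."""
import json
import sys
from typing import Dict, List, Tuple

# njsscan severities, least to most serious.
SEVERITY_RANK: Dict[str, int] = {"INFO": 0, "WARNING": 1, "ERROR": 2}

# Constructed sample report (not real scanner output) mirroring the single
# finding in Table II, in the layout njsscan's JSON report is assumed to use.
SAMPLE_REPORT = {
    "nodejs": {
        "node_insecure_random_generator": {
            "files": [
                {
                    "file_path": "app/utils/telebot.js",
                    "match_lines": [24, 24],
                    "match_position": [227, 264],
                    "match_string": "let message = `\\n${name}",
                }
            ],
            "metadata": {
                "cwe": "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                "owasp-web": "A9: Using Components with Known Vulnerabilities",
                "description": "Crypto.pseudoRandomBytes()/Math.random() is a "
                               "cryptographically weak random number generator.",
                "severity": "WARNING",
            },
        }
    },
    "templates": {},
    "errors": [],
}

Finding = Tuple[str, str, str, int]  # (rule_id, severity, file_path, line)


def collect_findings(report: dict) -> List[Finding]:
    """Flatten every rule hit in the nodejs and templates sections into tuples."""
    findings: List[Finding] = []
    for section in ("nodejs", "templates"):
        for rule_id, rule in report.get(section, {}).items():
            severity = str(rule.get("metadata", {}).get("severity", "INFO")).upper()
            for hit in rule.get("files", []):
                lines = hit.get("match_lines") or [0]
                findings.append((rule_id, severity, hit.get("file_path", "?"), lines[0]))
    return findings


def blocking_findings(report: dict, threshold: str = "WARNING") -> List[Finding]:
    """Keep only findings whose severity is at or above `threshold`."""
    floor = SEVERITY_RANK[threshold.upper()]
    return [f for f in collect_findings(report) if SEVERITY_RANK.get(f[1], 0) >= floor]


def gate(report: dict, threshold: str = "WARNING") -> int:
    """Job exit code: 0 when nothing blocks, 1 when at least one finding does."""
    blocking = blocking_findings(report, threshold)
    for rule_id, severity, path, line in blocking:
        print(f"{severity}: {rule_id} at {path}:{line}")
    return 1 if blocking else 0


if __name__ == "__main__":
    # Intended pipeline use after the njsscan step in the SAST job (assumed steps):
    #   - njsscan . --json -o report.json || true
    #   - python sast_gate.py report.json WARNING
    # With no arguments the constructed sample report is gated instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            data = json.load(fh)
    else:
        data = SAMPLE_REPORT
    sys.exit(gate(data, sys.argv[2] if len(sys.argv) > 2 else "WARNING"))
```

With the gate in place, `allow_failure: true` should be dropped from the SAST job so that a non-zero exit code actually stops the deploy stage.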
Fig. 8. Job status-completed on pipeline

E. Continuous Monitoring

In the continuous monitoring stage, the monitoring process is carried out on the GitLab CI/CD pipeline, as the place to run deployment automation commands, and on the server, which includes collection, reporting, CPU usage, storage, memory usage, RAM allocation, and pipeline modifications used in system development. Server services must be accessible and run appropriately without experiencing interference, so server monitoring is needed so that the server's performance can run normally.

Fig. 9. Monitoring Dashboard

Monitoring activities help developers identify problems that can arise from system software. In addition, it can provide feedback that can be used for decision-making and improvement of the developed system by showing vulnerabilities and serving as material for the subsequent evaluation of the system development team.

F. Analysis

Based on the implementation that has been carried out, the results of the implementation of automation throughout the deployment chain can accelerate the work process for developers of an information system assisted by the CI/CD process and improve the quality of system security because there is a security testing process. The time required for this process is 3 minutes 18 seconds, which can be seen in figure 16.

Fig. 10. Job time status on pipeline

Therefore, compared with the development process on an information system that still applies the Agile system development life cycle, the results of the implementation of DevSecOps in this study can meet the needs in the application of system automation and shorten the work process in an information system. A comparison of the work process in an information system with the system applied in this study can be seen in table IV.

TABLE IV. COMPARISON OF WORK PROCESS
No | The work process in an information system | The work process applied to the research
1 | The process of deploying to the server manually | Deploy process to a server automatically with the CI/CD system
2 | The deployment work process takes 2-3 hours | The deployment process takes 3-4 minutes
3 | There is no security testing process | There is a security testing process
4 | Not deploying Docker containers on the system | Implementing a Docker container on the system

Based on the information above, it can be seen that the system automation carried out in the implementation of DevSecOps is able to increase efficiency in the aspect of the work process, whereas in an information system it takes up to several hours because the implementation process on the system is still done manually. In this study, the process is conducted automatically with the CI/CD system. It uses Docker by making the application an image that is run in a Docker container to simplify and speed up the build, test, and deployment process. Security testing is carried out in the automation process to ensure system security.

V. CONCLUSION

DevSecOps has been successfully implemented using GitLab and Docker tools integrated with the deployment server. This implementation consists of 5 parts: continuous development, continuous testing, continuous integration, continuous deployment, and continuous monitoring. System automation carried out in the implementation of DevSecOps is able to increase efficiency in the aspect of the work process, whereas in an information system it takes up to several hours because the implementation process on the system is still done manually. In this study, the process is carried out automatically with a CI/CD system where the deployment takes only 3-4 minutes using Docker, which renders the application as an image and runs it in a Docker container to simplify and speed up the build, test, and deploy process.

The combination of automated static and dynamic security testing performed in a DevSecOps implementation can help ensure system security. Real-time test results can quickly notify developers about security holes or vulnerabilities in the program so that repairs can be made as soon as possible to improve system security.

REFERENCES

[1] T. Tohirin, S. F. Utami, S. R. Widianto, and W. A. Mauludyansah, "Implementasi DevOps Pada Pengembangan Aplikasi e-Skrining Covid-19," MULTINETICS, vol. 6, no. 1, pp. 15–20, May 2020.
[2] V. Gupta, P. K. Kapur, and D. Kumar, "Modeling and measuring attributes influencing DevOps implementation in an enterprise using structural equation modeling," Inf. Softw. Technol., vol. 92, pp. 75–91, Dec. 2017.
[3] texnokot, "DevSecOps controls - Cloud Adoption Framework." https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/secure/devsecops-controls (accessed Jan. 11, 2022).

[4] B. A. Skurla, "DevOps Integration of Security Practices," p. 55, 2020.
[5] A. Agarwal, S. Gupta, and T. Choudhury, "Continuous and Integrated Software Development using DevOps," in 2018 International Conference on Advances in Computing and Communication Engineering (ICACCE), Paris, Jun. 2018, pp. 290–293.
[6] C. Ebert, G. Gallardo, J. Hernantes, and N. Serrano, "DevOps," IEEE Softw., vol. 33, no. 3, pp. 94–100, May 2016.
[7] S. Sharma, "DevOps For Dummies," the knowledge, p. 76, 2015.
[8] J. Van Baarsen, GitLab Cookbook: over 60 hands-on recipes to efficiently self-host your own Git repository using GitLab. Birmingham, Mumbai: Packt Publishing, 2014.
[9] S. Chacon and B. Straub, "Pro Git Second Edition," Apress.
[10] Anonymous, "How to convince leadership to adopt CI CD," GitLab. https://page.gitlab.com/2021_eBook_leadershipCICD.html (accessed Dec. 28, 2021).
[11] A. Mardan, "Express.js Guide," Leanpub, 2014.
[12] B. B. Rad, H. J. Bhatti, and M. Ahmadi, "An introduction to docker and analysis of its performance," International Journal of Computer Science and Network Security (IJCSNS), vol. 17, no. 3, p. 228, 2017.
[13] I. Miell and A. Sayers, "Docker in practice," Simon and Schuster, 2019.
[14] D. Sagar, S. Kukreja, J. Brahma, S. Tyagi, and P. Jain, "Studying open source vulnerability scanners for vulnerabilities in web applications," IIOAB JOURNAL, vol. 9, no. 2, pp. 43–49, 2018.
[15] F. Holik and S. Neradova, "Vulnerabilities of modern web applications," 2017 40th International Convention on Information and Communication Technology, Electronics and Microelectronics (MIPRO), pp. 1256–1261, IEEE, May 2017.
[16] A. Shajadi, "Automating Security Tests For Web Applications In Continuous Integration And Deployment Environment," p. 64.
[17] "DevSecOps: Incorporate Security into DevOps to Reduce Software Risk," Agile Connection. https://www.agileconnection.com/article/devsecops-incorporate-security-devops-reduce-software-risk (accessed Jan. 11, 2022).
[18] Y. He, R. S. Camacho, H. Soygazi, and C. Luo, "Attacking and Defence Pathways for Intelligent Medical Diagnosis System (IMDS)," International Journal of Medical Informatics, vol. 148, no. 104415, 2021.
[19] H. Tupsamudre, M. Sahu, K. Vidhani, and S. Lodha, "Fixing the Fixes: Assessing the Solutions of SAST Tools for Securing Password Storage," International Conference on Financial Cryptography and Data Security, pp. 192–206, Springer, Cham, 2020.
[20] N. Vendor, B. Mosolygo, and P. Hegelus, "Comparing ML-Based Predictions and Static Analyzer Tools for Vulnerability Detection," International Conference on Computational Science and Its Applications, pp. 92–105, Springer, Cham, 2022.
[21] D. Hariyadi and F. E. Nastiti, "Analisis Keamanan Sistem Informasi Menggunakan Sudomy dan OWASP ZAP di Universitas Duta Bangsa Surakarta," Jurnal Komtika (Komputasi dan Informatika), vol. 5, no. 1, pp. 35–42, 2021.
[22] S. Chalishhafshejani and B. K. Pham, "Automated software security activities in a continuous delivery pipeline," Faculty of Science and Technology, Springer semester, 2021.
[23] Fathurrahman and Ester, "Automatic Scanner Tools Analysis As A Website Penetration Testing," Jurnal Mantik, vol. 4, no. 2, pp. 1138–1144, 2020.
[24] T. Rangnau, R. v. Buijtenen, F. Fransen, and F. Turkmen, "Continuous Security Testing: A Case Study on Integrating Dynamic Security Testing Tools in CI/CD Pipelines," EDOC Conference, IEEE, 2020.
