Journal of Computer Applications, 2024, Vol. 44, Issue (11): 3470-3478. DOI: 10.11772/j.issn.1001-9081.2023101531

• Cyber security •

Survey of software security testing techniques in DevSecOps

Yixi LIU, Jun HE, Bo WU, Bingtong LIU, Ziyu LI

  1. College of Information and Communication, National University of Defense Technology, Wuhan, Hubei 430000, China
  • Received: 2023-11-13; Revised: 2024-01-09; Accepted: 2024-01-12; Online: 2024-01-12; Published: 2024-11-10
  • Contact: Jun HE
  • About the authors: LIU Yixi, born in 1993, M.S. candidate. His research interests include network security.
    WU Bo, born in 1985, Ph.D., associate professor. His research interests include network security.
    LIU Bingtong, born in 1994, M.S. Her research interests include network simulation.
    LI Ziyu, born in 1989, M.S. candidate. His research interests include network security.

Survey of software security testing techniques in DevSecOps (Chinese-language version, translated)

刘羿希 (Yixi LIU), 何俊 (Jun HE), 吴波 (Bo WU), 刘丙童 (Bingtong LIU), 李子玉 (Ziyu LI)

  1. College of Information and Communication, National University of Defense Technology, Wuhan 430000
  • Corresponding author: 何俊 (Jun HE)
  • About the authors: 刘羿希 (LIU Yixi), born 1993, male, from Xiangyang, Hubei, M.S. candidate; main research interest: network security.
    吴波 (WU Bo), born 1985, male, from Zizhong, Sichuan, associate professor, Ph.D.; main research interest: network security.
    刘丙童 (LIU Bingtong), born 1994, female, from Jinan, Shandong, M.S.; main research interest: network simulation.
    李子玉 (LI Ziyu), born 1989, male, from Qingyuan, Hebei, M.S. candidate; main research interest: network security.

Abstract:

Software security testing technology has become an essential means for software developers in the Internet age to improve software performance and resist network attacks. DevSecOps (Development, Security and Operations), a new-generation software development pattern that integrates security and operations into development and maintenance, can identify the threats a piece of software may contain, evaluate its security effectively, and keep software security risks under control. Therefore, starting from the DevOps (Development and Operations) process, the software security testing techniques involved in each stage of DevOps are reviewed, including source code auditing, fuzzing, vulnerability scanning, penetration testing, and security crowdsourced testing. By collecting and analyzing the relevant technical literature of the last three years in well-known index databases such as SCI, EI, SCOPUS, CNKI, CSCD and WanFang, the research status of these techniques is summarized and recommendations for the use of the relevant testing tools are given. At the same time, in view of the advantages and disadvantages of each supporting technique, the future development directions of the DevSecOps software development pattern are outlined.

Key words: DevSecOps (Development, Security and Operations), software security testing, fuzzing, vulnerability scanning, penetration testing

Abstract (Chinese-language version, translated):

Software security testing technology is an important means for software developers in the Internet age to improve software performance and resist network attacks. DevSecOps, the concept of integrating security into the development and operations process, is a new-generation software development model that can identify the threats software may contain, evaluate software security effectively, and keep software security risks within a controllable range. Therefore, taking the DevOps (Development and Operations) process as the starting point, the software security testing techniques involved in each stage of the DevOps software development model are sorted out, including source code auditing, fuzzing, vulnerability scanning, penetration testing, and security crowdsourced testing; the relevant literature of the last three years in well-known index databases such as SCI, EI, SCOPUS, CNKI, CSCD and WanFang is collected and analyzed, the research status of the above techniques is summarized, and recommendations on the use of the relevant testing tools are given; at the same time, in view of the advantages and disadvantages of each supporting technique, the future development directions of the DevSecOps software development model are discussed.

Keywords: DevSecOps, software security testing, fuzzing, vulnerability scanning, penetration testing
