Integrating DAST in Kanban and CI/CD: A Real World Security Case Study

Arpit Thool, Chris Brown

TL;DR

The paper tackles the challenge of embedding Dynamic Application Security Testing (DAST) within Kanban and CI/CD workflows in a real-world web development team. It adopts an action research approach with two iterative tool experiments (ZAP followed by Burp Suite) and qualitative interviews to derive practical insights. Key contributions include empirical evidence on willingness, impact, and improvements for DAST in Agile environments, plus actionable recommendations on automation, dedicated security ownership, and better reporting. The study demonstrates that automated security testing can align with modern fast-paced development while enhancing perceived security, though it also highlights tooling limitations and the need for cultural change.

Abstract

Modern development methodologies, such as Kanban and continuous integration and continuous deployment (CI/CD), are critical for web application development, as software products must adapt to changing requirements and be deployed to users quickly. As web application attacks and exploited vulnerabilities are rising, it is increasingly crucial to integrate security into modern development practices. Yet, the iterative and incremental nature of these processes can clash with the sequential nature of security engineering, which makes adopting security practices and activities within modern development workflows challenging. Dynamic Application Security Testing (DAST) is a security practice within software development frameworks that bolsters system security. This study delves into the intersection of Agile development and DAST, exploring how a software organization attempted to integrate DAST into their Kanban workflows and CI/CD pipelines to identify and mitigate security vulnerabilities within the development process. Through an action research case study incorporating interviews among team members, this research elucidates the challenges, mitigation techniques, and best practices associated with incorporating DAST into Agile methodologies from developers' perspectives. We provide insights into integrating security practices with modern development, ensuring both speed and security in software delivery.

Paper Structure

This paper contains 42 sections, 3 tables.