Automating Vulnerability Remediation: A Continuous SAST and FOSS Integration Framework for Production Support Pipelines
DOI: https://doi.org/10.15662/IJEETR.2024.0602014

Keywords: SAST, FOSS, Software Composition Analysis, DevSecOps, Vulnerability Remediation, CI/CD, Production Support, Application Security, Technical Debt, Compliance Automation

Abstract
Financial institutions increasingly rely on a range of critical foundational applications to support core operations. This has in turn raised a problem: how to manage a growing number of software vulnerabilities, especially those introduced by code written in-house. Application code is scanned with Static Application Security Testing (SAST) tools, and the free and open-source libraries it depends on are scanned with Free and Open-Source Software (FOSS) analysis of their releases.
This paper develops a working model for incorporating SAST and FOSS vulnerability scanning into application production support processes.
This study presents the design, execution and results of embedding a security automation project within day-to-day operational support processes. The scope covers artifact scanning and risk-based bucketing, along with automated ticketing and iterative feedback loops for developer support and delivery, all while maintaining the operational continuity of the applications. The core improvements are a 40% faster average mitigation of vulnerabilities, a 65% reduction in the number of open high-severity findings, and the integrity of the procedure under in-depth customer audits. The study outlines how organizations can adopt a framework for continuous security hygiene, especially in such environments.
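One way to realise the scan-to-ticket path the abstract describes (normalizing SAST and FOSS findings, risk-based bucketing with remediation SLAs, and ticket creation that does not re-open duplicates on rescans), as an added Python example that is not part of the paper. The scanner record shapes, the SLA policy, the vulnerability ids and the sample findings are all constructed for illustration.

```python
"""Added example (not the paper's code): normalize SAST and FOSS/SCA findings,
deduplicate them by a stable fingerprint, bucket them by risk, and emit ticket payloads."""
import hashlib
from dataclasses import dataclass

# Risk buckets: severity -> (priority label, remediation SLA in days). Constructed policy.
SLA_DAYS = {"critical": ("P1", 7), "high": ("P2", 30), "medium": ("P3", 90), "low": ("P4", 180)}

@dataclass(frozen=True)
class Finding:
    source: str         # "sast" (in-house code) or "sca" (open-source dependency)
    severity: str
    locator: str        # file:line for SAST, package@version for SCA
    rule: str           # SAST rule id or vulnerability id
    fix_available: bool

    def fingerprint(self) -> str:
        # Stable across rescans: depends only on what was found, not when or in which order.
        return hashlib.sha256(f"{self.source}|{self.rule}|{self.locator}".encode()).hexdigest()[:16]

def normalize(sast_raw, sca_raw):
    """Map two scanners' differently shaped records onto one Finding type."""
    findings = [Finding("sast", f["severity"].lower(), f"{f['file']}:{f['line']}", f["rule_id"], True)
                for f in sast_raw]
    findings += [Finding("sca", f["severity"].lower(), f"{f['package']}@{f['version']}", f["vuln_id"],
                         f.get("fixed_in") is not None) for f in sca_raw]
    return findings

def bucket(finding: Finding) -> dict:
    priority, days = SLA_DAYS.get(finding.severity, ("P4", 180))
    # A vulnerable dependency with no upstream fix is still ticketed but flagged, so the
    # owning team plans a mitigation instead of waiting for a version bump.
    return {"priority": priority, "sla_days": days, "needs_workaround": not finding.fix_available}

def build_tickets(findings, already_open):
    """Return (new ticket payloads sorted P1 first, count of suppressed duplicates)."""
    tickets, suppressed, seen = [], 0, set()
    for f in findings:
        fp = f.fingerprint()
        if fp in already_open or fp in seen:   # already ticketed, or repeated within this scan
            suppressed += 1
            continue
        seen.add(fp)
        tickets.append({"fingerprint": fp, "title": f"{f.rule} in {f.locator}", **bucket(f)})
    return sorted(tickets, key=lambda t: t["priority"]), suppressed

# Constructed sample scanner output (the second SAST record is a deliberate duplicate).
SAST_SAMPLE = [{"rule_id": "CWE-89", "severity": "High", "file": "src/db.py", "line": 42}] * 2
SCA_SAMPLE = [{"vuln_id": "VULN-PLACEHOLDER-1", "severity": "Critical", "package": "libfoo", "version": "1.2.0", "fixed_in": "1.2.1"},
              {"vuln_id": "VULN-PLACEHOLDER-2", "severity": "Medium", "package": "libbar", "version": "0.9", "fixed_in": None}]
```

Feeding the fingerprints of tickets that are still open back into `build_tickets` on the next scan is what keeps the feedback loop from flooding developers with repeat tickets.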