Design and Implementation of a Software Security Dashboard for Continuous Integration Environments

Astract:

Continuous Integration (CI) practices constitute a promising possibility to build more secure software. Currently, there is no unified approach capable of effectively aggregating and communicating the results of dispersed security related data originating from various sources during the CI workflow. The thesis develops a first approach towards evaluating the degree of security of software being developed with CI. The research question focuses on how CI can be utilized to monitor and assess security of the software in development. This is addressed by designing and prototypically implementing a dashboard system. An initial literature review was conducted in order to develop an indicator system and dashboard concept, which was subsequently implemented.A dashboard concept with different layers of abstraction based on an adapted version of the Security Goal Indicator Trees [PJM08] indicator system was designed. The implemented system, named ”Ceres”, consists of a dashboard web application and a Jenkins plug-in. The system demonstrates how CI can be leveraged to automatically retrieve, evaluate and visualize heterogenous and dispersed security-related data derived from different lifecycle phases and software artifacts during development. This enables increased transparency regarding software security for development teams. However, limitations regarding the aggregation and abstraction of security goals and the proprietary effort necessary to implement good indicators need to be addressed in the future.