Proposals with an identified student

DEI - FCTUC
Generated on 2025-07-17 15:23:31 (Europe/Lisbon).

Internship Title

Evaluating the CI server ability to deploy vulnerable applications in DevSecOps SDLC

Areas of Specialisation

Software Engineering

Internship Location

DEI-FCTUC

Background

Efficient rapid deployment cycles are essential in modern software development practices [1]. Most software development teams rely on Continuous Integration (CI) practices, in which source code is frequently pushed to a central repository, which triggers a build of the software and, where available, a run of the automated tests. For mature teams, the source code can also be released to a production environment [2], either manually (CDE – Continuous Delivery) or automatically (CD – Continuous Deployment).

CI practices are usually supported by CI server tools, such as Jenkins, GitHub Actions, GitLab CI, Atlassian Bamboo and Azure DevOps, among others. However, these tools can also have security issues, allowing applications to be deployed with software vulnerabilities [3]. In the DevSecOps SDLC (Software Development Lifecycle), where the development, security and operations teams work together, security checks such as Software Vulnerability Detection (SVD) tools (e.g. static code analysis tools and penetration testing tools) are usually implemented. However, they are not native to the CI servers.

The main objective of this research is to understand whether CI servers are prepared to stop the deployment of applications that are deliberately vulnerable (or at least to inform the software development team). In addition, different CI servers should be compared to understand which mechanisms each tool has natively available. Examples of deliberate weaknesses in web applications include software vulnerabilities (e.g., SQL Injection, Cross-site Scripting), the use of vulnerable components either in the software build (e.g., a vulnerable Log4J component) or in the environment (e.g., a vulnerable docker/podman image, or a vulnerable VM image started as part of an IaC (Infrastructure as Code) deployment). To do this, pipelines should be configured in the CI servers and vulnerable web applications should be added to them. Such applications should be either developed from scratch (for programming languages for which no deliberately insecure application exists) or reused/adapted from a known repository.
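As an added illustration (not code from the proposal or from the lab), the kind of pipeline the evaluation would configure: a GitLab CI pipeline that builds a containerised web application, scans its dependencies and the built image, and lets the deploy stage run only when both scans pass. Trivy as the SVD tool, the `aquasec/trivy` image and `deploy.sh` are assumptions; the `CI_*` variables are GitLab's predefined ones.

```yaml
# Added example, not part of the proposal: build, scan, then gate the deploy.
# Trivy is an assumed SVD tool choice; the proposal does not name one.
stages:
  - build
  - scan
  - deploy

variables:
  IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA"
  FAIL_ON: HIGH,CRITICAL          # severities that block the deployment

build-image:
  stage: build
  image: docker:24
  services:
    - docker:24-dind
  script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
    - docker build -t "$IMAGE" .
    - docker push "$IMAGE"

# Dependency scan: flags known-vulnerable components declared in the build
# (e.g. an outdated Log4J in pom.xml). --exit-code 1 fails the job on a hit.
scan-dependencies:
  stage: scan
  image:
    name: aquasec/trivy:latest
    entrypoint: [""]              # the image's default entrypoint is trivy itself
  script:
    - trivy fs --scanners vuln --severity "$FAIL_ON" --exit-code 1 --no-progress .
# Image scan: covers the OS packages and libraries inside the built container,
# i.e. the "vulnerable environment" case.
scan-image:
  stage: scan
  image:
    name: aquasec/trivy:latest
    entrypoint: [""]
  variables:
    TRIVY_USERNAME: $CI_REGISTRY_USER
    TRIVY_PASSWORD: $CI_REGISTRY_PASSWORD
  script:
    - trivy image --severity "$FAIL_ON" --exit-code 1 --no-progress "$IMAGE"
# Without the scan stage the CI server would push the vulnerable build straight
# to production; `needs` makes the gate explicit. deploy.sh is an assumed script.
deploy:
  stage: deploy
  needs: [scan-dependencies, scan-image]
  script:
    - ./deploy.sh "$IMAGE"
```

With the scan stage removed, the same pipeline deploys the deliberately vulnerable build without complaint, which is the baseline behaviour the study sets out to measure.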

Objective

The primary learning objectives of this research are as follows:
• Understand the complete SDLC of rapid deployment cycles.
• Acquire hands-on experience in configuring build/deployment pipelines in the context of DevSecOps.
• Gain practical knowledge in developing web applications and in configuring software security tools (e.g., static code analysis tools, penetration testing tools) within the SDLC.
• Compare and benchmark several CI servers (e.g., GitLab CI/CD, Azure DevOps, Jenkins, GitHub Actions).

The long-term research objective linked to this project is to evaluate security across all phases of the DevSecOps SDLC while applications are being developed.

Work Plan - Semester 1

T1. [09/09/2025 to 15/10/2025] Literature Review
During this initial phase, an extensive literature review will be conducted to understand the state of the art regarding the security mechanisms present in CI servers.

T2. [16/10/2025 to 31/10/2025] Web application review and design of insecure application
Review the existing insecure web applications (e.g., WebGoat, OWASP Juice Shop), and plan the changes for making them more insecure or develop a new one from scratch.

T3. [01/11/2025 to 31/10/2025] Tool Setup and Preliminary Evaluation
Select the available CI servers and SVD tools to be configured as part of the build/deployment pipeline.

T4. [01/12/2025 to 10/01/2026] Write the intermediate report

Work Plan - Semester 2

T5. [11/01/2026 to 28/02/2026] Develop deliberately vulnerable (web) applications
Such applications will be used to evaluate the ability of CI servers to identify security issues natively. The vulnerabilities can be in the source code (e.g., SQL Injection, Cross-site Scripting), in vulnerable components, or in vulnerable environments (docker/podman images, VM images).

T6. [01/03/2026 to 30/04/2026] Evaluate the CI servers with the vulnerable applications
The vulnerable applications should be deployed through the CI servers, and the servers should be evaluated on whether they deploy them or block them (e.g., by informing the team that the application is vulnerable).

T7. [01/05/2025 to 31/05/2025] Write a technical paper
Write a paper reporting the main findings of this research, for submission to a journal or conference.

T8. [01/06/2025 to 30/06/2025] Report and Documentation
The final phase will involve documenting the research findings, methodologies, and results. A comprehensive report summarizing the research outcomes, including the developed artifacts, will be prepared.

Conditions

- You will have a position in the SSE Laprie Lab
- Proposal in the scope of the CSLab (Cybersecurity Laboratory)
- Computational infrastructure will be provided for the work

Remarks

Recommended Bibliography:
[1] Roshan N. Rajapakse, Mansooreh Zahedi, M. Ali Babar, Haifeng Shen, "Challenges and solutions when adopting DevSecOps: A systematic review", Information and Software Technology, vol. 141, 2022, 106700, ISSN 0950-5849, https://doi.org/10.1016/j.infsof.2021.106700.
[2] Jez Humble, David Farley, "Continuous Delivery: Reliable Software Releases through Build, Test, and Deployment Automation", Addison-Wesley Signature Series (Fowler), 2010, ISBN-13: 978-0321601919.
[3] Daniel Krivelevich, Omer Gil, "OWASP Top 10 CI/CD Security Risks", https://owasp.org/www-project-top-10-ci-cd-security-risks/.

This work is co-supervised by João Campos.

Supervisor

José Alexandre D'Abruzzo Pereira
josep@dei.uc.pt