Submitted Proposals

DEI - FCTUC
Generated on 2024-11-24 12:21:10 (Europe/Lisbon).

Internship Title

Addressing Limitations of Dynamic Analysis Tools Restricting Their Usage in DevSecOps

Areas of Specialization

Software Engineering

Communications, Services and Infrastructures

Internship Location

DEI-SSE

Background

Efficient, rapid deployment cycles are essential in modern software development practice. However, the limitations of dynamic analysis tools (long analysis times, noisy results and difficult integration) often hinder their effectiveness, leading to delays and compromised code quality. This proposal aims to address the practical challenges posed by dynamic analysis tools and to develop hands-on approaches that enhance their usability in rapid deployment cycles.

This research will focus on practical investigations into the limitations of dynamic analysis tools that impact deployment speed and code quality. By conducting experiments and case studies, we will evaluate the accuracy, efficiency, and scalability of existing tools in automatically detecting vulnerabilities and ensuring reliable software releases. The research will also explore the challenges associated with integrating dynamic analysis tools into continuous integration and continuous deployment (CI/CD) pipelines.

Based on the findings, practical mitigation strategies will be developed to overcome the identified limitations. These strategies may involve optimizing tool configurations, developing custom rule sets, enhancing automation and tool integration, and leveraging parallelization techniques to handle large codebases efficiently.

Through this research, we aim to provide practical insights and solutions that empower software development teams to effectively utilize dynamic analysis tools within rapid deployment cycles. The outcomes of this research will help streamline the deployment process, reduce vulnerabilities, and improve the overall quality and security of software releases.

Objective

The primary learning objectives of this research are as follows:

• Gain practical knowledge of dynamic analysis tools and their limitations in the context of rapid deployment cycles.
• Acquire hands-on experience in evaluating the accuracy, efficiency, and scalability of static analysis tools.
• Develop practical skills in integrating dynamic analysis tools into CI/CD pipelines and optimizing their configurations.
• Explore practical strategies and techniques to mitigate the limitations of dynamic analysis tools and enhance their usability in rapid deployment cycles.
• Compare the use of static analysis tools with dynamic analysis tools when integrated into CI/CD pipelines.

Work Plan - Semester 1

T1. [09/09/2024 to 30/09/2024] Literature Review and Tool Familiarization.
During this initial phase, an extensive literature review will be conducted to understand the existing dynamic analysis tools, their capabilities, and limitations. Additionally, hands-on familiarization with selected tools will be undertaken to gain practical insights into their features and usage.

T2. [01/10/2024 to 31/10/2024] Evaluation of Tool Accuracy and Efficiency.
In this phase, experiments and case studies will be conducted to evaluate the accuracy and efficiency of dynamic analysis tools. Real-world codebases will be analyzed, and the tools' effectiveness in detecting vulnerabilities and producing reliable results will be assessed. Performance metrics, such as analysis time and false positive rates, will be measured to compare tool performance.

T3. [01/11/2024 to 30/11/2024] Integration of Tools in CI/CD Pipelines.
The focus of this phase will be on integrating dynamic analysis tools into CI/CD pipelines. Practical approaches for seamless tool integration will be explored, ensuring efficient and automated vulnerability detection during the deployment process. The integration process will be tested and validated using representative projects and pipeline setups.

T4. [01/12/2024 to 10/01/2025] Write the intermediate report.

Work Plan - Semester 2

T5. [11/01/2025 to 28/02/2025] Optimization and Customization of Tools.
In this hands-on phase, strategies for optimizing and customizing dynamic analysis tools will be developed. Configuration parameters, rule sets, and thresholds will be adjusted to enhance tool performance and reduce false positives. Practical guidelines and best practices for customization will be documented to facilitate efficient tool usage.

T6. [01/03/2025 to 30/04/2025] Development of Mitigation Strategies.
Based on the limitations identified and lessons learned, practical mitigation strategies will be developed. These strategies may include parallelization techniques, workflow enhancements, or the development of custom tool extensions. The effectiveness of these strategies will be evaluated through experiments and case studies.

T7. [01/05/2025 to 30/06/2025] Report and Documentation.
The final phase will involve documenting the research findings, methodologies, and practical recommendations. A comprehensive report summarizing the research outcomes, including the evaluation of tools, integration approaches, optimization techniques, and mitigation strategies, will be prepared. The report will also include hands-on guidelines for software development teams to apply the research findings in real-world scenarios.

Conditions

- You will have a position in the SSE Laprie Lab
- Computational infrastructure will be provided for the work

Remarks

Recommended Bibliography:
- Roshan N. Rajapakse, Mansooreh Zahedi, M. Ali Babar, Haifeng Shen, Challenges and solutions when adopting DevSecOps: A systematic review, Information and Software Technology, Volume 141, 2022, 106700, ISSN 0950-5849, https://doi.org/10.1016/j.infsof.2021.106700.

Supervisor

José Alexandre D'Abruzzo Pereira
josep@dei.uc.pt