Integrating Open-Source Dependency Scanning into Software Development Life Cycle

Karpoja, Otto (2024)

All rights reserved. This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
The permanent address of the publication is
https://urn.fi/URN:NBN:fi:amk-2024120231924
Abstract
Modern software development relies extensively on open-source third-party components and libraries, which introduce significant challenges in cataloging dependencies and mitigating security risks. The thesis was commissioned by a small and medium-sized enterprise (SME). The objective was to develop company-specific user documentation, best practices and framework templates for vulnerability, license and operational risk scanning. The theoretical framework consisted of best practices from service providers and white papers produced by government entities.

The development work was divided into three primary stages: development, testing, and production. During the development and testing phases, software composition analysis (SCA) focused on on-demand scanning and integration with software development tools. In the production phase, SCA aimed to notify software developers and security teams about previously unknown common vulnerabilities and exposures (CVEs).

The results of the development work included company-specific user documentation, best practice demonstration projects, and a framework template tailored for production environments. The user documentation covers the installation, usage and automation of on-demand SCA. The demonstration projects showcase the installation process and best practices for adopting SCA automation. The framework template for production environment SCA is the key result of the development work, serving as a baseline upon which customized solutions will be built according to individual project specifications.