Authors: 刘羿希 (LIU Yixi); 何俊 (HE Jun); 吴波 (WU Bo); 刘丙童 (LIU Bingtong); 李子玉 (LI Ziyu) (College of Information and Communication, National University of Defense Technology, Wuhan Hubei 430000, China)
Source: 《计算机应用》 (Journal of Computer Applications), 2024, Issue 11, pp. 3470-3478 (9 pages)
Abstract: Software security testing is an important means for software vendors in the Internet era to improve software performance and resist network attacks. DevSecOps, the concept of integrating Security into the Development and Operations process, is a new-generation software development model that can identify potential threats to software, effectively evaluate software security, and keep software security risks within a controllable range. Taking the DevOps (Development and Operations) process as the starting point, the software security testing techniques involved in each stage of the DevOps development model were sorted out, including source code audit, fuzzing, vulnerability scanning, penetration testing, and security crowdsourced testing. Relevant literature from the last three years in well-known index databases such as SCI, EI, SCOPUS, CNKI, CSCD and WanFang was collected and analyzed, the research status of these techniques was summarized, and recommendations for the use of related testing tools were given. In view of the advantages and disadvantages of each supporting technique, the future development directions of the DevSecOps software development model were discussed.
Keywords: DevSecOps; software security testing; fuzzing; vulnerability scanning; penetration testing
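Classification number: TP393.07 [Automation and Computer Technology: Computer Application Technology]; TP311.52 [Automation and Computer Technology: Computer Science and Technology]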