Letteratura scientifica selezionata sul tema "Sécurité de la CI/CD"

Cette thèse explore les approches basées sur les données pour l'analyse automatique des causes profondes des échecs de construction dans les systèmes d'intégration continue et de déploiement continu (CI/CD), en se concentrant sur l'identification des échecs non déterministes, la localisation des messages de cause profonde dans les journaux de construction, et la caractérisation de la performance et de la sécurité des systèmes CI/CD. Basée sur des ensembles de données publics et industriels, nous explorons les propriétés des flux de travail CI/CD, telles que les temps d'exécution et les modèles d'échec. La recherche introduit l'utilisation du traitement du langage naturel (NLP) et des embeddings de graphes de connaissances (KGE) pour classifier les échecs de construction avec une précision de 94%. De plus, nous introduisons ChangeMyMind, une nouvelle méthode basée sur les réseaux neuronaux récurrents (RNNs) pour localiser avec précision les messages de cause profonde dans les journaux de construction sans étiquetage préalable des messages de cause profonde. Nous proposons X-Ray-TLS, une approche générique et transparente pour inspecter le trafic réseau chiffré TLS dans les environnements CI/CD. Enfin, la thèse revisite également les vulnérabilités de sécurité dans les systèmes CI/CD, démontrant le potentiel de compromissions à long terme indétectables. Ce travail a abouti à trois publications et deux soumissions en cours de révision, contribuant de manière significative à l'analyse et à l'optimisation des systèmes CI/CD<br>This thesis explores data-driven approaches for automated root cause analysis of CI/CD build failures, focusing on identifying non-deterministic failures, locating root cause messages in build logs, and characterizing CI/CD systems' performance and security. Grounded on public and industrial datasets, we explore CI/CD workflow properties, such as execution times and failure patterns. The research introduces the use of Natural Language Processing (NLP) and Knowledge Graphs Embeddings (KGE) for classifying build failures with a 94% accuracy. Additionally, we introduce ChangeMyMind, a new method based on Recurrent Neural Networks (RNNs) to accurately locate root cause messages in build logs without prior labeling of root cause messages. We propose X-Ray-TLS, a generic and transparent approach for inspecting TLS-encrypted network traffic in CI/CD environments. Finally, the thesis also revisits security vulnerabilities in CI/CD systems, demonstrating the potential for undetectable long-term compromises. This work has resulted in three publications and two under-review submissions, contributing significantly to CI/CD system analysis and optimization

The procedure of testing the implemented software is important and should be an essential and integrated part of the development process. In order for the testing to be meaningful it is important that the testing procedure ensures that the developed software meet certain requirements. The testing procure is often controlled by some sort of test specification. For many companies it is desirable to automate this procure. The focus of this thesis has been to automate a small subpart of the manual tests today performed related to SAAB:s air traffic management system. The automation has been achieved by studying the existing test specification which involves a lot of manual operations and to write software that mimics a few of these test cases. The thesis has resulted in a test framework which automates a small subset of the manual tests performed today. The framework has been designed to be scalable and to easily allow more test cases to be added by the personnel when time permits. The test framework has also been integrated with SAAB:s existing CI/CD workflow.

Multirepo model přístupu ke správě a verzování zdrojového kódu, jež zahrnuje použití mnoha oddělených repozitářů verzovacích systémů, je poslední dobou často zmiňován v odborné literatuře. Jednou z jeho nevýhod je množství zdlouhavých, nezajímavých a repetitivních úkonů, které je nutno provádět při hromadných operacích tvořících transakce napříč těmito repozitáři. Multirepo repozitáře navíc umožňují využití široké škály technologií, což jen umocňuje riziko lidské chyby, ke které při ručně prováděných hromadných operacích může dojít. V rámci této práce je navrženo, implementováno a otestováno řešení pro automatizaci operací prováděných napříč množstvím repozitářů uspořádaných v multirepo modelu, což s nimi uživatelům zlepšuje zkušenost.

Under VT 2019 ägde projektet rum varav denna rapport är ett av resultaten. Projektets mål var att skapa en CI/CD pipeline vars syfte var tänkt att frekvent kunna leverera färdigtestad kod till olika molntjänster som Google Cloud Platform, Amazon Web Services och Azure. Projektspecifikationerna gavs av företaget Skira för att skapa en snabbare integrationsprocess för nya utvecklare. Detta så en ny utvecklare skulle kunna lägga mer tid på att koda istället för att gräva ner sig i leverans-/testningsprocessen. Slutprodukten ger företag möjligheten att koda direkt på sitt utvecklingskluster.

Táto práca je prípadovou štúdiou postupného vývoja a nasadzovania lokačného softwaru v reálnom čase. Cieľom tejto práce je zrýchliť tento proces. Zvolený problém bol vyriešený s konvenčnými testovacími nastrojmi, vlastným nástrojom pre generovanie sieťovej prevádzky lokalizačnej platformy a nástrojmi CI/CD Gitlab. Prínosom tejto práce je zrýchlenie vývoja, zaručenie kvality vyvijaného softwaru a predstavenie spôsobu ako platformu pre lokalizáciu v reálnom čase testovať.

The focus of this study is on examining when employees in the IT industry experience that it is more favorable to use automated tests and manual tests, respectively. The purpose of this study is to investigate how different companies in practice, use, work with and think about the two different test methods. Four factors that influence the choice of test method have been developed as a workframe based on five articles, all of which discuss the requirements and criteria for the two different test methods. By conducting an interview study with semi-structured interviews, data has been retrieved from two different companies. The data has in turn been analyzed based on the four factors that have been developed, namely: the number of test cases/test runs, technical aspects, what functions that are to be tested and resources. Based on the analyzes, it has been clear that the opinions from the different respondents and from previous research often remain on the same track. Thus, the various criteria could be discussed and the motivation for when the respondents use each method could be outlined. However, it also becomes clear that in the end it is mainly resources, often the number of working hours and the monetary cost, that determines what practice of testing is to be used.<br>Denna studie riktar in sig på att undersöka när anställda inom IT-branschen upplever att det är mer gynnsamt att använda sig av automatiserade tester respektive manuella tester. Syftet med studien är att undersöka hur olika företag använder sig, arbetar med och ser på de två olika testmetoderna i praktiken. Fyra stycken faktorer som påverkar valet av testmetod har tagits fram som ramverk som är baserad på fem artiklar där samtliga diskuterar krav och kriterier för de två olika testmetoderna. Genom att utföra en intervjustudie med semi-strukturerade intervjuer har data samlats in från två olika företag. Den insamlade datan har i sin tur analyserats utifrån de olika faktorerna som tagits fram nämligen: Antalet testfall/testkörningar, tekniska aspekter, funktioner som ska testas samt resurser. Utifrån analysen har det varit tydligt att åsikterna från de olika respondenterna samt från tidigare forskning ofta är på samma spår. Därmed har de olika kriterierna kunnat diskuterats och motiveringarna till när respondenterna använder sig av respektive metod kunnat benas ut. Dock blir det också tydligt att i slutändan är det resurser, oftast antalet arbetstimmar och den monetära kostnaden, som styr vad som borde väljas.

L’azienda multinazionale Travelport Digital Ltd è una software house americana focalizzata sulle travel agencies che ha come obiettivo principale quello di semplificare la complessa industria dei trasporti e del turismo, fornendo servizi dedicati ai viaggiatori e ad organizzazioni terze. Il tirocinio di sei mesi presso la filiale di Dublino è stato speso lavorando in un Agile team e rivestendo il ruolo di Quality Assurance Engineer della componente Web frontend di un applicativo che aiuta le aziende a trovare le migliori opzioni di viaggio facendo scraping di voli, hotel, treni ed auto a noleggio. TripSource è un sistema di pianificazione e prenotazione unificata rivolto a business travellers che vogliono avere un itinerario dettagliato dei propri viaggi con update in tempo reale sullo stato dei mezzi prenotati. In particolare, mi sono occupato di svariate attività di sviluppo della test suite per l’applicativo TripSource: ho sviluppato test case per un progetto di User Interface Test Automation, migliorando la coverage della test suite end-to-end sulla componente grafica dell’applicativo Web; ho svolto attività di Manual Exploratory Testing sulle features appena terminate; ho contribuito alla scrittura di script per l’efficientamento della pipeline Continuous Integration e Continuous Delivery aziendale e per l’integrazione dei test automatici sviluppati. Per tutti i team di Travelport il testing e l’attenzione per la qualità sono componenti fondamentali del processo di sviluppo, ingredienti senza i quali il delivery non può avvenire. Il presente lavoro di tesi consiste quindi nello studio dell’attività di testing effettuata durante il periodo di tirocinio. In particolare si vuole approfondire design ed implementazione del progetto di Test Automation realizzato, fornendo anche una panoramica su come avviene l’integrazione del testing all’interno del complesso ciclo di sviluppo caratterizzante una realtà di business di dimensioni medio grandi.

Выпускная квалификационная работа 56 страниц, 19 рисунков, 11 источников, 8 приложений. Цель работы – разработка клиентской части веб-приложения «Мониторинг IT-конференций». В процессе работы был проведён анализ популярных фреймворков для веб-разработки, настроена интеграция с серверами CDN на базе сервиса Surge, создан Docker-образ с веб-приложением, настроена интеграция с GitHub Actions для CI/CD, настроен клиентский и серверный мониторинги на базе Sentry. В результате ВКР разработана клиентская часть на базе фреймворка Next.js для веб-приложения «Мониторинг IT-конференций».<br>Final qualification work 56 pages, 19 figures, 11 sources, 8 appendices. The purpose of the work is to develop the client part of the web application "Monitoring of IT conferences". In the process, we analyzed popular frameworks for web development, configured integration with CDN servers based on the Surge service, created a Docker image with a web application, configured integration with GitHub Actions for CI/CD, configured client and server monitoring based on Sentry. As a result of the final qualifying work, the client part was developed on the basis of the Next framework.js for the IT Conference Monitoring web application.

The amount of data being collected is increasing astronomically. Hence questions about privacy and data security are becoming more important than ever. A fast-changing culture is also reflected in the demands and requirements placed on software systems. Products and services need to evolve with the demands and feedback from customers to stay relevant on the market. Working methods and technologies have been refined to afford updating software continuously. However, rapidly changing software cause concern for the quality and level of security in the release. This thesis is a comprehensive literature study, reviewing the challenges of ensuring secure practises for continuously evolving software. The problem solved by the thesis is lack of an overall picture of the security concerns during continuous evolution. The findings are summarised in a checklist of areas of concern for security when maintaining and updating systems with continuous practises in cloud environments. This study shows that ensuring security, while delivering continuous releases, is a daunting task. It requires close collaboration between teams handling different aspects of software. This, in turn, entails a widening of competences to include knowledge about the work of other departments. It is concluded that personnel with this wide range of skill will be hard to acquire.<br>I en tid då mängden data som samlas in om individer ökar i ohindrad takt, blir frågor om integritet och informationssäkerhet viktigare än någonsin. Kraven på snabb utveckling och förändring präglar även metoderna för mjukvaruutveckling. Produkter och tjänster måste konstant anpassas efter kundernas önskemål för att förbli relevant på marknaden. Arbetssätt och teknologier har utvecklats över tid för att möjliggöra mjukvara som uppdateras kontinuerligt. Konstant föränderlig mjukvara leder dock till oro för kvalitén och säkerheten av uppdateringarna. Den här uppsatsen är en litteraturstudie som undersöker utmaningarna att säkerställa säkerhet för mjukvara som uppdateras kontinuerligt. Problemet som löses genom studien är den saknade helhetsbilden av säkerhetsproblem vid kontinuerligt föränderlig mjukvara. Resultatet sammanfattas i en checklista för områden som väcker oro för säkerheten vid arbetssätt som tillåter kontinuerliga uppdateringar i moln-miljöer. Studien visar att leverera säkra lösningar kontinuerligt är en svår uppgift. Det kräver nära samarbete mellan team som sköter olika delar av mjukvaruutveckling. Detta fordrar vida kompetenser som inkluderar förståelse av varandras arbete. Att finna personal med tillräckligt vida kompetenser uppskattas vara problematiskt.

This paper examines how adding security tools to a software pipeline affect the build time. Software development is an ever-changing field in a world where computers are trusted with almost everything society does. Meanwhile keeping build time low is crucial, and some aspects of quality assurance have therefore been left on the cutting room floor, security being one of the most vital and time-consuming. The time taken to scan for vulnerabilities has been suggested as a reason for the absence of security tests. By implementing nine different security tools into a generic DevOps pipeline, this paper aimed to examine the build times quantitatively.              The tools were selected using the OWASP Top Ten, coupled with an ISO standard, as a guideline. OWASP Juice Shop was used as the testing environment, and the scans managed to find most of the vulnerabilities in the Vulnerable Web Application. The pipeline was set up in Microsoft Azure and was configured in .yaml files. The resulting scan durations show that adding security measures to a build pipeline can add as little as 1/3 of the original build time.