Everyone who has ever written code knows that it is nearly impossible to develop software without making mistakes. Some bugs are harmless and affect an application's functionality only slightly; others have severe consequences, such as data loss or a compromised system. Because of constraints in time and knowledge, developers often cannot detect and fix all critical vulnerabilities themselves. To support software engineers in writing and deploying robust systems, many secure coding approaches have been developed over the past years. All of them can be integrated into a CI/CD pipeline so that code is audited automatically whenever developers push their changes; this automation is also a core aspect of the DevSecOps philosophy.
… explained by Prof. Dr. Viet Nguyeng, a colleague at TH Köln who has considerable experience in DevSecOps and will supervise this topic.
The objective of this topic is to study the secure coding tools available in GitLab, such as dynamic application security testing (DAST), static application security testing (SAST), software composition analysis (SCA), fuzzing, and container scanning.
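As an added illustration (not part of the topic description), this is the kind of GitLab pipeline configuration those scanners plug into; the template paths and variable names are GitLab's documented ones, while the image tag and the target URL are placeholders.

```yaml
# Added illustration: a minimal .gitlab-ci.yml that wires GitLab's built-in
# scanners into a pipeline so every push is audited. Template paths and
# variable names are GitLab's documented ones; the target URL is a placeholder.
stages:
  - build
  - test   # SAST, secret detection, dependency scanning, container scanning
  - dast   # DAST runs once a deployed review instance is reachable

include:
  - template: Security/SAST.gitlab-ci.yml                 # static analysis of source
  - template: Security/Secret-Detection.gitlab-ci.yml     # leaked credentials in the repo
  - template: Security/Dependency-Scanning.gitlab-ci.yml  # SCA: known-vulnerable packages
  - template: Security/Container-Scanning.gitlab-ci.yml   # OS/package CVEs in the image
  - template: Security/DAST.gitlab-ci.yml                 # black-box scan of the running app
  # Coverage-guided fuzzing has its own template (Security/Coverage-Fuzzing.gitlab-ci.yml),
  # but it needs a project-specific job that builds and runs a fuzz target, so it is omitted here.

variables:
  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"   # skip test fixtures that cause false positives
  CS_IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"   # image built below, scanned by container scanning
  DAST_WEBSITE: "https://review.example.invalid"  # placeholder: URL of the deployed review app
  SECURE_LOG_LEVEL: "info"

# Build and push the application image so container scanning has something to analyse.
# Assumes a Dockerfile at the repository root and a runner that can use Docker-in-Docker.
build_image:
  stage: build
  image: docker:24
  services:
    - docker:24-dind
  script:
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker build -t "$CS_IMAGE" .
    - docker push "$CS_IMAGE"
```

By default these jobs publish their findings as security report artifacts (shown in the merge request widget and the project's vulnerability report) rather than failing the pipeline, so a team still has to decide which severities block a merge.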
Research questions for this topic might include: