Integrating DAST in Kanban and CI/CD: A Real World Security Case Study
It addresses the problem of balancing security with speed in Agile development for software organizations, but it is incremental as it focuses on a specific case study without broad SOTA claims.
This study tackled the challenge of integrating Dynamic Application Security Testing (DAST) into Kanban and CI/CD workflows to identify and mitigate security vulnerabilities in web application development, using an action research case study to explore challenges and best practices from developers' perspectives.
Modern development methodologies, such as Kanban and continuous integration and continuous deployment (CI/CD), are critical for web application development -- as software products must adapt to changing requirements and deploy products to users quickly. As web application attacks and exploited vulnerabilities are rising, it is increasingly crucial to integrate security into modern development practices. Yet, the iterative and incremental nature of these processes can clash with the sequential nature of security engineering. Thus, it is challenging to adopt security practices and activities in modern development practices. Dynamic Application Security Testing (DAST) is a security practice within software development frameworks that bolsters system security. This study delves into the intersection of Agile development and DAST, exploring how a software organization attempted to integrate DAST into their Kanban workflows and CI/CD pipelines to identify and mitigate security vulnerabilities within the development process. Through an action research case study incorporating interviews among team members, this research elucidates the challenges, mitigation techniques, and best practices associated with incorporating DAST into Agile methodologies from developers' perspectives. We provide insights into integrating security practices with modern development, ensuring both speed and security in software delivery.