SecDeviaS solution brings an automated secure software development process

The software development market has matured quickly, consolidating automation from the creation of code to its delivery through development pipelines: automated build and delivery solutions for the client. Security, however, remains a major concern. Since the beginning of the COVID-19 pandemic, attacks on software have grown sharply. Many teaching and research institutions, and small and medium-sized companies, lack the technical know-how to implement and maintain pipelines focused on code security, the so-called DevSecOps pipelines.

DevSecOps is a practice that combines software development, security, and operations into a single, more efficient and secure software development process. Security is built in from the beginning through automation, targeted testing and other practices that identify and address potential vulnerabilities before attackers can exploit them. The goal is a process in which security checks run as routinely as builds and tests, which reduces the risk of cyber-attacks and other security threats.

To address this gap, the SecDeviaS solution, developed by GT-DeviaS and selected by the RNP Advanced Services R&D Program in 2022, aims to provide, as a service, DevSecOps pipelines for any development team at universities, research centers, and companies, generating security reports that list the vulnerabilities found.

"These automated pipelines can be run at every code modification, preventing errors from being propagated to the production environment. In addition, the reports are generated in Portuguese, with great clarity and precision," explains Cesar Marcondes, GT-DeviaS coordinator. "Thus, it allows developers to fix and update the security problems found and, consequently, decrease the software's attack surface."

The MVP was developed as a SaaS (Software as a Service) platform, which can be fed in several ways: from the developer uploading a compressed file containing the code, to integrating the SecDeviaS automated pipeline directly into the team's preferred CI environment, GitLab or GitHub.

The MVP then performs vulnerability scanning on the submitted code by running several types of vulnerability scans, a holistic search for security issues. The tool delivers the report texts in a uniform format, classified by criticality and by type of vulnerability, and written in easy-to-understand Portuguese. The supported programming languages are the most common ones: Python, Java, JavaScript and Microsoft .NET. A dashboard was also developed so that the developer can see how vulnerabilities evolve over time and by type.
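The shape this paragraph describes, several scanners feeding one uniform report classified by criticality and type, plus a dashboard view over time, is also what a team building such a pipeline in-house has to write. The Python below is an added example, not SecDeviaS code (the page does not describe its internals): it normalizes two constructed scanner outputs, a SARIF-style result document and a Bandit-style JSON report, into one `Finding` schema, deduplicates the same issue reported by two tools, orders findings by criticality, counts them by type and severity for a dashboard, tracks those counts across runs, and exposes the pipeline gate that blocks a change while a high-severity finding remains. The severity mapping, the `Finding` schema, the tool name `sast-a`, the dates and all sample findings are assumptions.

```python
"""Uniform vulnerability report built from heterogeneous scanner output.

Added example; not SecDeviaS code. Both input documents are constructed
samples: a SARIF-style result (the interchange format many SAST tools emit)
and a Bandit-style JSON report. Schema, severity mapping and gate threshold
are assumptions.
"""
from collections import Counter
from dataclasses import dataclass

SARIF_SAMPLE = {  # constructed sample, SARIF-style
    "runs": [{
        "tool": {"driver": {"name": "sast-a"}},  # assumed tool name
        "results": [
            {"ruleId": "CWE-89", "level": "error",
             "message": {"text": "SQL query built by string concatenation"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "CWE-79", "level": "warning",
             "message": {"text": "Unescaped user input rendered in template"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/views.py"},
                 "region": {"startLine": 88}}}]},
            {"ruleId": "CWE-78", "level": "error",
             "message": {"text": "Shell command built from user input"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/run.py"},
                 "region": {"startLine": 17}}}]},
        ],
    }]
}

BANDIT_SAMPLE = {  # constructed sample, same shape as Bandit's -f json output
    "results": [
        {"test_id": "B602", "issue_severity": "HIGH", "issue_cwe": {"id": 78},
         "filename": "app/run.py", "line_number": 17,
         "issue_text": "subprocess call with shell=True identified"},
        {"test_id": "B303", "issue_severity": "MEDIUM", "issue_cwe": {"id": 327},
         "filename": "app/crypto.py", "line_number": 5,
         "issue_text": "Use of insecure MD5 hash function"},
    ]
}

# Uniform criticality scale (assumed); lower rank = more critical.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}
SARIF_LEVELS = {"error": "high", "warning": "medium", "note": "low", "none": "info"}


@dataclass(frozen=True)
class Finding:
    tool: str
    cwe: str        # vulnerability type, e.g. "CWE-89"
    severity: str   # one of SEVERITY_RANK
    file: str
    line: int
    message: str


def from_sarif(doc):
    """Map SARIF results to Findings (assumes ruleId carries the CWE id)."""
    out = []
    for run in doc["runs"]:
        tool = run["tool"]["driver"]["name"]
        for r in run["results"]:
            loc = r["locations"][0]["physicalLocation"]
            out.append(Finding(tool, r["ruleId"], SARIF_LEVELS[r.get("level", "warning")],
                               loc["artifactLocation"]["uri"], loc["region"]["startLine"],
                               r["message"]["text"]))
    return out


def from_bandit(doc):
    """Map Bandit-style results to Findings."""
    return [Finding("bandit", f"CWE-{r['issue_cwe']['id']}", r["issue_severity"].lower(),
                    r["filename"], r["line_number"], r["issue_text"])
            for r in doc["results"]]


def merge(*scanner_outputs):
    """Deduplicate on (type, file, line) across tools, keeping the most critical
    severity, then order by criticality, file and line."""
    best = {}
    for f in (f for out in scanner_outputs for f in out):
        key = (f.cwe, f.file, f.line)
        if key not in best or SEVERITY_RANK[f.severity] < SEVERITY_RANK[best[key].severity]:
            best[key] = f
    return sorted(best.values(), key=lambda f: (SEVERITY_RANK[f.severity], f.file, f.line))


def count_by(findings, field):
    """Counts per type ("cwe") or per severity: the numbers a dashboard plots."""
    return Counter(getattr(f, field) for f in findings)


def should_block(findings, threshold="high"):
    """Pipeline gate: fail the run if anything at or above threshold remains."""
    return any(SEVERITY_RANK[f.severity] <= SEVERITY_RANK[threshold] for f in findings)


def render(findings):
    """One uniform line per finding, most critical first."""
    return "\n".join(f"[{f.severity}] {f.cwe} {f.file}:{f.line} ({f.tool}): {f.message}"
                     for f in findings)


def trend(snapshots):
    """Severity counts per run, from [(date, findings), ...], for the time view."""
    return [(when, dict(count_by(fs, "severity"))) for when, fs in snapshots]


if __name__ == "__main__":
    report = merge(from_sarif(SARIF_SAMPLE), from_bandit(BANDIT_SAMPLE))
    print(render(report))
    print(dict(count_by(report, "cwe")), "block:", should_block(report))
```

With the two samples above, the CWE-78 hit reported by both tools collapses into one entry, the report lists the two high findings before the two medium ones, and `should_block` returns True, which is the signal a CI job would turn into a failed status on the merge request. Dropping the threshold to "critical" lets the same report through, so the threshold is the policy knob a team tunes per repository.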

Preliminary results show that the MVP, developed in SaaS mode, has several important code security features that customers are looking for. The validation of the MVP, as well as ways to make it economically viable, have been studied and will be put to the test with early adopters.

"During the development of the MVP, we held many meetings with entrepreneurs (from both Brazil and Portugal), directors of development teams (from private and public companies), university personnel, military personnel and developers of large RNP projects to try to find the right fit. And the results of the dialogues indicate interest," says Marcondes.

Future vision 

Soon, the SecDeviaS solution will widen its vulnerability-detection coverage by adding dynamic security tests (DAST) for the supported languages, other types of semantic search for vulnerabilities, and checks for software licensing issues. Finally, a new platform feature will be explored that applies deep learning to vulnerabilities together with interpretability, so as to show the programmer the exact place in the code where it is vulnerable.

According to the GT-DeviaS coordinator, machine learning models are like a "brain" that tries to learn about the world from a large set of examples, such as photos of animals of different species, uncovering the patterns that differentiate them. "And in the meantime, innovation in interpretability refers to the ability of the model to make assertive decisions. This interpretation is particularly important in deep learning models, which can be very complex and difficult to understand," he adds.

The project is a partnership between RNP, the Technological Institute of Aeronautics (ITA), the Brazilian Army, the Federal Institute of Education, Science and Technology of Tocantins (IFTO) and the startup Netconn.
