Introduction
Application security is a living process that must be addressed continuously throughout the application lifecycle. This requires security assessments at every phase of the Software Development Lifecycle (SDLC). The idea is that whenever new code is merged into the repository, security tests are run, either locally or globally, to verify the security of the software application.
Since a completely automated security evaluation service is not offered on commercial or open source platforms, we are going to create a web-based Continuous Authorization Service (CAS) that automates the whole security testing process. The CAS system lets users customize their security testing preferences and extracts the security issues they care about from the reports of multiple automated static testing tools, so users do not need to read through every testing report or configure every testing tool themselves.
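The extraction step described above, aggregating findings from several static testing tools and keeping only what the user's preferences ask for, is sketched below as an added example; it is not CAS's own code. The two tool output layouts, the tool names, the sample findings and the preference keys (`min_severity`, `ignore_rules`, `ignore_paths`) are all constructed assumptions for illustration.

```python
"""Aggregate findings from several static-analysis tools and keep only the
ones matching a user's preferences: an illustration of the extraction step
described above. Tool names, output layouts and preference keys are
constructed assumptions, not CAS's own formats."""
from dataclasses import dataclass, replace
import json

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    rule: str        # normalized rule id (lowercase)
    severity: str    # one of SEVERITY_RANK
    file: str
    line: int
    message: str
    tools: tuple     # tools that reported this finding

    def key(self):
        # The same file, line and rule from different tools is one issue.
        return (self.file, self.line, self.rule)


# Constructed sample output in an assumed "tool A" layout (nested dicts).
TOOL_A_OUTPUT = json.dumps({"results": [
    {"check_id": "SQL-Injection", "level": "high", "path": "app/db.py",
     "start": {"line": 42}, "msg": "query built by string concatenation"},
    {"check_id": "Debug-Enabled", "level": "low", "path": "app/settings.py",
     "start": {"line": 7}, "msg": "DEBUG is set to True"},
]})

# Constructed sample output in an assumed "tool B" layout (flat list).
TOOL_B_OUTPUT = json.dumps([
    {"rule_id": "sql-injection", "severity": "critical", "filename": "app/db.py",
     "line_number": 42, "issue_text": "possible SQL injection"},
    {"rule_id": "hardcoded-password", "severity": "medium", "filename": "app/auth.py",
     "line_number": 15, "issue_text": "hard-coded credential"},
])


def parse_tool_a(raw):
    """Translate tool A's nested JSON into Finding objects."""
    return [Finding(r["check_id"].lower(), r["level"].lower(), r["path"],
                    r["start"]["line"], r["msg"], ("tool_a",))
            for r in json.loads(raw)["results"]]


def parse_tool_b(raw):
    """Translate tool B's flat JSON list into Finding objects."""
    return [Finding(r["rule_id"].lower(), r["severity"].lower(), r["filename"],
                    r["line_number"], r["issue_text"], ("tool_b",))
            for r in json.loads(raw)]


def aggregate(findings):
    """Merge duplicates across tools, keeping the highest severity reported
    and recording every tool that agreed; most severe first."""
    merged = {}
    for f in findings:
        k = f.key()
        if k not in merged:
            merged[k] = f
            continue
        cur = merged[k]
        sev = max(cur.severity, f.severity, key=SEVERITY_RANK.__getitem__)
        merged[k] = replace(cur, severity=sev,
                            tools=tuple(sorted(set(cur.tools + f.tools))))
    return sorted(merged.values(), key=lambda f: -SEVERITY_RANK[f.severity])


def filter_by_preferences(findings, prefs):
    """Apply the user's preferences: minimum severity, ignored rules and
    ignored path prefixes (all assumed preference keys)."""
    min_rank = SEVERITY_RANK[prefs.get("min_severity", "low")]
    ignored_rules = {r.lower() for r in prefs.get("ignore_rules", [])}
    ignored_paths = tuple(prefs.get("ignore_paths", []))
    return [f for f in findings
            if SEVERITY_RANK[f.severity] >= min_rank
            and f.rule not in ignored_rules
            and not f.file.startswith(ignored_paths)]


def report(prefs):
    """Full pipeline over the constructed sample outputs."""
    findings = parse_tool_a(TOOL_A_OUTPUT) + parse_tool_b(TOOL_B_OUTPUT)
    return filter_by_preferences(aggregate(findings), prefs)


if __name__ == "__main__":
    for f in report({"min_severity": "medium", "ignore_rules": ["debug-enabled"]}):
        print(f"{f.severity:<8} {f.file}:{f.line} {f.rule} "
              f"(reported by {', '.join(f.tools)})")
```

Deduplicating on file, line and normalized rule id is what lets a user see one issue rather than one entry per tool, and keeping the highest severity any tool assigned avoids a lenient tool hiding a finding a stricter one rated critical; in a real service the per-tool parsers would be the pluggable part.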
In addition to the CAS web service, a plugin that integrates CAS with continuous integration (CI) tools will also be part of the final deliverables. During the development stage, the primary CI tool to integrate with will be Jenkins. In the future, CAS aims to support more CI tools, such as TeamCity, Travis CI and Bamboo.