International Journal of Advanced Research in Computer and Communication Engineering A monthly Peer-reviewed & Refereed journal
ISSN Online 2278-1021 | ISSN Print 2319-5940 | Since 2012
Volume 14, Issue 4, April 2025

Integrating Automated Security tools into the SDLC framework to improve Software Security.

Pravinkumar Jha, Anil Vasoya

DOI: 10.17148/IJARCCE.2025.14402

Abstract: Integrating security automation tools into the Software Development Life Cycle (SDLC) is important for enhancing security posture and establishing a Secure Software Development Lifecycle. We reviewed existing research papers and articles, identified gaps in them, and tried to reduce and mitigate those gaps with our proposed solution. Tools like SonarQube and Dependency-Check can be integrated with the CI/CD pipeline to help identify security vulnerabilities early in the software development lifecycle. GitHub is a source code management and version control tool that also helps automate the code merge and review process. The results of the scans are uploaded to DefectDojo, an open-source tool by OWASP, which serves as a central vulnerability management solution. The proposed solution helps achieve increased detection of vulnerabilities, a reduction in manual effort, and better collaboration between engineering teams and security teams. The goal of this research is to offer a solid framework for incorporating security automation into the SDLC, utilising the advantages of different tools to improve security procedures by facilitating early detection and lowering risk.

Keywords: DevSecOps, Security Automation, SAST, Secure SDLC, Security Integration, SonarQube, Continuous Security Assessment
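The pipeline step the abstract describes (scan in CI, then hand findings to a central tracker) can be sketched as a build gate. This is an added example, not code from the paper: the report layout follows Dependency-Check's JSON output as an assumption, the finding field names are assumed to suit a generic DefectDojo import, and the sample report and CVE identifiers are constructed placeholders.

```python
import json

# Constructed sample; assumed layout: dependencies[].vulnerabilities[].name/severity
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "libexample-1.2.jar", "vulnerabilities": [
            {"name": "CVE-0000-0001", "severity": "CRITICAL", "description": "constructed"},
            {"name": "CVE-0000-0002", "severity": "medium", "description": "constructed"},
        ]},
        {"fileName": "util-3.0.jar"},  # clean dependency: no "vulnerabilities" key
        {"fileName": "libexample-1.2.jar", "vulnerabilities": [  # reported twice
            {"name": "CVE-0000-0001", "severity": "CRITICAL", "description": "constructed"},
        ]},
    ]
})

RANK = {"Info": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

def normalise(sev):
    """Map scanner severities (any case, possibly missing) onto RANK keys."""
    sev = (sev or "").strip().capitalize()
    return sev if sev in RANK else "High"  # unknown severity: fail closed

def to_findings(report_text):
    """Flatten the report into de-duplicated finding dicts for the tracker."""
    seen, findings = set(), []
    for dep in json.loads(report_text).get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            key = (dep.get("fileName"), vuln.get("name"))
            if key in seen:
                continue
            seen.add(key)
            findings.append({
                "title": f"{vuln.get('name')} in {dep.get('fileName')}",
                "severity": normalise(vuln.get("severity")),
                "description": vuln.get("description", ""),
                "component_name": dep.get("fileName"),
            })
    return findings

def gate(findings, fail_at="High"):
    """Return (passed, blocking): the build fails if any finding >= fail_at."""
    blocking = [f for f in findings if RANK[f["severity"]] >= RANK[fail_at]]
    return (not blocking, blocking)

if __name__ == "__main__":
    passed, blocking = gate(to_findings(SAMPLE_REPORT))
    print(json.dumps({"blocking": blocking}, indent=2))
    raise SystemExit(0 if passed else 1)  # non-zero exit stops the CI job
```

The non-zero exit code is what makes the CI job fail, so the merge is blocked until the blocking findings are triaged.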

How to Cite:

[1] Pravinkumar Jha, Anil Vasoya, “Integrating Automated Security tools into the SDLC framework to improve Software Security,” International Journal of Advanced Research in Computer and Communication Engineering (IJARCCE), DOI: 10.17148/IJARCCE.2025.14402