Integrating SonarQube and IBM AppScan into Enterprise CI/CD Pipelines: A Vulnerability Mitigation Framework Achieving Over Eighty Percent Risk Reduction

Authors

  • Sri Gantikota, Senior Software Engineer, San Diego, California 92101, USA.

DOI:

https://doi.org/10.63282/3050-9246.IJETCSIT-V4I3P124

Keywords:

SonarQube, IBM AppScan, SAST, DAST, CI/CD, Continuous Integration, Vulnerability Management, OWASP Top Ten, Secure Software Development Lifecycle, Healthcare Software, Jenkins, Bamboo, GitHub Actions

Abstract

Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) have become standard expectations in enterprise software delivery. Both classes of tooling are widely available, but integrating them into a continuous integration and continuous delivery pipeline in a way that materially reduces production risk requires more than installing the tools. This paper describes a vulnerability mitigation framework deployed across multiple healthcare software products that combines SonarQube for static analysis and IBM AppScan for dynamic and interactive analysis. The framework was deployed in a setting in which the security team needed to demonstrate a measurable reduction in identified risk against the Open Web Application Security Project (OWASP) Top Ten. Over the course of the deployment, triage and remediation of the scan results reduced the identified risk by more than eighty percent. The contribution of the paper is not the tools themselves but the integration patterns that made them effective: quality gates tied to finding severity, pull-request feedback that developers actually read, triage discipline that separated true positives from false positives quickly, and a tracking model that connected each finding through to its remediation. The paper covers the architecture, the integration with Jenkins, Bamboo, and GitHub Actions, and the operational discipline that preserved developer trust in the framework over time. It closes with a discussion of how the framework supports compliance with the Health Insurance Portability and Accountability Act (HIPAA) and other regulatory frameworks that require demonstrable security controls.
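The abstract names three mechanisms without showing them: a quality gate tied to severity, triage that keeps false positives out of the gate without deleting them, and a risk metric that connects baseline findings to their remediation. The following Python is an added illustration of how those three fit together, not code from the paper. The SonarQube records follow the field names of its /api/issues/search response (key, type, severity, status, resolution); the AppScan rows use a hypothetical normalised export whose field names (Id, Severity, Status) are assumed; the gate policy and all sample findings are constructed.

```python
"""Severity-tiered quality gate over combined SonarQube (SAST) and AppScan (DAST)
findings, with triage-aware risk accounting.

Added illustration; this is not code from the paper. SonarQube records follow
the field names of its /api/issues/search response (key, type, severity, status,
resolution). The AppScan rows use a hypothetical normalised export (Id, Severity,
Status); those field names are assumed. All sample data below is constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Weight per severity on SonarQube's classic scale; drives both the gate and the metric.
SEVERITY_RANK = {"BLOCKER": 5, "CRITICAL": 4, "MAJOR": 3, "MINOR": 2, "INFO": 1}

# Assumed mapping of AppScan's High/Medium/Low/Informational onto that scale.
APPSCAN_SEVERITY = {"High": "CRITICAL", "Medium": "MAJOR", "Low": "MINOR", "Informational": "INFO"}

# Hypothetical gate policy tied to severity: one open finding at or above CRITICAL
# blocks the build; more than MAX_MAJOR open MAJOR findings blocks it as well.
FAIL_AT_OR_ABOVE = "CRITICAL"
MAX_MAJOR = 3

# A finding that triage has resolved (fixed, false positive, won't fix) is no longer
# open, but it stays in the data set so the gate decision remains auditable.
CLOSED_STATUSES = {"RESOLVED", "CLOSED"}


@dataclass(frozen=True)
class Finding:
    key: str
    tool: str
    severity: str
    status: str
    resolution: Optional[str]  # FIXED, FALSE-POSITIVE, WONTFIX, or None while open

    @property
    def is_open(self) -> bool:
        return self.status not in CLOSED_STATUSES

    @property
    def weight(self) -> int:
        return SEVERITY_RANK[self.severity]


def from_sonar(payload: dict) -> list:
    """Keep only VULNERABILITY issues; code smells and bugs never enter the security gate."""
    return [Finding(i["key"], "sonarqube", i["severity"], i["status"], i.get("resolution"))
            for i in payload["issues"] if i["type"] == "VULNERABILITY"]


def from_appscan(rows: list) -> list:
    """Normalise the assumed AppScan rows onto the same model as the SonarQube issues."""
    resolution = {"Fixed": "FIXED", "Noise": "FALSE-POSITIVE"}
    return [Finding(r["Id"], "appscan", APPSCAN_SEVERITY[r["Severity"]],
                    "RESOLVED" if r["Status"] in resolution else "OPEN", resolution.get(r["Status"]))
            for r in rows]


def evaluate_gate(findings: list):
    """Return (passed, reasons). Only open findings can block; triaged ones do not."""
    open_findings = [f for f in findings if f.is_open]
    reasons = [f"{f.tool}:{f.key} is open at {f.severity}"
               for f in open_findings if f.weight >= SEVERITY_RANK[FAIL_AT_OR_ABOVE]]
    majors = sum(1 for f in open_findings if f.severity == "MAJOR")
    if majors > MAX_MAJOR:
        reasons.append(f"{majors} open MAJOR findings exceed the cap of {MAX_MAJOR}")
    return not reasons, reasons


def open_risk(findings: list) -> int:
    """Severity-weighted sum of everything still open."""
    return sum(f.weight for f in findings if f.is_open)


def risk_reduction_pct(baseline: list, current: list) -> float:
    """Share of the baseline's weighted open risk that has been eliminated."""
    before = open_risk(baseline)
    return 0.0 if before == 0 else round(100.0 * (before - open_risk(current)) / before, 1)


def report(baseline: list, current: list) -> dict:
    passed, reasons = evaluate_gate(current)
    return {"passed": passed, "reasons": reasons,
            "reduction_pct": risk_reduction_pct(baseline, current)}


# Constructed sample data: one product, three points in time.
def _sonar(key, sev, status="OPEN", resolution=None, kind="VULNERABILITY"):
    return {"key": key, "type": kind, "severity": sev, "status": status, "resolution": resolution}

BASELINE = from_sonar({"issues": [
    _sonar("k1", "BLOCKER"), _sonar("k2", "CRITICAL"), _sonar("k3", "CRITICAL"),
    _sonar("k4", "MAJOR"), _sonar("k5", "MINOR"),
    _sonar("k6", "BLOCKER", kind="CODE_SMELL"),   # excluded: not a security finding
]}) + from_appscan([{"Id": "d1", "Severity": "High", "Status": "Open"},
                    {"Id": "d2", "Severity": "Medium", "Status": "Open"}])

MID = from_sonar({"issues": [
    _sonar("k1", "BLOCKER", "RESOLVED", "FIXED"),
    _sonar("k2", "CRITICAL", "RESOLVED", "FALSE-POSITIVE"),  # triaged, stays on record
    _sonar("k3", "CRITICAL", "CONFIRMED"),                   # confirmed true positive, unfixed
    _sonar("k4", "MAJOR", "RESOLVED", "FIXED"), _sonar("k5", "MINOR"),
]}) + from_appscan([{"Id": "d1", "Severity": "High", "Status": "Fixed"},
                    {"Id": "d2", "Severity": "Medium", "Status": "Open"}])

FINAL = from_sonar({"issues": [
    _sonar("k1", "BLOCKER", "RESOLVED", "FIXED"),
    _sonar("k2", "CRITICAL", "RESOLVED", "FALSE-POSITIVE"),
    _sonar("k3", "CRITICAL", "RESOLVED", "FIXED"),
    _sonar("k4", "MAJOR", "RESOLVED", "FIXED"),
    _sonar("k5", "MINOR", "RESOLVED", "FIXED"),
]}) + from_appscan([{"Id": "d1", "Severity": "High", "Status": "Fixed"},
                    {"Id": "d2", "Severity": "Medium", "Status": "Open"}])

if __name__ == "__main__":
    for name, snapshot in (("mid", MID), ("final", FINAL)):
        print(name, report(BASELINE, snapshot))
```

Two design points matter in practice. The gate never reads a finding that triage has resolved, so a developer who marks a false positive gets an unblocked build immediately, but the record is kept and the resolution is visible in the audit trail; a gate that simply deletes disputed findings loses exactly the evidence a HIPAA or SOC 2 assessor will ask for. And the reduction metric is weighted by severity rather than counted per finding, so fixing the single BLOCKER in the sample moves the number more than closing several MINOR items, which keeps the headline percentage honest about where the risk actually was.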



Published

2023-09-30

Section

Articles

How to Cite

Gantikota S. Integrating SonarQube and IBM AppScan into Enterprise CI/CD Pipelines: A Vulnerability Mitigation Framework Achieving Over Eighty Percent Risk Reduction. IJETCSIT [Internet]. 2023 Sep. 30 [cited 2026 May 27];4(3):240-4. Available from: https://www.ijetcsit.org/index.php/ijetcsit/article/view/724
