Archive/Empirical Evaluation of a DevSecOps Proxy Pipeline for Multi-Tier Web Applications
Empirical Evaluation of a DevSecOps Proxy Pipeline for Multi-Tier Web Applications
Abderrahim Rida, Abdelaziz Bakhil, Ayoub Ait Lahcen
17 de julho de 2026
en

Abstract

The use of DevSecOps seeks to ensure that the functionality of securing software is incorporated throughout the software development life cycle, but the difference between the theoretical model and the empirically proven version, specifically for multi-tier web applications, remains wide. This research proposes the evaluation of a “proxy” DevSecOps pipeline, defined as an automated intermediary architecture that decouples intensive security scanning from the primary build flow to prevent bottlenecks. Designed specifically for multi-tier PHP-based web applications, the model leverages infrastructure as code (Terraform) and Static Application Security Testing (SAST) to ensure that security validation remains continuous without impeding the integration speed. This research utilized the Terraform model on the Amazon Web Services cloud platform, with three EC2 instances and Jenkins integration, and the use of many tools for the testing process, divided into the following experiments for DevSecOps functionality measurement: the first for the baseline efficiency process, the dynamic scaling process, the validation test for the fail-safe mechanism, and the accuracy process for the vulnerabilities’ detection. This research indicates that the process exhibited stability and consistency for the average execution times, which took 122.08 ± 1.69 s, and low values for the 5.04% additional cost for concurrent executions. The 100% activation process for the fail-safe mechanism for the injection of vulnerabilities indicates that the process took 41.82% of the total pipeline execution time, demonstrating that security validation is the most time-intensive part of the automated proxy workflow, and the low costs of 0.0047 dollars for the entire process, specifically for the infrastructure aspect. The false positives for the process were measured as 10–15%, and the low costs for the entire process, which took 0.56–0.58 s for the total process.

IPC Classification

G06

Keywords

empiricalevaluationdevsecopsproxypipelinemulti-tierapplicationsfutureinternetseeksensurefunctionalitysecuringsoftwareincorporatedthroughoutdevelopmentlifecycledifferencetheoreticalmodelempiricallyproven
Referencie esta publicação

€ 4.00