Luís Prates,Rúben Pereira

DOI: https://doi.org/10.1007/s10207-024-00914-z

2024-11-06

International Journal of Information Security

Abstract:Nowadays, software development happens at a fast pace. At the same time, Information Technology organizations face higher demands and competition while struggling with external threats such as cyberattacks. Therefore, many organizations adopt DevOps as a working culture to improve their Software Development Lifecycle (SDL). However, the success of DevOps adoption remains inconsistent, and recently, IEEE introduced a DevOps standard that might help improve DevOps adoption. The standard mentions DevSecOps as the security aspect of DevOps, adding security practices to the SDL from inception, but what are these practices or capabilities? Which tools can be used to implement these practices? Therefore, a Multivocal Literature Review was performed to identify DevSecOps practices and their definitions, and which tools can be used to implement them.

computer science, information systems, theory & methods, software engineering

Xin Zhou,Runfeng Mao,He Zhang,Qiming Dai,Huang,Haifeng Shen,Jingyue Li,Guoping Rong

DOI: https://doi.org/10.1049/sfw2.12132

2023-01-01

IET Software

Abstract:By adopting agile and lean practices, DevOps aims to achieve rapid value delivery by speeding up development and deployment cycles, which however lead to more security concerns that cannot be fully addressed by an isolated security role only in the final stage of development. DevSecOps promotes security as a shared responsibility integrated into the DevOps process that seamlessly intertwines development, operations, and security from the start throughout to the end of cycles. While some companies have already begun to embrace this new strategy, both industry and academia are still seeking a common understanding of the DevSecOps movement. The goal of this study is to report the state-of-the-practice of DevSecOps, including the impact of DevOps on security, practitioners' understanding of DevSecOps, and the practices associated with DevSecOps as well as the challenges of implementing DevSecOps. The authors used a mixed-methods approach for this research. The authors carried out a grey literature review on DevSecOps, and surveyed the practitioners of DevSecOps in industry of China. The status quo of DevSecOps in industry is summarized. Three major software security risks are identified with DevOps, where the establishment of DevOps pipeline provides opportunities for security-related activities. The authors classify the interpretations of DevSecOps into three core aspects of DevSecOps capabilities, cultural enablers, and technological enablers. To materialise the interpretations into daily software production activities, the recommended DevSecOps practices from three perspectives-people, process, and technology. Although a preliminary consensus is that DevSecOps is regarded as an extension of DevOps, there is a debate on whether DevSecOps is a superfluous term. While DevSecOps is attracting an increasing attention by industry, it is still in its infancy and more effort needs to be invested to promote it in both research and industry communities.

Runfeng Mao,He Zhang,Qiming Dai,Huang,Guoping Rong,Haifeng Shen,Lianping Chen,Kaixiang Lu

DOI: https://doi.org/10.1109/qrs51102.2020.00064

2020-01-01

Abstract:Context: Emerging from the agile culture, DevOps particularly emphasizes development and deployment speed to achieve rapid value delivery, which however brings some security risks to the software development process. DevSecOps is an extension of DevOps, which is considered as a means to intertwine development, operation and security. Some companies with security concerns begin to take DevSecOps into consideration when it comes to the application of DevOps. Objective: The goal of this study is to report the state-of-the-practice of DevSecOps as well as calling for academia to pay more attention to DevSecOps. Method: Using Google search engine to collect articles on DevSecOps, we conducted a Grey Literature Review (GLR) on the selected articles. Results: Whilst there exists three major software security risks in DevOps, the establishment of DevOps pipeline provides opportunities for software security activities. Based on the preliminary consensus that DevSecOps is an extension of DevOps, it is observed that the interpretations of DevSecOps can be classified into three core aspects, which are: DevSecOps capabilities, cultural enablers, and technological enablers. Furthermore, to materialize the interpretations into daily software production activities, the recommended DevSecOps practices we obtain from Grey Literature (GL) can be categorized in terms of process, infrastructure and collaboration. Conclusion: Although DevSecOps is getting increasing attention by industry, it is still in its infancy and needs to be promoted by both academia and industry.

Ricardo M. Czekster

2024-09-05

Abstract:DevOps (development and operations), has significantly changed the way to overcome deficiencies for delivering high-quality software to production environments. Past years witnessed an increased interest in embedding DevOps with cybersecurity in an approach dubbed secure DevOps. However, as the practices and guidance mature, teams must consider them within a broader risk context. We argue here how secure DevOps could profit from engaging with risk related activities within organisations. We focus on combining Risk Assessment (RA), particularly Threat Modelling (TM) and apply security considerations early in the software life-cycle. Our contribution provides a roadmap for enacting secure DevOps alongside risk objectives, devising informed ways to improve TM and establishing effective security underpinnings in organisations focusing on software products and services. We aim to outline proven methods over the literature on the subject discussing case studies, technologies, and tools. It presents a case study for a real-world inspired organisation employing the proposed approach with a discussion. Enforcing these novel mechanisms centred on security requires investment, training, and stakeholder engagement. It requires understanding the actual benefits of automation in light of Continuous Integration/Continuous Delivery settings that improve the overall quality of software solutions reaching the market.

Software Engineering,Cryptography and Security

Fabiola Moyón Constante,Rafael Soares,Maria Pinto-Albuquerque,Daniel Méndez,Kristian Beckers

DOI: https://doi.org/10.1007/978-3-030-64148-1_27

2021-05-27

Abstract:In the last decade, companies adopted DevOps as a fast path to deliver software products according to customer expectations, with well aligned teams and in continuous cycles. As a basic practice, DevOps relies on pipelines that simulate factory swim-lanes. The more automation in the pipeline, the shorter a lead time is supposed to be. However, applying DevOps is challenging, particularly for industrial control systems (ICS) that support critical infrastructures and that must obey to rigorous requirements from security regulations and standards. Current research on security compliant DevOps presents open gaps for this particular domain and in general for systematic application of security standards. In this paper, we present a systematic approach to integrate standard-based security activities into DevOps pipelines and highlight their automation potential. Our intention is to share our experiences and help practitioners to overcome the trade-off between adding security activities into the development process and keeping a short lead time. We conducted an evaluation of our approach at a large industrial company considering the IEC 62443-4-1 security standard that regulates ICS. The results strengthen our confidence in the usefulness of our approach and artefacts, and in that they can support practitioners to achieve security compliance while preserving agility including short lead times.

Software Engineering

Nespoli, Pantaleone

DOI: https://doi.org/10.1007/s10207-024-00909-w

2024-10-06

International Journal of Information Security

Abstract:Recently, the DevSecOps practice has improved companies' agile production of secure software, reducing problems and improving return on investment. However, overreliance on security tools and traditional security techniques can facilitate the implementation of vulnerabilities in different stages of the software lifecycle.. Thus, this paper proposes the integration of a Large Language Model to help automate threat discovery at the design stage and Security Chaos Engineering to support the identification of security flaws that may be undetected by security tools. A specific use case is described to demonstrate how our proposal can be applied to a retail company that has the business need to produce rapidly secure software.

computer science, information systems, theory & methods, software engineering

Faheem Ullah,Adam Johannes Raft,Mojtaba Shahin,Mansooreh Zahedi,Muhammad Ali Babar

DOI: https://doi.org/10.48550/arXiv.1703.04277

2017-03-13

Abstract:Continuous Deployment (CD) has emerged as a new practice in the software industry to continuously and automatically deploy software changes into production. Continuous Deployment Pipeline (CDP) supports CD practice by transferring the changes from the repository to production. Since most of the CDP components run in an environment that has several interfaces to the Internet, these components are vulnerable to various kinds of malicious attacks. This paper reports our work aimed at designing secure CDP by utilizing security tactics. We have demonstrated the effectiveness of five security tactics in designing a secure pipeline by conducting an experiment on two CDPs - one incorporates security tactics while the other does not. Both CDPs have been analyzed qualitatively and quantitatively. We used assurance cases with goal-structured notations for qualitative analysis. For quantitative analysis, we used penetration tools. Our findings indicate that the applied tactics improve the security of the major components (i.e., repository, continuous integration server, main server) of a CDP by controlling access to the components and establishing secure connections.

Software Engineering,Cryptography and Security

Mohammad Ali Abudalou

DOI: https://doi.org/10.47760/ijcsmc.2024.v13i05.009

2024-05-30

International Journal of Computer Science and Mobile Computing

Abstract:"Protection DevOps: Security DevOps: Enhancing Application Delivery with Speed and Security" is a whole paper that explores the combination of synthetic intelligence (AI) technology into the protection DevOps framework. This integration goals to enhance software transport with the aid of AI-driven automation, predictive analytics, and chance intelligence. Inside the contemporary, rapid-paced virtual panorama, groups face developing pressure to deliver applications quickly while making sure sturdy safety capabilities are in proximity. The traditional method of protection frequently results in delays in deployment and hampers agility. With the aid of incorporating AI capabilities into DevOps protection practices, agencies can achieve stability among pace and safety. This paper examines how AI can optimize several factors of safety DevOps, together with: Automatic threat detection: AI-powered equipment can look at massive quantities of data in real-time to proactively come across and respond to protection threats. This functionality enables figuring out anomalies, predicting functionality dangers, and taking preemptive actions. Practical safety finding out: AI-pushed attempting out tools can carry out complete protection finding out, which includes vulnerability exams, penetration sorting out, and code assessment. Those gear leverage gadgets, studying algorithms to perceive safety gaps and advocate remediation measures. Predictive risk management: AI algorithms can examine historical protection statistics and patterns to expect future protection dangers. This proactive method lets companies put in place location-specific preventive measures and restrict the effects of safety incidents. Non-forestall compliance monitoring: AI-based total compliance system can display and implement regulatory compliance requirements at some point inside the improvement and deployment lifecycle. This guarantees that applications adhere to enterprise standards and regulatory hints. By incorporating AI into DevOps safety, businesses can gather accelerated software shipping without compromising protection. The synergistic aggregate of AI-driven automation, predictive analytics, and threat intelligence empowers DevOps organizations to respond to growing threats while preserving an excessive protection posture. This paper offers insights into the benefits of integrating AI into safety DevOps practices, uncommon use times, implementation strategies, and great practices. It courses agencies looking for to leverage AI technologies to decorate utility shipping with velocity and safety in a dynamic virtual environment.

Penghao Liang,Yichao Wu,Zheng Xu,Shilong Xiao,Jiaqiang Yuan

DOI: https://doi.org/10.53469/jtpes.2024.04(02).05

2024-02-28

Abstract:In modern software development and operations, DevOps (a combination of development and operations) has become a key methodology aimed at accelerating delivery, improving quality and enhancing security. Meanwhile, artificial intelligence (AI) and machine learning (ML) are also playing an increasingly important role in cybersecurity, helping to identify and respond to increasingly complex threats. In this article, we'll explore how AI and ML can be integrated into DevOps practices to ensure the security of software development and operations processes. We'll cover best practices, including how to use AI and ML for security-critical tasks such as threat detection, vulnerability management, and authentication. In addition, we will provide several case studies that show how these technologies have been successfully applied in real projects and how they have improved security, reduced risk and accelerated delivery. Finally, through this article, readers will learn how to fully leverage AI and ML in the DevOps process to improve software security, reduce potential risks, and provide more reliable solutions for modern software development and operations.

Roshan Namal Rajapakse,Mansooreh Zahedi,Muhammad Ali Babar

DOI: https://doi.org/10.48550/arXiv.2107.02096

2021-07-19

Abstract:Background: Security tools play a vital role in enabling developers to build secure software. However, it can be quite challenging to introduce and fully leverage security tools without affecting the speed or frequency of deployments in the DevOps paradigm. Aims: We aim to empirically investigate the key challenges practitioners face when integrating security tools into a DevOps workflow in order to provide recommendations to overcome them. Method: We conducted a study involving 31 systematically selected webinars on integrating security tools in DevOps. We used a qualitative data analysis method, i.e., thematic analysis, to identify the challenges and emerging solutions related to integrating security tools in rapid deployment environments. Results: We find that while traditional security tools are unable to cater for the needs of DevOps, the industry is moving towards new generations of tools that have started focusing on these requirements. We have developed a DevOps workflow that integrates security tools and a set of guidelines by synthesizing practitioners' recommendations in the analyzed webinars. Conclusion: While the latest security tools are addressing some of the requirements of DevOps, there are many tool-related drawbacks yet to be adequately addressed.

Cryptography and Security,Software Engineering

Florian Angermeir,Markus Voggenreiter,Fabiola Moyón,Daniel Mendez,Fabiola Moyon

DOI: https://doi.org/10.1109/icse-seip52600.2021.00037

2021-05-01

Abstract:Agile and DevOps are widely adopted by the industry. Hence, integrating security activities with industrial practices, such as continuous integration (CI) pipelines, is necessary to detect security flaws and adhere to regulators' demands early. In this paper, we analyze automated security activities in CI pipelines of enterprise-driven open source software (OSS). This shall allow us, in the long-run, to better understand the extent to which security activities are (or should be) part of automated pipelines. In particular, we mine publicly available OSS repositories and survey a sample of project maintainers to better understand the role that security activities and their related tools play in their CI pipelines. To increase transparency and allow other researchers to replicate our study (and to take different perspectives), we further disclose our research artefacts. Our results indicate that security activities in enterprise-driven OSS projects are scarce and protection coverage is rather low. Only 6.83% of the analyzed 8,243 projects apply security automation in their CI pipelines, even though maintainers consider security to be rather important. This alerts industry to keep the focus on vulnerabilities of 3rd Party software and it opens space for other improvements of practice which we outline in this manuscript.

Charan Shankar Kummarapurugu

DOI: https://doi.org/10.55041/ijsrem17273

2024-11-10

INTERANTIONAL JOURNAL OF SCIENTIFIC RESEARCH IN ENGINEERING AND MANAGEMENT

Abstract:Abstract—This paper presents a novel framework for inte- grating real-time AI-driven secure code analysis into DevSecOps practices within cloud-native CI/CD pipelines. As organizations increasingly adopt cloud- native architectures and agile develop- ment methodologies, the need for robust, automated security mea- sures becomes paramount. Our proposed framework leverages advanced machine learning algorithms to perform continuous, real-time code analysis, identifying potential vulnerabilities and security risks throughout the development lifecycle. By seamlessly integrating with existing CI/CD tools and cloud platforms, our solution enables organizations to enforce security policies, detect threats, and remediate issues without compromising development velocity. We evaluate the effectiveness of our framework through a series of case studies across diverse software projects, demon- strating significant improvements in threat detection accuracy, reduced false positives, and overall security posture. Our results indicate that the proposed AI-driven approach can enhance code security by up to 40% compared to traditional static analysis tools, while maintaining the agility of modern development prac- tices. This research contributes to the evolving field of DevSecOps by offering a scalable, intelligent solution for embedding security into the heart of cloud-native software development processes. Index Terms—DevSecOps, AI-driven security, cloud- native, CI/CD pipelines, secure code analysis

Engineering,Computer Science

Mayank Gokarna,Raju Singh

DOI: https://doi.org/10.48550/arXiv.2012.06145

2020-12-11

Abstract:DevOps is an emerging practice to be followed in Software Development life cycle. The name DevOps indicates that its an integration of Development and Operations team. It is followed to integrate the various stages of the development lifecycle. DevOps is an extended version of the existing Agile method. DevOps aims at Continuous Integration, Continuous Delivery, Continuous Improvement, faster Feedback and Security. This paper reviews the building blocks of DevOps, challenges in adopting DevOps, models to improve DevOps practices and Future works on DevOps.

Software Engineering

Fabiola Moyón,Florian Angermeir,Daniel Mendez

DOI: https://doi.org/10.1145/3639477.3639736

2024-01-12

Abstract:The intersection between security and continuous software engineering has been of great interest since the early years of the agile development movement, and it remains relevant as software development processes are more frequently guided by agility and the adoption of DevOps. Several authors have contributed studies about the framing of secure agile development and secure DevOps, motivating academic contributions to methods and practices, but also discussions around benefits and challenges. Especially the challenges captured also our interest since, for the last few years, we are conducting research on secure continuous software engineering from a more applied, practical perspective with the overarching aim to introduce solutions that can be adopted at scale. The short positioning at hands summarizes a relevant part of our endeavors in which we validated challenges with several practitioners of different roles. More than framing a set of challenges, we conclude by presenting four key research directions we identified for practitioners and researchers to delineate future work.

Software Engineering

Roshan Namal Rajapakse,Mansooreh Zahedi,Muhammad Ali Babar

DOI: https://doi.org/10.48550/arXiv.2211.06953

2022-11-25

Abstract:DevSecOps is a software development paradigm that places a high emphasis on the culture of collaboration between developers (Dev), security (Sec) and operations (Ops) teams to deliver secure software continuously and rapidly. Adopting this paradigm effectively, therefore, requires an understanding of the challenges, best practices and available solutions for collaboration among these functional teams. However, collaborative aspects related to these teams have received very little empirical attention in the DevSecOps literature. Hence, we present a study focusing on a key security activity, Application Security Testing (AST), in which practitioners face difficulties performing collaborative work in a DevSecOps environment. Our study made novel use of 48 systematically selected webinars, technical talks and panel discussions as a data source to qualitatively analyse software practitioner discussions on the most recent trends and emerging solutions in this highly evolving field. We find that the lack of features that facilitate collaboration built into the AST tools themselves is a key tool-related challenge in DevSecOps. In addition, the lack of clarity related to role definitions, shared goals, and ownership also hinders Collaborative AST (CoAST). We also captured a range of best practices for collaboration (e.g., Shift-left security), emerging communication methods (e.g., ChatOps), and new team structures (e.g., hybrid teams) for CoAST. Finally, our study identified several requirements for new tool features and specific gap areas for future research to provide better support for CoAST in DevSecOps.

Software Engineering

Neelam Rawat,Prashant Agrawal

DOI: https://doi.org/10.1109/ICICT46931.2019.8977662

2019-09-01

Abstract:Organization’s proficiency to deliver services and applications at high velocity requires competing effectively in the market. The practices and tools for such management processes demands the quick and reliable model. Changes need to start at the software engineering level when building applications in the cloud, so there is a need to automate our DevOps processes using cloud and non-cloud DevOps automation tools. The aim of this paper is to move DevOps to Cloud and become more agile at software development and operations. In parallel, consideration of how to extend those DevOps process and automation into public and/or private clouds are the prime approach for this research. While investigating the emergence of DevOps, this paper paints it as a dramatic change in IT world for process improvement. Goal is to understand how the DevOps and Cloud work together to help businesses achieve their transformation goals.

Computer Science,Engineering

Ahmad Mohsin,Helge Janicke,Surya Nepal,David Holmes

2023-09-24

Abstract:Digital Twins (DTs), optimize operations and monitor performance in Smart Critical Systems (SCS) domains like smart grids and manufacturing. DT-based cybersecurity solutions are in their infancy, lacking a unified strategy to overcome challenges spanning next three to five decades. These challenges include reliable data accessibility from Cyber-Physical Systems (CPS), operating in unpredictable environments. Reliable data sources are pivotal for intelligent cybersecurity operations aided with underlying modeling capabilities across the SCS lifecycle, necessitating a DT. To address these challenges, we propose Security Digital Twins (SDTs) collecting realtime data from CPS, requiring the Shift Left and Shift Right (SLSR) design paradigm for SDT to implement both design time and runtime cybersecurity operations. Incorporating virtual CPS components (VC) in Cloud/Edge, data fusion to SDT models is enabled with high reliability, providing threat insights and enhancing cyber resilience. VC-enabled SDT ensures accurate data feeds for security monitoring for both design and runtime. This design paradigm shift propagates innovative SDT modeling and analytics for securing future critical systems. This vision paper outlines intelligent SDT design through innovative techniques, exploring hybrid intelligence with data-driven and rule-based semantic SDT models. Various operational use cases are discussed for securing smart critical systems through underlying modeling and analytics capabilities.

Cryptography and Security,Emerging Technologies

Jonas Fritzsch,Justus Bogner,Markus Haug,Ana Cristina Franco da Silva,Carolin Rubner,Matthias Saft,Horst Sauer,Stefan Wagner

DOI: https://doi.org/10.1002/spe.3169

2022-10-13

Abstract:The domain of cyber-physical systems (CPS) has recently seen strong growth, e.g., due to the rise of the Internet of Things (IoT) in industrial domains, commonly referred to as "Industry 4.0". However, CPS challenges like the strong hardware focus can impact modern software development practices, especially in the context of modernizing legacy systems. While microservices and DevOps have been widely studied for enterprise applications, there is insufficient coverage for the CPS domain. Our goal is therefore to analyze the peculiarities of such systems regarding challenges and practices for using and migrating towards microservices and DevOps. We conducted a rapid review based on 146 scientific papers, and subsequently validated our findings in an interview-based case study with 9 CPS professionals in different business units at Siemens AG. The combined results picture the specifics of microservices and DevOps in the CPS domain. While several differences were revealed that may require adapted methods, many challenges and practices are shared with typical enterprise applications. Our study supports CPS researchers and practitioners with a summary of challenges, practices to address them, and research opportunities.

Software Engineering

J. A. V. M. K. Jayakody,W. M. J. I. Wijayanayake

DOI: https://doi.org/10.12821/ijispm110304

2023-10-04

International Journal of Information Systems and Project Management

Abstract:Adopting DevOps is challenging since it makes a significant paradigm shift in the Information Systems Development process. DevOps is a trending approach attached to the Agile Software Development Methodology, which facilitates adaptation to the customers' rapidly-changing requirements. It keeps one front step by introducing software operators who support the transmission between software and implementation into the software development team by confirming faster development, quality assurance, and easy maintenance of Information Systems (IS). However, software development companies reported challenges in adopting DevOps. It is critical to control those challenges while getting hold of the benefits by studying Critical Success Factors (CSF) for adopting DevOps. This study aimed to analyze the use of DevOps approach in IS developments by exploring CSFs of DevOps. A systematic literature review was applied to identify CSFs. These factors were confirmed by interviewing DevOps practitioners while identifying more frequent CSFs in the software development industry. Finally, the research presents a conceptual model for CSFs of DevOps, which is a guide to reap the DevOps benefits while reducing the hurdles for enhancing the success of IS. The conceptual model presents CSFs of DevOps by grouping them into four areas: collaborative culture, DevOps practices, proficient DevOps team, and metrics & measurement.

Manish Shrestha,Christian Johansen,Johanna Johansen

2024-10-03

Abstract:DevSecOps, as the extension of DevOps with security training and tools, has become a popular way of developing modern software, especially in the Internet of Things arena, due to its focus on rapid development, with short release cycles, involving the user/client very closely. Security classification methods, on the other hand, are heavy and slow processes that require high expertise in security, the same as in other similar areas such as risk analysis or certification. As such, security classification methods are hardly compatible with the DevSecOps culture, which to the contrary, has moved away from the traditional style of penetration testing done only when the software product is in the final stages or already deployed. In this work, we first propose five principles for a security classification to be \emph{DevOps-ready}, two of which will be the focus for the rest of the paper, namely to be tool-based and easy to use for non-security experts, such as ordinary developers or system architects. We then exemplify how one can make a security classification methodology DevOps-ready. We do this through an interaction design process, where we create and evaluate the usability of a tool implementing the chosen methodology. Since such work seems to be new within the usable security community, and even more so in the software development (DevOps) community, we extract from our process a general, three-steps `recipe' that others can follow when making their own security methodologies DevOps-ready. The tool that we build is in itself a contribution of this process, as it can be independently used, extended, and/or integrated by developer teams into their DevSecOps tool-chains. Our tool is perceived (by the test subjects) as most useful in the design phase, but also during the testing phase where the security class would be one of the metrics used to evaluate the quality of their software.

Cryptography and Security,Human-Computer Interaction,Software Engineering