Roshan Namal Rajapakse,Mansooreh Zahedi,Muhammad Ali Babar

DOI: https://doi.org/10.48550/arXiv.2107.02096

2021-07-19

Abstract:Background: Security tools play a vital role in enabling developers to build secure software. However, it can be quite challenging to introduce and fully leverage security tools without affecting the speed or frequency of deployments in the DevOps paradigm. Aims: We aim to empirically investigate the key challenges practitioners face when integrating security tools into a DevOps workflow in order to provide recommendations to overcome them. Method: We conducted a study involving 31 systematically selected webinars on integrating security tools in DevOps. We used a qualitative data analysis method, i.e., thematic analysis, to identify the challenges and emerging solutions related to integrating security tools in rapid deployment environments. Results: We find that while traditional security tools are unable to cater for the needs of DevOps, the industry is moving towards new generations of tools that have started focusing on these requirements. We have developed a DevOps workflow that integrates security tools and a set of guidelines by synthesizing practitioners' recommendations in the analyzed webinars. Conclusion: While the latest security tools are addressing some of the requirements of DevOps, there are many tool-related drawbacks yet to be adequately addressed.

Cryptography and Security,Software Engineering

Xin Zhou,Runfeng Mao,He Zhang,Qiming Dai,Huang,Haifeng Shen,Jingyue Li,Guoping Rong

DOI: https://doi.org/10.1049/sfw2.12132

2023-01-01

IET Software

Abstract:By adopting agile and lean practices, DevOps aims to achieve rapid value delivery by speeding up development and deployment cycles, which however lead to more security concerns that cannot be fully addressed by an isolated security role only in the final stage of development. DevSecOps promotes security as a shared responsibility integrated into the DevOps process that seamlessly intertwines development, operations, and security from the start throughout to the end of cycles. While some companies have already begun to embrace this new strategy, both industry and academia are still seeking a common understanding of the DevSecOps movement. The goal of this study is to report the state-of-the-practice of DevSecOps, including the impact of DevOps on security, practitioners' understanding of DevSecOps, and the practices associated with DevSecOps as well as the challenges of implementing DevSecOps. The authors used a mixed-methods approach for this research. The authors carried out a grey literature review on DevSecOps, and surveyed the practitioners of DevSecOps in industry of China. The status quo of DevSecOps in industry is summarized. Three major software security risks are identified with DevOps, where the establishment of DevOps pipeline provides opportunities for security-related activities. The authors classify the interpretations of DevSecOps into three core aspects of DevSecOps capabilities, cultural enablers, and technological enablers. To materialise the interpretations into daily software production activities, the recommended DevSecOps practices from three perspectives-people, process, and technology. Although a preliminary consensus is that DevSecOps is regarded as an extension of DevOps, there is a debate on whether DevSecOps is a superfluous term. While DevSecOps is attracting an increasing attention by industry, it is still in its infancy and more effort needs to be invested to promote it in both research and industry communities.

Mohammad Ali Abudalou

DOI: https://doi.org/10.47760/ijcsmc.2024.v13i05.009

2024-05-30

International Journal of Computer Science and Mobile Computing

Abstract:"Protection DevOps: Security DevOps: Enhancing Application Delivery with Speed and Security" is a whole paper that explores the combination of synthetic intelligence (AI) technology into the protection DevOps framework. This integration goals to enhance software transport with the aid of AI-driven automation, predictive analytics, and chance intelligence. Inside the contemporary, rapid-paced virtual panorama, groups face developing pressure to deliver applications quickly while making sure sturdy safety capabilities are in proximity. The traditional method of protection frequently results in delays in deployment and hampers agility. With the aid of incorporating AI capabilities into DevOps protection practices, agencies can achieve stability among pace and safety. This paper examines how AI can optimize several factors of safety DevOps, together with: Automatic threat detection: AI-powered equipment can look at massive quantities of data in real-time to proactively come across and respond to protection threats. This functionality enables figuring out anomalies, predicting functionality dangers, and taking preemptive actions. Practical safety finding out: AI-pushed attempting out tools can carry out complete protection finding out, which includes vulnerability exams, penetration sorting out, and code assessment. Those gear leverage gadgets, studying algorithms to perceive safety gaps and advocate remediation measures. Predictive risk management: AI algorithms can examine historical protection statistics and patterns to expect future protection dangers. This proactive method lets companies put in place location-specific preventive measures and restrict the effects of safety incidents. Non-forestall compliance monitoring: AI-based total compliance system can display and implement regulatory compliance requirements at some point inside the improvement and deployment lifecycle. This guarantees that applications adhere to enterprise standards and regulatory hints. By incorporating AI into DevOps safety, businesses can gather accelerated software shipping without compromising protection. The synergistic aggregate of AI-driven automation, predictive analytics, and threat intelligence empowers DevOps organizations to respond to growing threats while preserving an excessive protection posture. This paper offers insights into the benefits of integrating AI into safety DevOps practices, uncommon use times, implementation strategies, and great practices. It courses agencies looking for to leverage AI technologies to decorate utility shipping with velocity and safety in a dynamic virtual environment.

Faheem Ullah,Adam Johannes Raft,Mojtaba Shahin,Mansooreh Zahedi,Muhammad Ali Babar

DOI: https://doi.org/10.48550/arXiv.1703.04277

2017-03-13

Abstract:Continuous Deployment (CD) has emerged as a new practice in the software industry to continuously and automatically deploy software changes into production. Continuous Deployment Pipeline (CDP) supports CD practice by transferring the changes from the repository to production. Since most of the CDP components run in an environment that has several interfaces to the Internet, these components are vulnerable to various kinds of malicious attacks. This paper reports our work aimed at designing secure CDP by utilizing security tactics. We have demonstrated the effectiveness of five security tactics in designing a secure pipeline by conducting an experiment on two CDPs - one incorporates security tactics while the other does not. Both CDPs have been analyzed qualitatively and quantitatively. We used assurance cases with goal-structured notations for qualitative analysis. For quantitative analysis, we used penetration tools. Our findings indicate that the applied tactics improve the security of the major components (i.e., repository, continuous integration server, main server) of a CDP by controlling access to the components and establishing secure connections.

Software Engineering,Cryptography and Security

Michael Fu,Jirat Pasuksmit,Chakkrit Tantithamthavorn

2024-09-13

Abstract:DevOps has emerged as one of the most rapidly evolving software development paradigms. With the growing concerns surrounding security in software systems, the DevSecOps paradigm has gained prominence, urging practitioners to incorporate security practices seamlessly into the DevOps workflow. However, integrating security into the DevOps workflow can impact agility and impede delivery speed. Recently, the advancement of artificial intelligence (AI) has revolutionized automation in various software domains, including software security. AI-driven security approaches, particularly those leveraging machine learning or deep learning, hold promise in automating security workflows. They reduce manual efforts, which can be integrated into DevOps to ensure uninterrupted delivery speed and align with the DevSecOps paradigm simultaneously. This paper seeks to contribute to the critical intersection of AI and DevSecOps by presenting a comprehensive landscape of AI-driven security techniques applicable to DevOps and identifying avenues for enhancing security, trust, and efficiency in software development processes. We analyzed 99 research papers spanning from 2017 to 2023. Specifically, we address two key research questions (RQs). In RQ1, we identified 12 security tasks associated with the DevSecOps process and reviewed existing AI-driven security approaches, the problems they addressed, and the 65 benchmarks used to evaluate those approaches. Drawing insights from our findings, in RQ2, we discussed state-of-the-art AI-driven security approaches, highlighted 15 challenges in existing research, and proposed 15 corresponding avenues for future opportunities.

Software Engineering,Artificial Intelligence

Runfeng Mao,He Zhang,Qiming Dai,Huang,Guoping Rong,Haifeng Shen,Lianping Chen,Kaixiang Lu

DOI: https://doi.org/10.1109/qrs51102.2020.00064

2020-01-01

Abstract:Context: Emerging from the agile culture, DevOps particularly emphasizes development and deployment speed to achieve rapid value delivery, which however brings some security risks to the software development process. DevSecOps is an extension of DevOps, which is considered as a means to intertwine development, operation and security. Some companies with security concerns begin to take DevSecOps into consideration when it comes to the application of DevOps. Objective: The goal of this study is to report the state-of-the-practice of DevSecOps as well as calling for academia to pay more attention to DevSecOps. Method: Using Google search engine to collect articles on DevSecOps, we conducted a Grey Literature Review (GLR) on the selected articles. Results: Whilst there exists three major software security risks in DevOps, the establishment of DevOps pipeline provides opportunities for software security activities. Based on the preliminary consensus that DevSecOps is an extension of DevOps, it is observed that the interpretations of DevSecOps can be classified into three core aspects, which are: DevSecOps capabilities, cultural enablers, and technological enablers. Furthermore, to materialize the interpretations into daily software production activities, the recommended DevSecOps practices we obtain from Grey Literature (GL) can be categorized in terms of process, infrastructure and collaboration. Conclusion: Although DevSecOps is getting increasing attention by industry, it is still in its infancy and needs to be promoted by both academia and industry.

Markus Voggenreiter,Florian Angermeir,Fabiola Moyón,Ulrich Schöpp,Pierre Bonvin

DOI: https://doi.org/10.1145/3639477.3639744

2024-01-12

Abstract:In recent years, DevOps, the unification of development and operation workflows, has become a trend for the industrial software development lifecycle. Security activities turned into an essential field of application for DevOps principles as they are a fundamental part of secure software development in the industry. A common practice arising from this trend is the automation of security tests that analyze a software product from several perspectives. To effectively improve the security of the analyzed product, the identified security findings must be managed and looped back to the project team for stakeholders to take action. This management must cope with several challenges ranging from low data quality to a consistent prioritization of findings while following DevOps aims. To manage security findings with the same efficiency as other activities in DevOps projects, a methodology for the management of industrial security findings minding DevOps principles is essential.

Software Engineering

Lombardi, Federico,Fanton, Alberto

DOI: https://doi.org/10.1007/s11219-023-09619-3

2023-04-27

Software Quality Journal

Abstract:Software engineering is evolving quickly leading to an urgency to discover more efficient development models. DevOps and its security-oriented extension DevSecOps promised to speed up the development process while ensuring more robust code. However, many third-party libraries and infrastructure vulnerabilities may still pose security flaws. Besides, regulatory compliance and standards go beyond secure software asking for comprehensive security and accurate infrastructure hardening. Thus, we may wonder: is DevSecOps enough? In this paper, we propose CyberDevOps, a novel architecture which integrates cybersecurity within DevSecOps. Specifically, (i) we revise software composition analysis to deal with nondeterministic environments and (ii) we incorporate vulnerability assessment and compliance within a further pipeline step. To assess the effectiveness of CyberDevOps, we conduct an experimental evaluation. Specifically, we attack a web application and we show how CyberDevOps is able to detect hidden defects while a standard DevSecOps pipeline fails. Furthermore, we assess code quality and security by comparing DevOps, DevSecOps, and CyberDevOps by monitoring two Conio code bases over a year. The results show that CyberDevOps helps to fix up to 100% of known bugs and vulnerabilities and improve significantly the code quality.

computer science, software engineering

Fabiola Moyón Constante,Rafael Soares,Maria Pinto-Albuquerque,Daniel Méndez,Kristian Beckers

DOI: https://doi.org/10.1007/978-3-030-64148-1_27

2021-05-27

Abstract:In the last decade, companies adopted DevOps as a fast path to deliver software products according to customer expectations, with well aligned teams and in continuous cycles. As a basic practice, DevOps relies on pipelines that simulate factory swim-lanes. The more automation in the pipeline, the shorter a lead time is supposed to be. However, applying DevOps is challenging, particularly for industrial control systems (ICS) that support critical infrastructures and that must obey to rigorous requirements from security regulations and standards. Current research on security compliant DevOps presents open gaps for this particular domain and in general for systematic application of security standards. In this paper, we present a systematic approach to integrate standard-based security activities into DevOps pipelines and highlight their automation potential. Our intention is to share our experiences and help practitioners to overcome the trade-off between adding security activities into the development process and keeping a short lead time. We conducted an evaluation of our approach at a large industrial company considering the IEC 62443-4-1 security standard that regulates ICS. The results strengthen our confidence in the usefulness of our approach and artefacts, and in that they can support practitioners to achieve security compliance while preserving agility including short lead times.

Software Engineering

Ricardo M. Czekster

2024-09-05

Abstract:DevOps (development and operations), has significantly changed the way to overcome deficiencies for delivering high-quality software to production environments. Past years witnessed an increased interest in embedding DevOps with cybersecurity in an approach dubbed secure DevOps. However, as the practices and guidance mature, teams must consider them within a broader risk context. We argue here how secure DevOps could profit from engaging with risk related activities within organisations. We focus on combining Risk Assessment (RA), particularly Threat Modelling (TM) and apply security considerations early in the software life-cycle. Our contribution provides a roadmap for enacting secure DevOps alongside risk objectives, devising informed ways to improve TM and establishing effective security underpinnings in organisations focusing on software products and services. We aim to outline proven methods over the literature on the subject discussing case studies, technologies, and tools. It presents a case study for a real-world inspired organisation employing the proposed approach with a discussion. Enforcing these novel mechanisms centred on security requires investment, training, and stakeholder engagement. It requires understanding the actual benefits of automation in light of Continuous Integration/Continuous Delivery settings that improve the overall quality of software solutions reaching the market.

Software Engineering,Cryptography and Security

Khirod Chandra Panda,,Shobhit Agrawal

DOI: https://doi.org/10.47363/jaicc/2022(1)280

2022-12-31

Abstract:Security is a paramount concern in DevOps. The adoption of Infrastructure as Code (IaC) has increased the potential impact of even minor flaws, particularly in critical domains like healthcare and maritime applications. Existing solutions typically focus on either Static Application Security Testing (SAST) or run-time behavior analysis. This paper introduces the IaC Scan Runner, an open-source tool developed in Python for inspecting various IaC languages during application design, and LOMOS, a run-time anomaly detection tool. Both tools work together to enhance the security of DevOps processes. In today’s rapidly evolving technological landscape, the vulnerability of infrastructure and applications is growing due to a combination of factors. Attackers are becoming more sophisticated, leveraging improved intelligence to exploit weaknesses. At the same time, there is a lack of technical capability in many organizations to effectively secure their systems. This paper explores a dual approach to cybersecurity: static security monitoring through rule matching and the application of self-supervised machine learning. By combining these approaches, organizations can better defend against cyber threats. One area of focus is supply chain resilience and smart logistics, where the integration of these methods is particularly critical. This approach emphasizes a self-learning and self-healing approach, allowing systems to adapt and respond to new threats autonomously. Integrating Artificial Intelligence (AI) and Machine Learning (ML) into DevSecOps practices is essential for improving security, efficiency, and innovation in software development and deployment. This paper delves into strategies and best practices for leveraging AI/ML within the DevSecOps framework. It discusses automated threat detection, predictive analytics for vulnerability management, and intelligent automation for continuous integration and deployment. However, this integration also presents challenges, such as data privacy, algorithm transparency, and ethical implications. The paper addresses these challenges and showcases how organizations can use AI/ML to optimize their DevSecOps pipelines, mitigate security risks, and foster continuous improvement. The adoption of Infrastructure as Code (IaC) has increased the potential impact of even minor flaws, especially in critical domains like healthcare and maritime applications. Existing solutions typically focus on either Static Application Security Testing (SAST) or run-time behavior analysis.

Florian Angermeir,Markus Voggenreiter,Fabiola Moyón,Daniel Mendez,Fabiola Moyon

DOI: https://doi.org/10.1109/icse-seip52600.2021.00037

2021-05-01

Abstract:Agile and DevOps are widely adopted by the industry. Hence, integrating security activities with industrial practices, such as continuous integration (CI) pipelines, is necessary to detect security flaws and adhere to regulators' demands early. In this paper, we analyze automated security activities in CI pipelines of enterprise-driven open source software (OSS). This shall allow us, in the long-run, to better understand the extent to which security activities are (or should be) part of automated pipelines. In particular, we mine publicly available OSS repositories and survey a sample of project maintainers to better understand the role that security activities and their related tools play in their CI pipelines. To increase transparency and allow other researchers to replicate our study (and to take different perspectives), we further disclose our research artefacts. Our results indicate that security activities in enterprise-driven OSS projects are scarce and protection coverage is rather low. Only 6.83% of the analyzed 8,243 projects apply security automation in their CI pipelines, even though maintainers consider security to be rather important. This alerts industry to keep the focus on vulnerabilities of 3rd Party software and it opens space for other improvements of practice which we outline in this manuscript.

Mali Senapathi,Jim Buchan,Hady Osman

DOI: https://doi.org/10.1145/3210459.3210465

2019-07-24

Abstract:DevOps is a set of principles and practices to improve collaboration between development and IT Operations. Against the backdrop of the growing adoption of DevOps in a variety of software development domains, this paper describes empirical research into factors influencing its implementation. It presents findings of an in-depth exploratory case study that explored DevOps implementation in a New Zealand product development organisation. The study involved interviewing six experienced software engineers who continuously monitored and reflected on the gradual implementation of DevOps principles and practices. For this case study the use of DevOps practices led to significant benefits, including increase in deployment frequency from about 30 releases a month to an average of 120 releases per month, as well as improved natural communication and collaboration between IT development and operations personnel. We found that the support of a number of technological enablers, such as implementing an automation pipeline and cross functional organisational structures, were critical to delivering the expected benefits of DevOps.

Software Engineering

Penghao Liang,Yichao Wu,Zheng Xu,Shilong Xiao,Jiaqiang Yuan

DOI: https://doi.org/10.53469/jtpes.2024.04(02).05

2024-02-28

Abstract:In modern software development and operations, DevOps (a combination of development and operations) has become a key methodology aimed at accelerating delivery, improving quality and enhancing security. Meanwhile, artificial intelligence (AI) and machine learning (ML) are also playing an increasingly important role in cybersecurity, helping to identify and respond to increasingly complex threats. In this article, we'll explore how AI and ML can be integrated into DevOps practices to ensure the security of software development and operations processes. We'll cover best practices, including how to use AI and ML for security-critical tasks such as threat detection, vulnerability management, and authentication. In addition, we will provide several case studies that show how these technologies have been successfully applied in real projects and how they have improved security, reduced risk and accelerated delivery. Finally, through this article, readers will learn how to fully leverage AI and ML in the DevOps process to improve software security, reduce potential risks, and provide more reliable solutions for modern software development and operations.

Roshan Namal Rajapakse,Mansooreh Zahedi,Muhammad Ali Babar

DOI: https://doi.org/10.48550/arXiv.2211.06953

2022-11-25

Abstract:DevSecOps is a software development paradigm that places a high emphasis on the culture of collaboration between developers (Dev), security (Sec) and operations (Ops) teams to deliver secure software continuously and rapidly. Adopting this paradigm effectively, therefore, requires an understanding of the challenges, best practices and available solutions for collaboration among these functional teams. However, collaborative aspects related to these teams have received very little empirical attention in the DevSecOps literature. Hence, we present a study focusing on a key security activity, Application Security Testing (AST), in which practitioners face difficulties performing collaborative work in a DevSecOps environment. Our study made novel use of 48 systematically selected webinars, technical talks and panel discussions as a data source to qualitatively analyse software practitioner discussions on the most recent trends and emerging solutions in this highly evolving field. We find that the lack of features that facilitate collaboration built into the AST tools themselves is a key tool-related challenge in DevSecOps. In addition, the lack of clarity related to role definitions, shared goals, and ownership also hinders Collaborative AST (CoAST). We also captured a range of best practices for collaboration (e.g., Shift-left security), emerging communication methods (e.g., ChatOps), and new team structures (e.g., hybrid teams) for CoAST. Finally, our study identified several requirements for new tool features and specific gap areas for future research to provide better support for CoAST in DevSecOps.

Software Engineering

Neelam Rawat,Prashant Agrawal

DOI: https://doi.org/10.1109/ICICT46931.2019.8977662

2019-09-01

Abstract:Organization’s proficiency to deliver services and applications at high velocity requires competing effectively in the market. The practices and tools for such management processes demands the quick and reliable model. Changes need to start at the software engineering level when building applications in the cloud, so there is a need to automate our DevOps processes using cloud and non-cloud DevOps automation tools. The aim of this paper is to move DevOps to Cloud and become more agile at software development and operations. In parallel, consideration of how to extend those DevOps process and automation into public and/or private clouds are the prime approach for this research. While investigating the emergence of DevOps, this paper paints it as a dramatic change in IT world for process improvement. Goal is to understand how the DevOps and Cloud work together to help businesses achieve their transformation goals.

Computer Science,Engineering

Abed Saif Ahmed Alghawli,Tamara Radivilova

DOI: https://doi.org/10.1016/j.aej.2024.07.036

2024-12-15

Abstract:Automated, secure software development is an important task of digitalization, which is solved with the DevSecOps approach. An important part of the DevSecOps approach is continuous risk assessment, which is necessary to identify and evaluate risk factors. Combining the development cycle with continuous risk assessment creates synergies in software development and operation and minimizes vulnerabilities. The article presents the main methods of deploying web applications, ways to increase the level of information security at all stages of product development, compares different types of infrastructures and cloud computing providers, and analyzes modern tools used to automate processes. The cloud cluster was deployed using Terraform and the Jenkins pipeline, which is written in the Groovy programming language, which checks program code for vulnerabilities and allows you to fix violations at the earliest stages of developing secure web applications. The developed cluster implements the proposed algorithm for automated risk assessment based on the calculation (modeling) of threats and vulnerabilities of cloud infrastructure, which operates in real time, periodically collecting all information and adjusting the system in accordance with the risk and applied controls. The algorithm for calculating risk and losses is based on statistical data and the concept of the FAIR information risk assessment methodology. The risk value obtained using the proposed method is quantitative, which allows more efficient forecasting of information security costs in software development.

Cryptography and Security

Mst Shapna Akter,Juanjose Rodriguez-Cardenas,Hossain Shahriar,Akond Rahman,Fan Wu

DOI: https://doi.org/10.48550/arXiv.2311.16944

2023-08-14

Cryptography and Security

Abstract:The field of DevOps security education necessitates innovative approaches to effectively address the ever-evolving challenges of cybersecurity. In adopting a student-centered ap-proach, there is the need for the design and development of a comprehensive set of hands-on learning modules. In this paper, we introduce hands-on learning modules that enable learners to be familiar with identifying known security weaknesses, based on taint tracking to accurately pinpoint vulnerable code. To cultivate an engaging and motivating learning environment, our hands-on approach includes a pre-lab, hands-on and post lab sections. They all provide introduction to specific DevOps topics and software security problems at hand, followed by practicing with real world code examples having security issues to detect them using tools. The initial evaluation results from a number of courses across multiple schools show that the hands-on modules are enhancing the interests among students on software security and cybersecurity, while preparing them to address DevOps security vulnerabilities.

Luís Prates,Rúben Pereira

DOI: https://doi.org/10.1007/s10207-024-00914-z

2024-11-06

International Journal of Information Security

Abstract:Nowadays, software development happens at a fast pace. At the same time, Information Technology organizations face higher demands and competition while struggling with external threats such as cyberattacks. Therefore, many organizations adopt DevOps as a working culture to improve their Software Development Lifecycle (SDL). However, the success of DevOps adoption remains inconsistent, and recently, IEEE introduced a DevOps standard that might help improve DevOps adoption. The standard mentions DevSecOps as the security aspect of DevOps, adding security practices to the SDL from inception, but what are these practices or capabilities? Which tools can be used to implement these practices? Therefore, a Multivocal Literature Review was performed to identify DevSecOps practices and their definitions, and which tools can be used to implement them.

computer science, information systems, theory & methods, software engineering

Arvind Kumar Bhardwaj,P.K. Dutta,Pradeep Chintale

DOI: https://doi.org/10.58496/bjn/2024/016

2024-08-20

Abstract:Integrating shift-left security practices and automated vulnerability detection in container images is imperative for modern software development, given the dynamics and vulnerability landscape. This crucial methodology emphasizes security from the initial stages of integration in container-based environments like Docker and Kubernetes. The paper examines containerization security challenges, including image vulnerabilities, insecure configurations, runtime risks, weak orchestration security, and supply chain weaknesses, while stressing compliance with regulatory rules. It explores how this automated approach leverages vulnerability detection methods integrated into Continuous Integration/Continuous Deployment (CI/CD) pipelines through static and dynamic analyses, vulnerability databases, and policy-enforcement mechanisms. Beyond identifying vulnerabilities in CI/CD pipelines, the paper outlines methods to avoid policy violations, mitigate vulnerable images, and prevent recurring practices. Importantly, it underscores the continuous enforcement and remediation of policies and security standards. Security teams must invest efforts in developing policies, automated executions, and remediation procedures, fostering cross-departmental collaboration. In essence, this proactive stance aims to enhance software security, reduce risks, and improve adherence in containerized ecosystems, making it an indispensable component of modern software development.