1,354 research outputs found

    Revisit security in the era of DevOps : An evidence-based inquiry into DevSecOps industry

    By adopting agile and lean practices, DevOps aims to achieve rapid value delivery by speeding up development and deployment cycles, which however leads to more security concerns that cannot be fully addressed by an isolated security role acting only in the final stage of development. DevSecOps promotes security as a shared responsibility integrated into the DevOps process, seamlessly intertwining development, operations, and security from the start to the end of each cycle. While some companies have already begun to embrace this new strategy, both industry and academia are still seeking a common understanding of the DevSecOps movement. The goal of this study is to report the state of practice of DevSecOps, including the impact of DevOps on security, practitioners' understanding of DevSecOps, the practices associated with DevSecOps, and the challenges of implementing DevSecOps. The authors used a mixed-methods approach for this research: they carried out a grey literature review on DevSecOps and surveyed DevSecOps practitioners in Chinese industry. The status quo of DevSecOps in industry is summarized. Three major software security risks are identified with DevOps, where the establishment of a DevOps pipeline provides opportunities for security-related activities. The authors classify the interpretations of DevSecOps into three core aspects: DevSecOps capabilities, cultural enablers, and technological enablers. To materialise these interpretations in daily software production activities, the authors recommend DevSecOps practices from three perspectives: people, process, and technology. Although a preliminary consensus is that DevSecOps is regarded as an extension of DevOps, there is a debate on whether DevSecOps is a superfluous term. While DevSecOps is attracting increasing attention from industry, it is still in its infancy and more effort needs to be invested to promote it in both the research and industry communities.

    DevSecOps Services: A Study of the Most Common and Rarest DevSecOps Services Available in 2022

    DevSecOps is an evolving set of practices within the prevalent DevOps paradigm that aims to include security at every stage of the development cycle. In order to understand how it has matured since its inception, we looked at a sample of 25 companies offering DevSecOps services to identify which services were most common and which were rarest. Multiple trends were identified, including a heavy lean of DevSecOps services towards consultation and organizational adaptation. We also identified compliance to be a focus of many DevSecOps services. DevSecOps consultation and DevSecOps as a Service (DaaS) were identified as two of the most commonly available services in 2022, while isolation, SRE, SIEM, and orchestration were the rarest. Future studies on this subject might reveal different trends in the evolution of DevSecOps services, assuming DevSecOps hasn't been replaced by a more advanced paradigm.

    Monitoring solution for cloud-native DevSecOps

    Software development and operations are increasingly adopting cloud-native environments. The popularity of development practices such as DevSecOps is one of the reasons for this change. Monitoring is identified as one essential practice in DevSecOps, and currently a wide variety of tool offerings are available on the market to address this new transformation. However, an automated monitoring solution that covers both the infrastructure and application level is not available yet. We have developed a repeatable solution based on the popular microservice architectural style that monitors the cloud-native infrastructure and application level to address this gap. Furthermore, we have also added automation capability to this monitoring solution for easy deployment and event-triggered alerting. In the future, we plan to do a detailed evaluation and extend the proposed solution with more data collection features in order to enhance the monitoring solution.

    Critical success factors for integrating security into a DevOps environment

    Integrating security into a DevOps environment, also known as DevSecOps, can allow organisations to deliver more secure applications and services faster to market. While many publications address the theoretical benefits and challenges of security integration, there is a lack of practical insight to guide organisations towards a successful integration. As a result, many organisations fail to achieve DevSecOps due to the historical differences that hinder collaboration between teams. This study investigates the critical success factors for DevSecOps integration using a case study approach. Semi-structured interviews were held with eight senior staff members directly involved in establishing DevSecOps integration within a large organisation. Thematic analysis of data across three categories (people, processes, and technology) identified eight major themes: executive support, security champions, security training, way-of-working, governance framework, secure pipeline, automation, and technology. Based on these findings, a framework is proposed to inform and guide organisations on DevSecOps integration.

    DevSecOps: S-SDLC

    The main objective of this thesis is to examine how security is incorporated into DevOps in a corporate environment. Specifically, this thesis aims to explore how to implement S-SDLC (Secure Software Development Life Cycle). Additionally, the thesis demonstrates the implementation of a well-executed CI/CD (Continuous Integration/Continuous Delivery) pipeline. During the project, new tools have been implemented to facilitate secure and high-quality development for the programmer during the development phase.

    Introducing Agile/DevSecOps into the Space Acquisition Environment

    Excerpt from the Proceedings of the Nineteenth Annual Acquisition Research Symposium. The University of Southern California (USC) and its Information Sciences Institute (USC-ISI) are undertaking research into improving the space-based systems acquisition process through the adoption of agile and DevSecOps methodologies. The USC-ISI team is currently undertaking research and systems engineering analysis to explore the mission engineering methods, analysis, metrics and training needed to transition from a traditional DoDI 5000.02 waterfall development environment to an agile/DevSecOps space systems acquisition environment. Over the past several years, the project team has been embedded at the U.S. Space Force's Space Systems Command, Production Corps (SSC/PC), developing performance measuring tools, collecting performance metrics and providing subject matter expertise on three projects: a traditional waterfall project, a hybrid parallel waterfall and agile development project, and an on-going long-term highly agile development effort that is subject to traditional waterfall acquisition reporting requirements. This paper summarizes initial research results and lessons learned along with a discussion on next steps. Approved for public release; distribution is unlimited.

    On DevSecOps and Risk Management in Critical Infrastructures: Practitioners' Insights on Needs and Goals

    Risk management is essential for ensuring the sustained viability of organizations over the long term. It plays a pivotal role in business by helping identify potential threats and vulnerabilities, enabling well-informed decision-making. Within the context of critical infrastructures (CIs), it takes on even greater significance. DevSecOps is an innovative approach to bolstering the security of software applications. This approach is being heralded as a transformative solution that encourages the adoption of robust security practices, reduces risk, and ensures uninterrupted business continuity. This qualitative study explores the needs and goals of implementing DevSecOps in CIs from the perspective of DevOps engineers, developers, and security experts. Findings show that the relevance of DevSecOps in CIs emerges from the need for proactive work, increased efficiency, automation, monitoring mechanisms, security, and outstanding products and services. Findings also identify the goals of establishing a stronger market presence, increasing revenues, and maintaining a leading position in the market. The study provides valuable insights on DevSecOps in risk management that can potentially encourage the adoption of DevSecOps and guide practitioners interested in leveraging the inherent benefits of this approach in the context of CIs.

    Towards secure software development at Neste - a case study

    The software development industry has been revolutionized through the adoption of software development methods such as DevOps. While adopting DevOps can speed up development through a collaborative culture between development and operations teams, speed-driven adoption can have an adverse impact on security. DevSecOps is a concept that focuses on embedding security culture and activities into DevOps. Another contributing factor to the more agile development landscape is the widespread adoption of open source components. However, the risk of putting too much trust into the open source ecosystem has resulted in a whole new set of security issues that have not yet been adequately addressed by the industry. This thesis is commissioned by Neste Corporation. The company has set an initiative to incorporate methods that enable better transparency, agility, and security into their software development projects. This thesis collects research data on secure software development practices by combining the findings of a literature review with a case study. The qualitative case study is done by interviewing eight stakeholders from four different software development teams. The literature review shows that securing software is very much an ongoing effort, especially in the open source ecosystem. Therefore, it is perhaps not surprising that the results from the case study revealed multiple shortcomings on the subject matter despite obvious efforts from the participating teams. As a result, this thesis presents potential ideas for the case company to consider integrating into their software development projects in order to kickstart their secure software development journey.
