14 research outputs found

    DevSecOps metrics

    DevSecOps is an emerging paradigm that breaks the security team silo by bringing security into the DevOps methodology and adding security practices to the Software Development Lifecycle (SDL). Security practices in the SDL are important to avoid data breaches, to guarantee compliance with the law, and because protecting customer data is an obligation. This study aims to identify metrics teams can use to measure the effectiveness of DevSecOps methodology implementation inside organizations. To that end, we performed a Multivocal Literature Review (MLR), in which we reviewed a selection of grey literature. Several metrics proposed by professionals to monitor DevSecOps were identified and listed.

    DevSecOps metrics: Learning from academics and professionals

    DevSecOps is an emerging paradigm that breaks the security team silo by bringing security into the DevOps team, adding security practices to the Software Development Lifecycle (SDL) from inception. Security practices in the SDL are important to avoid data breaches, to guarantee compliance with the law, and because organizations have an obligation to protect customer data. This study aims to identify metrics teams can use to measure the effectiveness of DevSecOps implementation inside organizations. To that end, this study was conducted using Design Science Research (DSR) as its research methodology, with the intent of producing an artefact containing the most relevant DevSecOps metrics. A total of nine DevSecOps metrics proposed by professionals and academics were identified and listed in the artefact produced by this study. Interviews were conducted with DevSecOps professionals as a method of evaluating whether the identified metrics were useful. Through the interviews, it was possible to identify the metrics that are being used by professionals and which are the most useful. Interviewees proposed three additional metrics. This study identifies a total of twelve metrics that can be used to measure effectiveness in DevSecOps.

    Over the years, several approaches have been adopted as software development processes, such as the Waterfall model and Agile development. More recently, the term DevOps was introduced; it refers to an approach that joins members of the development and operations teams in the same team, so that there is closer collaboration and knowledge sharing among them, with the goal of delivering the software under development in shorter times, more frequently and with higher quality. DevSecOps is an emerging approach to the software development process that adds members of the security team to the DevOps team, bringing security practices into the software development cycle.
    Security practices are increasingly important in the software development cycle because they aim to avoid data breaches and to verify compliance with the law. Moreover, they have gained extreme importance for organizations, since organizations are obliged to protect their customers' data. This study aims to identify metrics that teams can use to measure the efficiency of the DevSecOps implementation in their organizations. To identify these metrics, this study was carried out using Design Science as its research methodology; this methodology is characterized by being results-oriented research, and it was chosen with the objective of producing an artefact containing the most relevant DevSecOps metrics. It was possible to identify 9 DevSecOps metrics, suggested by professionals and academics in the field, which are listed in the artefact produced by this study. Moreover, interviews were conducted with DevSecOps professionals with the aim of evaluating the usefulness of the metrics. With the help of the interviews, it was possible to identify the metrics used by professionals and to determine the most useful and relevant ones. The interviewees suggested 3 additional metrics, bringing the total to 12 metrics included in this document.

    Revisit security in the era of DevOps: An evidence-based inquiry into DevSecOps industry

    By adopting agile and lean practices, DevOps aims to achieve rapid value delivery by speeding up development and deployment cycles, which, however, leads to more security concerns that cannot be fully addressed by an isolated security role acting only in the final stage of development. DevSecOps promotes security as a shared responsibility integrated into the DevOps process that seamlessly intertwines development, operations, and security from the start to the end of each cycle. While some companies have already begun to embrace this new strategy, both industry and academia are still seeking a common understanding of the DevSecOps movement. The goal of this study is to report the state of the practice of DevSecOps, including the impact of DevOps on security, practitioners' understanding of DevSecOps, the practices associated with DevSecOps, and the challenges of implementing DevSecOps. The authors used a mixed-methods approach for this research: they carried out a grey literature review on DevSecOps and surveyed DevSecOps practitioners in the Chinese industry. The status quo of DevSecOps in industry is summarized. Three major software security risks are identified with DevOps, where the establishment of a DevOps pipeline provides opportunities for security-related activities. The authors classify the interpretations of DevSecOps into three core aspects: DevSecOps capabilities, cultural enablers, and technological enablers. To materialise these interpretations into daily software production activities, the authors recommend DevSecOps practices from three perspectives: people, process, and technology. Although a preliminary consensus is that DevSecOps is regarded as an extension of DevOps, there is a debate on whether DevSecOps is a superfluous term. While DevSecOps is attracting increasing attention from industry, it is still in its infancy and more effort needs to be invested to promote it in both the research and industry communities.

    Using the DevSecOps approach to analyze modern information security threats

    This article presents a study of the use of the DevSecOps approach to analyze modern threats. It defines a methodology to implement and adapt the DevSecOps approach. DevSecOps is presented in this article as an approach to the culture of developing, automating and designing an information platform that integrates security as a shared responsibility throughout the software development lifecycle. The approach described in this article helps to solve the problem of implementing security controls in the software development process. This approach allows organizations to continually integrate security into the SDLC so that DevOps teams can quickly and efficiently develop secure applications. The possibility of implementing security in the workflow at the early stages of software development is investigated, as it will allow security weaknesses and vulnerabilities to be identified and eliminated faster. This concept is part of the "shift left" that moves security testing to developers, allowing them to fix security issues in their code almost in real time, rather than waiting until the end of the SDLC, where security has traditionally been embedded in development environments. The article describes the DevSecOps approach as a set of business processes that minimize the risks associated with modern threats and zero-day vulnerabilities. An analysis of SAST (Static Application Security Testing), DAST (Dynamic Application Security Testing) and SCA (Software Composition Analysis) tools was performed to assess the possibilities of using these technologies to optimize the process of secure software development. The DevSecOps process is presented for organizations that can easily integrate security into their existing practices of continuous integration and continuous delivery (CI/CD).
    The DevSecOps process in this article covers the entire SDLC from planning and design to coding, testing, and release, with continuous real-time feedback, and defines the technical controls of the DevSecOps process in accordance with ISO 27001/02 and NIST standards.

    This article presents a study of the use of the DevSecOps approach to analyze modern threats. A methodology for implementing and adapting the DevSecOps approach is defined. In this article, DevSecOps is presented as an approach to the culture of development, automation and design of an information platform that integrates security as a shared responsibility throughout the entire software development lifecycle. The approach described in this article helps to solve the problem of implementing security controls in the software development process. The defined approach allows an organization to continuously embed security into the SDLC so that DevOps teams can develop secure applications quickly and with high quality. The possibility of introducing security into the workflow at the early stages of software development is investigated, since this will make it possible to identify and eliminate security weaknesses and vulnerabilities faster. This concept is part of the "shift left", which moves security testing to developers, allowing them to fix security problems in their code almost in real time, rather than waiting until the end of the SDLC, where security was anchored in traditional development environments. Business processes for minimizing the risks associated with modern threats and zero-day vulnerabilities within the DevSecOps approach are described. An analysis of SAST (Static Application Security Testing), DAST (Dynamic Application Security Testing) and SCA (Software Composition Analysis) applications was carried out to assess the possible use of these technologies for optimizing the secure application development process. A DevSecOps process is presented for organizations that will be able to easily integrate security into their existing practice of continuous integration and continuous delivery (CI/CD).
    The DevSecOps process in this article covers the entire SDLC from planning and design to coding, building, testing and release, with continuous real-time feedback, and the technical controls of the DevSecOps process are formulated in accordance with ISO 27001/02 and NIST standards.

    DevOps and software quality: a systematic mapping

    Quality pressure is one of the factors affecting software development processes in their various stages. DevOps is one of the proposed solutions to such pressure. The primary focus of DevOps is to increase deployment speed, frequency and quality. DevOps is a mixture of development and operations; owing to its multitudinous ramifications in the software development industry, DevOps has attracted the interest of many researchers. There are considerable numbers of literature surveys on this critical innovation in software development, yet little attention has been given to the impact of DevOps on software quality. This research is aimed at analyzing the implications of DevOps features for software quality. DevOps can also refer to a change in organizational culture aimed at removing the gaps between the development and operations functions of an organization. The adoption of DevOps in an organization provides many benefits, including quality, but also brings challenges to an organization. This study presents a systematic mapping of the impact of DevOps on software quality. The results of this study provide a better understanding of the effect of DevOps on software quality for both professionals and researchers working in this area. The study shows that research was mainly focused on the automation, culture, continuous delivery and fast feedback aspects of DevOps. There is a need for further research in many areas of DevOps (for instance: measurement, development of metrics for different stages to assess its performance, culture, practices toward ensuring quality assurance, and quality factors such as usability, efficiency, software maintainability and portability).
    Keywords: DevOps, development, operations, software, software quality, automation, measurement, systematic mapping

    Automated Data for DevSecOps Programs

    Excerpt from the Proceedings of the Nineteenth Annual Acquisition Research Symposium.
    Automation in DevSecOps (DSO) transforms the practice of building, deploying, and managing software-intensive programs. Although this automation supports continuous delivery and rapid builds, the persistent manual collection of information delays (by weeks) the release of program status metrics and the decisions they are intended to inform. Emerging DSO metrics (e.g., deployment rates, lead times) provide insight into how software development is progressing but fall short of replacing program control metrics for assessing progress (e.g., burn rates against spend targets, integration capability target dates, and schedule for the minimum viable capability release). By instrumenting the (potentially interacting) DSO pipelines and supporting environments, the continuous measurement of status, identification of emerging risks, and probabilistic projections are possible and practical. In this paper, we discuss our research on the information modeling, measurement, metrics, and indicators necessary to establish a continuous program control capability that can keep pace with DSO management needs. We discuss the importance of interactive visualization dashboards for addressing program information needs. We also identify and address the gaps and barriers in the current state of the practice. Finally, we recommend future research needs based on our initial findings.
    Approved for public release; distribution is unlimited.

    What is There About DevOps Assessment? A Systematic Mapping

    DevOps has been established as a framework used by software development companies seeking to set up mechanisms to automate their development processes. Consequently, over the last decade, many companies have adopted DevOps to support their projects' development process and perform continuous improvement tasks to ensure that it is applied correctly. To achieve this, companies are looking for solutions that allow them to evaluate the degree of implementation of DevOps in their internal processes. In this sense, the objective of this study is to identify, through a systematic mapping of the literature, the mechanisms used to assess DevOps in software development companies. Accordingly, the current state of knowledge related to proposed processes, models, techniques, tools, and methodological guides for conducting DevOps assessment is presented. As a result, it is noted that there are multiple methodological solutions that seek to assess DevOps; however, a high degree of heterogeneity was evidenced in the identified solutions, resulting in the need to establish a clear framework that serves as the basis for proposing a generic, structured, and unambiguous DevOps assessment model applicable to software companies.

    A maturity model for DevOps

    Nowadays, businesses aim to respond to customer needs at unprecedented speed. Thus, many companies are rushing to the DevOps movement. DevOps is the combination of Development and Operations and a new way of thinking in the software engineering domain. However, no common understanding of what it means has yet been achieved. Also, no adoption models or fine-grained maturity models to assist DevOps maturation and implementation were identified. Therefore, this research attempts to fill these gaps. A systematic literature review is performed to identify the determining factors contributing to the implementation of DevOps, including the main capabilities and areas in which it evolves. Then, two sets of interviews with DevOps experts were performed and their experience was used to build the DevOps Maturity Model. The DevOps Maturity Model was thus developed grounded on both scientific and professional viewpoints. Once developed, the Maturity Model was demonstrated in a real organisation.

    Metrics Model to Complement the Evaluation of DevOps in Software Companies

    This article presents a model to complement the evaluation of DevOps in software companies. It was designed by harmonizing the elements of the DevOps process identified through a systematic mapping of the literature, which aimed to establish the state of the art of methodological solutions and tools for evaluating DevOps in the industry. The process elements were identified, compared, and integrated into a common process structure that was used to establish a total of 11 metrics using the Goal-Question-Metric approach. The model was evaluated by a focus group of expert DevOps professionals. They determined that the model is clear, easy to apply, and provides valuable information to companies to improve their DevOps practices.