
    Report from GI-Dagstuhl Seminar 16394: Software Performance Engineering in the DevOps World

    This report documents the program and the outcomes of GI-Dagstuhl Seminar 16394 "Software Performance Engineering in the DevOps World". The seminar addressed the problem of performance-aware DevOps. Both DevOps and performance engineering have been growing trends over the past one to two years, in no small part due to the rise in importance of identifying performance anomalies in the operations (Ops) of cloud and big data systems and feeding these back to the development (Dev). However, so far, the research community has treated software engineering, performance engineering, and cloud computing mostly as individual research areas. We aimed to identify cross-community collaboration, and to set the path for long-lasting collaborations towards performance-aware DevOps. The main goal of the seminar was to bring together young researchers (PhD students in a later stage of their PhD, as well as PostDocs or Junior Professors) in the areas of (i) software engineering, (ii) performance engineering, and (iii) cloud computing and big data to present their current research projects, to exchange experience and expertise, to discuss research challenges, and to develop ideas for future collaborations.

    A Framework of DevSecOps for Software Development Teams

    This master's thesis explores a broad evaluation of automated security testing in the context of DevOps practices. The primary objective of this study is to propose a framework that facilitates the seamless integration of security scanning tools within DevOps practices. The thesis will focus on examining the existing set of tools and their effective integration into fully automated DevOps CI/CD pipelines. The thesis starts by examining the theoretical concepts of DevOps and provides guidelines for integrating security within DevOps methodologies. Furthermore, it assesses the current state of security by analysing the OWASP Web API top 10 security vulnerability list and evaluating existing security automation tools. Additionally, the research investigates the performance and efficacy of these tools across various stages of the SDLC and investigates ongoing research and development activities. A fully automated DevOps CI/CD pipeline is implemented to integrate security scanning tools, enforcing complete security checks throughout the SDLC. Azure DevOps build and release pipelines, along with Snyk, were used to create a comprehensive automated security scanning framework. The study considerably investigates the integration of these security scanning tools and assesses their influence on the overall security posture of the developed applications. The finding of the study reveals that security scanning tools can be efficiently integrated into fully automated DevOps practices. Based on the results, recommendations are provided for the selection of suitable tools and techniques to achieve a DevSecOps practice. In conclusion, this thesis provides valuable insights into security integration in DevOps practices, highlighting the effectiveness of security automation tools. The research also recommends areas for further improvements to meet the industry's evolving requirements.

    Automated software security activities in a continuous delivery pipeline

    Due to the rise of cyberattacks in IT companies, software security has become a topic for debate. Currently, to secure their products, companies often use manual methods, which makes development stalled and inefficient. To speed up a software development lifecycle, security work needs to be integrated and automated into the development process. This thesis will provide an initial solution for automating the security phase into a continuous software delivery process. This solution involves integrating security tools into a GitHub repository by using GitHub Actions to create automated vulnerability scanning workflows for a software project. The solution will then be tested and evaluated with three open-source projects and one project from our sponsor, Volue.

    Continuous and secure integration framework for smart contracts

    Recently, smart contract development has boomed owing to the interest that cryptocurrencies have generated in blockchain technology. Thanks to this interest, researchers have found different uses for smart contracts. As a result, the security problems that have arisen with multiple contracts, and the problems they can cause, have become evident. We therefore decided to evaluate current DevOps schemes in order to adapt them to a working model compatible with smart contracts. Following multiple studies carried out by other researchers on specific phases, we identified the shortcomings of DevOps for smart contracts. Considering the information we collected, we worked on defining the phases and the activities that should go in them. The result is a proposed adaptable framework with all the steps to consider during smart contract development. In addition, the framework is tested using technologies to demonstrate its feasibility.
    Master's degree: Magister en Ingeniería de Sistemas y Computació

    A systematic literature review on DevOps capabilities and areas

    Businesses today need to respond to customer needs at an unprecedented speed. Driven by this need for speed, many companies are rushing to the DevOps movement. DevOps, the combination of Development and Operations, is a new way of thinking in the software engineering domain that recently received much attention. Since DevOps has recently been introduced as a new term and novel concept, no common understanding of what it means has yet been achieved. Therefore, the definitions of DevOps often are only partly relevant to the concept. This research presents a systematic literature review to identify the determining factors contributing to the implementation of DevOps, including the main capabilities and areas with which it evolves.

    Empirical evaluation of information security risk assessment framework GBM-OA

    The importance of information security is rapidly increasing as new security breaches are continuously reported by companies and organizations. These breaches cause loss of confidentiality, reputation and revenue for companies and organizations. They can also incur legal penalties due to lack of information security. To improve information security, companies and organizations are required to conduct assessments and audits of their systems to make sure that they do not have open critical vulnerabilities. In addition, information security risks need to be evaluated as part of companies' and organizations' risk management to prepare against possible attackers. Multiple different information security risk assessment frameworks have been developed to help companies and organizations conduct information security risk assessment. To find out which framework is suitable for their needs, management needs to compare the different frameworks, estimate how much time and how many people are available for the assessment, and how the frameworks have worked previously in the context. In this thesis, the suitability of the genre-based security risk assessment framework GBM-OA is evaluated in the context of a centralized CI/CD environment. A canonical action research was conducted in a team providing a centralized CI/CD solution for the company's projects. In the study, an information security risk assessment was conducted using GBM-OA, and after the assessment semi-structured interviews were conducted with the participants to find out if the framework was suitable in the context. The findings show that the framework provided sufficient results for the team without taking much time from the participants. Additionally, participants found value in the definition of the environment, which helps the team to understand how responsibilities are split among different stakeholders. Downsides were the confusing terminology used in the framework, and filling in the templates was found compelling.
    As for suitability, it was found that the framework is not suitable in the context as it is. Participants did not like that the assessment should be done separately; instead, it should be integrated into the automation or development cycle. Right now, there are no instructions regarding integration or iteration, even though it is stated that it is possible. Participants also provided improvement suggestions to add a step to the framework for risk impact definition.

    DevOps and information technology service management: A problem management case study

    The use of DevOps is a predominant attribute of businesses engaged in the development and maintenance of Information Technology systems. Although literature exploring DevOps practices has expanded, there is still much unexplored territory on its operational ramifications. This is particularly observed when considering their potential impact on ITSM frameworks such as ITIL, which governs Operations. This research aims to establish how DevOps principles and practices can be applied to Problem Management, a core Service Management process. Specifically, it explores which DevOps practices may be used throughout the Problem lifecycle, as well as benefits which may result from them. An exploratory case study was carried out with the participation of Problem Managers operating in a DevOps environment. Three data collection methods were applied: semi-structured interviews, in which participants described their experience and insight in relation to DevOps and Problem Management; documental analysis and observation, where processes and workflows were examined; and a focus group exercise in which study outcomes were discussed and systematized. This research indicates that DevOps practices have varying degrees of significance for a Problem Management process. Practices associated with continuous planning and collaboration are prone to having greater significance in a Problem lifecycle, with the potential of enabling benefits such as quicker Problem identification, higher quality Root Cause Analysis, and improved resolution times. The novelty of insight gathered in this study benefits both academics, through its contribution to an expanding body of knowledge, and professionals, considering the practical and applicable nature of findings. Future work is also presented.

    The use of DevOps methodologies is today a predominant characteristic of organizations involved in the development and maintenance of Information Technology systems. Despite the growing body of literature examining DevOps practices, much territory remains unexplored regarding their ramifications at the operational level. This is particularly notable when considering potential interactions with ITSM frameworks such as ITIL, which govern Operations. This research aims to establish which DevOps principles and practices can be applied to Problem Management, a core Service Management process. Specifically, we explore which DevOps practices can be used throughout the lifecycle of a Problem, as well as what benefits may result from their application. An exploratory case study was carried out with the participation of Problem Managers operating in a DevOps environment. Three data collection methods were applied: semi-structured interviews, in which participants described their experience and knowledge regarding DevOps and Problem Management; documentary analysis and observation, in which operational processes were examined; and a group discussion in which the study's results were discussed and systematized. This investigation indicates that DevOps practices have varying levels of significance for a Problem Management process. Practices associated with continuous planning and collaboration tend to have greater significance in the lifecycle of a Problem, with the potential to generate benefits such as faster Problem identification, higher-quality root cause analysis, and improved resolution times. The conclusions presented in this study bring benefits both to academics, expanding the available body of knowledge on the topic, and to practitioners, considering their practical and applicable nature. Directions for future work are also presented.