243 research outputs found

    DevOps in an ISO 13485 Regulated Environment: A Multivocal Literature Review

    Background: Medical device development projects must follow proper directives and regulations to be able to market and sell the end-product in their respective territories. The regulations describe requirements that seem to be opposite to efficient software development and short time-to-market. As agile approaches, like DevOps, are becoming more and more popular in software industry, a discrepancy between these modern methods and traditional regulated development has been reported. Although examples of successful adoption in this context exist, the research is sparse. Aims: The objective of this study is twofold: to review the current state of DevOps adoption in regulated medical device environment; and to propose a checklist based on that review for introducing DevOps in that context. Method: A multivocal literature review is performed and evidence is synthesized from sources published between 2015 and March of 2020 to capture the opinions of experts and community in this field. Results: Our findings reveal that adoption of DevOps in a regulated medical device environment such as ISO 13485 has its challenges, but potential benefits may outweigh those in areas such as regulatory, compliance, security, organizational and technical. Conclusion: DevOps for regulated medical device environments is a highly appealing approach as compared to traditional methods and could be particularly suited for regulated medical development. However, an organization must properly anchor a transition to DevOps in top-level management and be supportive in the initial phase utilizing professional coaching and space for iterative learning; as such an initiative is a complex organizational and technical task. Comment: ACM / IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM '20), October 8-9, 2020, Bari, Italy

    Integration of security standards in DevOps pipelines: An industry case study

    In the last decade, companies adopted DevOps as a fast path to deliver software products according to customer expectations, with well aligned teams and in continuous cycles. As a basic practice, DevOps relies on pipelines that simulate factory swim-lanes. The more automation in the pipeline, the shorter a lead time is supposed to be. However, applying DevOps is challenging, particularly for industrial control systems (ICS) that support critical infrastructures and that must obey rigorous requirements from security regulations and standards. Current research on security compliant DevOps presents open gaps for this particular domain and in general for systematic application of security standards. In this paper, we present a systematic approach to integrate standard-based security activities into DevOps pipelines and highlight their automation potential. Our intention is to share our experiences and help practitioners to overcome the trade-off between adding security activities into the development process and keeping a short lead time. We conducted an evaluation of our approach at a large industrial company considering the IEC 62443-4-1 security standard that regulates ICS. The results strengthen our confidence in the usefulness of our approach and artefacts, and in that they can support practitioners to achieve security compliance while preserving agility including short lead times.

    Towards secure software development at Neste - a case study

    Software development industry has been revolutionized through adoption of software development methods such as DevOps. While adopting DevOps can speed up development through collaborative culture between development and operations teams, speed-driven adoption can have an adverse impact on security aspects. DevSecOps is a concept that focuses on embedding security culture and activities into DevOps. Another contributing factor to the more agile development landscape is the widespread adoption of open source components. However, the risk of putting too much trust into the open source ecosystem has resulted in a whole new set of security issues that have not yet been adequately addressed by the industry. This thesis is commissioned by Neste Corporation. The company has set an initiative to incorporate methods that enable better transparency, agility, and security into their software development projects. This thesis collects research data on secure software development practices by combining findings of a literature review with a case study. The qualitative case study is done by interviewing eight stakeholders from four different software development teams. The literature review shows that securing software is very much an ongoing effort, especially in the open source ecosystem. Therefore, it might not be surprising that the results from the case study revealed multiple shortcomings on the subject matter despite obvious efforts from the participating teams. As a result, this thesis presents potential ideas for the case company to consider integrating into their software development projects in order to kickstart their secure software development journey.

    Challenges of DevSecOps

    Software development speed has significantly increased in recent years with methodologies like Agile and DevOps that use automation, among other techniques, to enable continuous delivery of new features and software updates to the market. This increased speed has given rise to concerns over guaranteeing security at such a pace. To improve security in today’s fast-paced software development, DevSecOps was created as an extension of DevOps. This thesis focuses on the experiences and challenges of organizations and teams striving to implement DevSecOps. We first view our concepts through existing literature. Then, we conduct an online survey of 37 professionals from both security and development backgrounds. The results present the participants’ overall sentiments towards DevSecOps and the challenges they struggle with. We also investigate what kind of solutions have been tried to mitigate these issues and if these solutions have indeed worked.

    Remote and agile improvement of industrial control and safety systems processes

    Digitalization and remote operations introduce new possibilities for continuous and agile improvements of products in operation by exploiting inherent possibilities in software which is easily changeable and deployable. This approach is driven by data analysis, customer expectations and the possibility of frequent deployment over the air of improved software. Adding functionality into software, combined with connectivity to products, opens possibilities for manufacturers and operators, enabling new features and new operational models. This has also become relevant for regulated environments like industrial control and safety systems used in critical infrastructures. Adapted agile processes like SafeScrum and DevOps may be used to achieve continuous improvement. They enable speed and a continuum between development, maintenance and operation. For instance, experience and data from operation on new cybersecurity threats, must be fed back to the maintenance process to be resolved fast. Hence, the DevOps concept, which is imperative in non-safety domains, is now highly relevant in regulated environments as well. The speed of this process is vital where in particular cybersecurity threats must be resolved fast to avoid safety threats. The Agile Safety Case is an enabler of ensuring structured proof of compliance of safety performance for the involved stakeholders. This paper proposes a solution for a safety case which may be applied for continuous product improvements during operation considering safety as well as security. The solution involves the relevant stakeholders and results in a shift in responsibilities.

    Critical success factors for integrating security into a DevOps environment

    Integrating security into a DevOps environment, also known as DevSecOps, can allow organisations to deliver more secure applications and services faster to market. While many publications address the theoretical benefits and challenges of security integration, there is a lack of practical insight to guide organisations towards a successful integration. As a result, many organisations fail to achieve DevSecOps due to the historical differences that hinder collaboration between teams. This study investigates the critical success factors for DevSecOps integration using a case study approach. Semi-structured interviews were held with eight senior staff members directly involved in establishing DevSecOps integration within a large organisation. Thematic analysis of data across three categories (people, processes, and technology) identified eight major themes: executive support, security champions, security training, way-of-working, governance framework, secure pipeline, automation, and technology. Based on these findings a framework is proposed to inform and guide organisations on DevSecOps integration.

    An Analysis of Multi-domain Command and Control and the Development of Software Solutions through DevOps Toolsets and Practices

    Multi-Domain Command and Control (MDC2) is the exercise of command and control over forces in multiple operational domains (namely air, land, sea, space, and cyberspace) in order to produce synergistic effects in the battlespace, and enhancing this capability has become a major focus area for the United States Air Force (USAF). In order to meet demands for MDC2 software, solutions need to be acquired and/or developed in a timely manner, information technology infrastructure needs to be adaptable to new software requirements, and user feedback needs to drive iterative updates to fielded software. In commercial organizations, agile software development methodologies and concepts such as DevOps have been implemented to meet these demands. However, the USAF has been slow to adopt modern agile software development concepts such as DevOps in favor of traditional software development lifecycles and large contracts that can go nearly a decade without any value being released to the users. This work explores MDC2 software use cases and aims to show that MDC2 software can be successfully developed using modern agile software development practices in a timely manner.