An Analysis of Multi-domain Command and Control and the Development of Software Solutions through DevOps Toolsets and Practices

Multi-Domain Command and Control (MDC2) is the exercise of command and control over forces in multiple operational domains (namely air, land, sea, space, and cyberspace) in order to produce synergistic effects in the battlespace, and enhancing this capability has become a major focus area for the United States Air Force (USAF). In order to meet demands for MDC2 software, solutions need to be acquired and/or developed in a timely manner, information technology infrastructure needs to be adaptable to new software requirements, and user feedback needs to drive iterative updates to fielded software. In commercial organizations, agile software development methodologies and concepts such as DevOps have been implemented to meet these demands. However, the USAF has been slow to adopt modern agile software development concepts such as DevOps in favor of traditional software development lifecycles and large contracts that can go nearly a decade without any value being released to the users. This work explores MDC2 software use cases and aims to show that MDC2 software can be successfully developed using modern agile software development practices in a timely manner

Collaborative Application Security Testing for DevSecOps: An Empirical Analysis of Challenges, Best Practices and Tool Support

DevSecOps is a software development paradigm that places a high emphasis on the culture of collaboration between developers (Dev), security (Sec) and operations (Ops) teams to deliver secure software continuously and rapidly. Adopting this paradigm effectively, therefore, requires an understanding of the challenges, best practices and available solutions for collaboration among these functional teams. However, collaborative aspects related to these teams have received very little empirical attention in the DevSecOps literature. Hence, we present a study focusing on a key security activity, Application Security Testing (AST), in which practitioners face difficulties performing collaborative work in a DevSecOps environment. Our study made novel use of 48 systematically selected webinars, technical talks and panel discussions as a data source to qualitatively analyse software practitioner discussions on the most recent trends and emerging solutions in this highly evolving field. We find that the lack of features that facilitate collaboration built into the AST tools themselves is a key tool-related challenge in DevSecOps. In addition, the lack of clarity related to role definitions, shared goals, and ownership also hinders Collaborative AST (CoAST). We also captured a range of best practices for collaboration (e.g., Shift-left security), emerging communication methods (e.g., ChatOps), and new team structures (e.g., hybrid teams) for CoAST. Finally, our study identified several requirements for new tool features and specific gap areas for future research to provide better support for CoAST in DevSecOps.Comment: Submitted to the Empirical Software Engineering journal_v

Report from GI-Dagstuhl Seminar 16394: Software Performance Engineering in the DevOps World

This report documents the program and the outcomes of GI-Dagstuhl Seminar 16394 "Software Performance Engineering in the DevOps World". The seminar addressed the problem of performance-aware DevOps. Both, DevOps and performance engineering have been growing trends over the past one to two years, in no small part due to the rise in importance of identifying performance anomalies in the operations (Ops) of cloud and big data systems and feeding these back to the development (Dev). However, so far, the research community has treated software engineering, performance engineering, and cloud computing mostly as individual research areas. We aimed to identify cross-community collaboration, and to set the path for long-lasting collaborations towards performance-aware DevOps. The main goal of the seminar was to bring together young researchers (PhD students in a later stage of their PhD, as well as PostDocs or Junior Professors) in the areas of (i) software engineering, (ii) performance engineering, and (iii) cloud computing and big data to present their current research projects, to exchange experience and expertise, to discuss research challenges, and to develop ideas for future collaborations

A Framework of DevSecOps for Software Development Teams

This master's thesis explores a broad evaluation of automated security testing in the context of DevOps practices. The primary objective of this study is to propose a framework that facilitates the seamless integration of security scanning tools within DevOps practices. The thesis will focus on examining the existing set of tools and their effective integration into fully automated DevOps CI/CD pipelines. The thesis starts by examining the theoretical concepts of DevOps and provides guidelines for integrating security within DevOps methodologies. Furthermore, it assesses the current state of security by analysing the OWASP Web API top 10 security vulnerability list and evaluating existing security automation tools. Additionally, the research investigates the performance and efficacy of these tools across various stages of the SDLC and investigates ongoing research and development activities. A fully automated DevOps CI/CD pipeline is implemented to integrate security scanning tools, enforcing complete security checks throughout the SDLC. Azure DevOps build and release pipelines, along with Snyk, were used to create a comprehensive automated security scanning framework. The study considerably investigates the integration of these security scanning tools and assesses their influence on the overall security posture of the developed applications. The finding of the study reveals that security scanning tools can be efficiently integrated into fully automated DevOps practices. Based on the results, recommendations are provided for the selection of suitable tools and techniques to achieve a DevSecOps practice. In conclusion, this thesis provides valuable insights into security integration in DevOps practices, highlighting the effectiveness of security automation tools. The research also recommends areas for further improvements to meet the industry's evolving requirements

Towards a Secure DevOps Approach for Cyber-Physical Systems: An Industrial Perspective

Peer reviewe

Automated software security activities in a continuous delivery pipeline

Due to the rise of cyberattacks in IT companies, software security has become a topic for debate. Currently, to secure their products, companies often use manual methods, which makes development stalled and inefficient. To speed up a software development lifecycle, security work needs to be integrated and automated into the development process. This thesis will provide an initial solution for automating the security phase into a continuous software delivery process. This solution involves integrating security tools into a Github repository by using Github Actions to create automated vulnerability scanning workflows for a software project. The solution will then be tested and evaluated with three open-source projects and one project from our sponsor, Volue

Continuous Security Testing:A Case Study on Integrating Dynamic Security Testing Tools in CI/CD Pipelines

Continuous Integration (CI) and Continuous Delivery (CD) have become a well-known practice in DevOps to ensure fast delivery of new features. This is achieved by automatically testing and releasing new software versions, e.g. multiple times per day. However, classical security management techniques cannot keep up with this quick Software Development Life Cycle (SDLC). Nonetheless, guaranteeing high security quality of software systems has become increasingly important. The new trend of DevSecOps aims to integrate security techniques into existing DevOps practices. Especially, the automation of security testing is an important area of research in this trend. Although plenty of literature discusses security testing and CI/CD practices, only a few deal with both topics together. Additionally, most of the existing works cover only static code analysis and neglect dynamic testing methods. In this paper, we present an approach to integrate three automated dynamic testing techniques into a CI/CD pipeline and provide an empirical analysis of the introduced overhead. We then go on to identify unique research/technology challenges the DevSecOps communities will face and propose preliminary solutions to these challenges. Our findings will enable informed decisions when employing DevSecOps practices in agile enterprise applications engineering processes and enterprise security