2022 2nd International Mobile, Intelligent, and Ubiquitous Computing Conference (MIUCC) 2022
DOI: 10.1109/miucc55081.2022.9781709

DevSecOps: A Security Model for Infrastructure as Code Over the Cloud

Cited by 10 publications (6 citation statements)
References 8 publications

“…Organizational and management system DevSecOps is a logical continuation of the current scheme of software-digital production DevOps, with the above described system of safety testing (in various modes) integrated into the processes of software products production, which allows to obtain in conjunction with more complete (compared to DevOps) production communication management system between the key participants of software-digital engineering and production cycle - Figure 3 [23][24][25][26][27][28]. Analysis of relevant scientific papers and publications on the device and system of DevSecOps methodology functioning, such as R. N. Rajapakse [29] (system information and analytical review on the device of DevSecOps methodology and the problems of software-digital production transition from DevOps to the integration of the logical security-free section in the generalized concept of transition to DevSecOps), A. Ibrahim [30] (research and development of proposals for implementing DevSecOps in a modular solution (using cloud services) in DevOps-based digital production process), A. Landry [31] (analyzing the experience of implementing DevSecOps-based security tools and building an internal secure data transmission system in service communications for the US Department of Defense - DARPA Secure Handhelds on Assured Resilient networks at the tactical Edge (SHARE)), N. Harshitha [32] (analyzing the integration of DevSecOps security tools in Cloud Computing technologies), M. Orosz [33] (application of DevSecOps organizational and management system in the space industry), A. Schwan-Gijima [34] (information and analytical review regarding the device and methods for implementing DevSecOps security tools and blocks in software-digital production processes), Y. Malhotra [35] (study of the problems of implementing IaC, DevSecOps and MLops security tools in hybrid cloud computing with zero-trust beyond "lift and carry"), M. Ekoramaradhya [36] (study of the possibility of applying security tools for implementation in digital Internet of Things (IoT) protection protocols), allows to formulate a generalized system-wide view of the structure of the studied organizational and management system. According to the results of the conducted multi-literature search, we conclude that the methodology DevSecOps is a generalized closed-loop scheme of sequential stages of software-digital engineering and production (from planning a software product to its release), in which the main logical competent groups (developers, operators, administrators and testers) are linked by an optimized communication network, allowing with lower resource and time costs to obtain a stable and secure software product.…”
Section: Results (mentioning)
confidence: 99%
“…In our study, we investigate security vulnerabilities in infrastructure components. In the literature, researchers actively study the security of infrastructure as Code [17,18,19,20]. In their investigations, practitioners rely on tools for testing infrastructure security [21].…”
Section: Static Detection Of Bugs (mentioning)
confidence: 99%
“…In the literature, several security analyses have been conducted on IaC projects [17,18,19,20]. However, these studies are generally limited.…”
Section: Static Application Security Testing (mentioning)
confidence: 99%
“…To manage the high feature set of computing capacity under this paradigm, which is sometimes referred to as "Sky computing," infrastructure solutions like cloud orchestrators have emerged. The topology and orchestration specification for cloud applications (TOSCA) standard and the tools that have been cited the most in the literature - cloudify, heat, cloud formation, terraform, and cloud assembly - are both examined in this paper [3]. It was demonstrated through a practical experiment and a review of the literature in [3] that terraform and cloudify are well-suited for use in sky computing scenarios.…”
Section: Introduction (mentioning)
confidence: 99%
“…The topology and orchestration specification for cloud applications (TOSCA) standard and the tools that have been cited the most in the literature - cloudify, heat, cloud formation, terraform, and cloud assembly - are both examined in this paper [3]. It was demonstrated through a practical experiment and a review of the literature in [3] that terraform and cloudify are well-suited for use in sky computing scenarios. In the trial, terraform outperformed cloudify in a number of areas.…”
Section: Introduction (mentioning)
confidence: 99%