Implementing Secure DevOps assessment for highly regulated environments

Yaşar, Hasan

doi:10.1145/3098954.3105819

Cited by 8 publications

(5 citation statements)

References 3 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Only some articles such as those by Lwakatare, 16 Smeds, 17 and Jones 18 have been written to show how organizations have adopted DevOps or continuous delivery and describe different challenges, which include (1) the redesign of systems toward continuous delivery, (2) the way DevOps is deployed in an organization, (3) the quality assessment of DevOps practices in organizations, and (4) the qualification of engineers for DevOps practice. Some other papers, as those published by Bobrov, 19 Yasar, 20 or Airaj, 21 revolve around the definition of concepts in the academic area, as they show the basics of DevOps and give insights about possible implementation curricula. When it comes to training DevOps practices, there is not much research done according to Leite et al 15 Moreover, according to these authors, there is a clear need of research regarding the training of operation topics in software engineers courses, as the adoption of DevOps is greatly conditioned by the level skill of the stakeholders.…”

Section: Related Workmentioning

confidence: 99%

DevOps: Is there a gap between education and industry?

Sánchez‐Cifo

Bermejo

Navarro

2023

J Software Evolu Process

View full text Add to dashboard Cite

DevOps has been identified by industry as one of the cornerstones of their development process. It is not just a set of tools but a set of principles and practices to build an efficient team improving the communication and collaboration. Its importance has greatly impacted even hiring processes being DevOps Engineer among the most recruited jobs according to LinkedIn. But it is not clear whether universities have noticed the magnitude this movement has attained in industry, despite the need of higher education and industry building up advances together. This led us to determine whether there is a gap between the training provided by higher education and the one expected from industry. For this aim, a questionnaire, defined after a careful review of the literature, has been run worldwide to answer the four research questions. The analysis arose several conclusions, such as higher prevalence of use than of training for most of the analyzed technological practices, except for those related to architecture, probably due to the migration cost these require. It was also found that the two practices with higher prevalence in industry, feedback and limit‐WIP, are scarcely trained in higher education. These conclusions provide interesting advice for future adaptations of computer science degrees.

show abstract

Section: Related Workmentioning

confidence: 99%

DevOps: Is there a gap between education and industry?

Sánchez‐Cifo

Bermejo

Navarro

2023

J Software Evolu Process

View full text Add to dashboard Cite

show abstract

“…In general, publications, that refer to DevOps and regulations-based security, are scarce. Authors explore security in regulated environments [30,19] and where to introduce security activities in DevOps [31,12]. However DevSecOps compliant with a particular standard or domain is still missing.…”

Section: Devsecops and Security Standardsmentioning

confidence: 99%

“…While DevOps was originally conceptualized for IT companies, industrial companies have started as well to embrace DevOps practices [1,5]. However, there are yet several challenges to overcome before DevOps can be largely applied in highly regulated domains with high demand for quality attributes, in particular security [30].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Integration of Security Standards in DevOps Pipelines: An Industry Case Study

Constante

Soares

Pinto-Albuquerque

et al. 2020

Lecture Notes in Computer Science

View full text Add to dashboard Cite

In the last decade, companies adopted DevOps as a fast path to deliver software products according to customer expectations, with well aligned teams and in continuous cycles. As a basic practice, DevOps relies on pipelines that simulate factory swim-lanes. The more automation in the pipeline, the shorter a lead time is supposed to be. However, applying DevOps is challenging, particularly for industrial control systems (ICS) that support critical infrastructures and that must obey to rigorous requirements from security regulations and standards. Current research on security compliant DevOps presents open gaps for this particular domain and in general for systematic application of security standards. In this paper, we present a systematic approach to integrate standard-based security activities into DevOps pipelines and highlight their automation potential. Our intention is to share our experiences and help practitioners to overcome the trade-off between adding security activities into the development process and keeping a short lead time. We conducted an evaluation of our approach at a large industrial company considering the IEC 62443-4-1 security standard that regulates ICS. The results strengthen our confidence in the usefulness of our approach and artefacts, and in that they can support practitioners to achieve security compliance while preserving agility including short lead times.

show abstract

“…In this work, we approach one of the several issues for agile and DevOps: security automation in continuous integration (cI) pipelines. In our experience from Finance, Health, and critical Infrastructure industries, development teams are urged by regulators to involve security activities in their development processes [10], [11]. This implies that CI pipelines should include checks to identify a set of security issues.…”

Section: Introductionmentioning

confidence: 99%

Enterprise-Driven Open Source Software: A Case Study on Security Automation

Angermeir

Voggenreiter

Moyón

et al. 2021

2021 IEEE/ACM 43rd International Conference on Software Engineering: Software Engineering in Practice (ICSE-SEIP)

View full text Add to dashboard Cite

Agile and DevOps are widely adopted by the industry. Hence, integrating security activities with industrial practices, such as continuous integration (CI) pipelines, is necessary to detect security flaws and adhere to regulators' demands early.In this paper, we analyze automated security activities in CI pipelines of enterprise-driven open source software (OSS). This shall allow us, in the long-run, to better understand the extent to which security activities are (or should be) part of automated pipelines. In particular, we mine publicly available OSS repositories and survey a sample of project maintainers to better understand the role that security activities and their related tools play in their CI pipelines. To increase transparency and allow other researchers to replicate our study (and to take different perspectives), we further disclose our research artefacts. Our results indicate that security activities in enterprise-driven OSS projects are scarce and protection coverage is rather low. Only 6.83% of the analyzed 8,243 projects apply security automation in their CI pipelines, even though maintainers consider security to be rather important. This alerts industry to keep the focus on vulnerabilities of 3rd Party software and it opens space for other improvements of practice which we outline in this manuscript.

show abstract

Implementing Secure DevOps assessment for highly regulated environments

Cited by 8 publications

References 3 publications

DevOps: Is there a gap between education and industry?

DevOps: Is there a gap between education and industry?

Integration of Security Standards in DevOps Pipelines: An Industry Case Study

Enterprise-Driven Open Source Software: A Case Study on Security Automation

Contact Info

Product

Resources

About