Software Security Activities that Support Incident Management in Secure DevOps

Jaatun, Martin Gilje

doi:10.1145/3230833.3233275

Cited by 14 publications

(16 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…DevOps is usually allied with cloud implementations which help deploy security integration and carry out penetration tests between applications. 80,81 Nowadays, cloud providers offer services that promote the usage of DevOps, in which a security model for their customers is ensured. 82 As discussed earlier, DevOps is not only focused on automating processes and improved performance, but also on cross team collaboration and interaction between people.…”

Section: Ta B L Ementioning

confidence: 99%

DevOps benefits: A systematic literature review

et al. 2022

View full text Add to dashboard Cite

Among current IT work cultures, DevOps stands out as one of the most adopted worldwide. The focus of this culture is on bridging the gap between development and operations teams, enabling collaborative effort toward quickly producing software, without sacrificing its quality and support. DevOps is used to tackle a variety of issues; as such, there are differing benefits reported by authors when performing their analysis. For this research, we aim to reach consensus on the DevOps benefits reported in existing literature. To accomplish this objective, two systematic literature reviews. The first intends to find all benefits reported in the literature, while the second review will be used to map the benefits found in the first one with DevOps implementation case studies, providing empirical evidences of each benefit. To strengthen the results, the concept‐centric approach is used. During this research it was possible to observe that the most reported benefits are aligned with the DevOps premises of better collaboration between developers and operators, delivering software and products quicker. Based on DevOps implementation case studies, most reported benefits include a faster time to market as well as improvements in synergy and automation. Less reported benefits include a reduction in failed changes and security issues.

show abstract

Section: Ta B L Ementioning

confidence: 99%

DevOps benefits: A systematic literature review

et al. 2022

View full text Add to dashboard Cite

show abstract

“…Challenge of unrestricted collaboration [20], [23], [58], [79] CH12 Using unsuitable performance metrics for security evaluation [2], [69], [78], [79] CH13 Abundance of information is a serious threat to secure data [60], [62], [80] CH14 Use of immature automated deployment tools [61], [81], [82] CH15 Inadequate channel to monitor the collaboration of teams [52], [53], [71], [79]…”

Section: Ch11mentioning

confidence: 99%

“…Proper trainings and meeting sessions should be conducted to improve the expertise of teams. The capabilities to support and encourage team members by leadership to control the abundance of information causing problems to secure data[60,62,80] will process DevOps smoothly.The other frequently occurred challenge in an organization to secure DevOps activities is immature automated deployment tools[61,81,82], due to lack of testing knowledge. The DevOps team must corporate with security team to measure such challenging factors.…”

mentioning

confidence: 99%

Prioritization Based Taxonomy of DevOps Security Challenges Using PROMETHEE

Rafi

Akbar

et al. 2020

IEEE Access

View full text Add to dashboard Cite

DevOps is a combination of collaborative and multidisciplinary efforts of an organization to control continuous delivery and updates of new software while guaranteeing their reliability and correctness. In the software industry, the implementation of DevOps (development and operations units) faces many challenges that are specifically associated with the security. This study aims to develop a prioritization based taxonomy of DevOps security challenges using PROMETHEE-II approach. The total of eighteen DevOps security challenges were extracted from the literature and were further evaluated with experts using questionnaire survey study. In the third stage, multi criteria decision making PROMETHEE-II approach was used to prioritize and develop the taxonomy of identified factors and their categories. The implications of PROMETHEE-II approach are novel in this research domain as it has been used successfully in various other domains e.g. medical, banking, internet techniques and management etc. The contribution of this study is not limited to develop the taxonomy based structure of DevOps security challenges, but also the proper prioritization of these challenges by introducing PROMETHEE-II approach in the research field of DevOps. The study results will assist the practitioners to remove the uncertainty and vagueness in the opinion of DevOps experts to secure DevOps implementation for better and continuous software development process.

show abstract

“…A number of studies [40]- [45] have explicitly studied the management of NFRs in a CSE context; however, none of them focus on the associated lack of shared understanding. Feitelson describes how Facebook uses an open source tool, Perflab, to provide metrics which Facebook monitors to evaluate the PERFORMANCE of their system [43].…”

Section: Continuous Software Engineeringmentioning

confidence: 99%

“…For software SECURITY, Jaatun argues that proper attention to incident management, including involding and educating developers, can help alleviate SECURITY issues in CSE [40]; although this is strictly for SECURITY and is primarily focused on the Building Security In Maturity Model [46].…”

Section: Continuous Software Engineeringmentioning

confidence: 99%

The Lack of Shared Understanding of Non-Functional Requirements in Continuous Software Engineering: Accidental or Essential?

Werner¹,

Li²,

Ernst³

et al. 2020

Preprint

View full text Add to dashboard Cite

Building shared understanding of requirements is key to ensuring downstream software activities are efficient and effective. However, in continuous software engineering (CSE) some lack of shared understanding is an expected, and essential, part of a rapid feedback learning cycle. At the same time, there is a key trade-off with avoidable costs, such as rework, that come from accidental gaps in shared understanding. This tradeoff is even more challenging for non-functional requirements (NFRs), which have significant implications for product success. Comprehending and managing NFRs is especially difficult in small, agile organizations. How such organizations manage shared understanding of NFRs in CSE is understudied. We conducted a case study of three small organizations scaling up CSE to further understand and identify factors that contribute to lack of shared understanding of NFRs, and its relationship to rework. Our in-depth analysis identified 41 NFR-related software tasks as rework due to a lack of shared understanding of NFRs. Of these 41 tasks 78% were due to avoidable (accidental) lack of shared understanding of NFRs. Using a mixed-methods approach we identify factors that contribute to lack of shared understanding of NFRs, such as the lack of domain knowledge, rapid pace of change, and cross-organizational communication problems. We also identify recommended strategies to mitigate lack of shared understanding through more effective management of requirements knowledge in such organizations. We conclude by discussing the complex relationship between shared understanding of requirements, rework and, CSE.

show abstract

Software Security Activities that Support Incident Management in Secure DevOps

Cited by 14 publications

References 14 publications

DevOps benefits: A systematic literature review

DevOps benefits: A systematic literature review

Prioritization Based Taxonomy of DevOps Security Challenges Using PROMETHEE

The Lack of Shared Understanding of Non-Functional Requirements in Continuous Software Engineering: Accidental or Essential?

Contact Info

Product

Resources

About