Trends for the DevOps Security. A Systematic Literature Review

  • Conference paper
Business Modeling and Software Design (BMSD 2022)

Part of the book series: Lecture Notes in Business Information Processing ((LNBIP,volume 453))

Abstract

Due to technical advances, old ways of securing DevOps software development have become obsolete. Thus, researchers and practitioners need new insights into the security challenges and practices of DevOps development. This paper reviews the data extraction and analysis phase and the results of a Systematic Literature Review (SLR) study that was carried out in 2019. The outcome is an updated list of security challenges and practices for DevOps software development. Both reviews show that the most essential challenges for DevOps security deal with the complexity of the development pipelines and the overall complexity of the cloud and microservice environments. The security activities identified were classified using the BSIMM maturity model for software security as a framework. Our review shows that DevOps security research focuses mostly on the deployment phase and on technical aspects of software security. We compared the security activities identified in our study with the ones identified by the BSIMM development company in their 2020 review of 128 practitioners’ security practices and found matching practices and similar trends.

Acknowledgements

The authors wish to thank the two anonymous reviewers for their invaluable comments and feedback, which helped greatly to improve the quality of the paper. Specifically, the other reviewer offered a very thorough review with many good comments, ideas, and suggestions.

Corresponding author

Correspondence to Anne Honkaranta.

Copyright information

© 2022 Springer Nature Switzerland AG

Cite this paper

Leppänen, T., Honkaranta, A., Costin, A. (2022). Trends for the DevOps Security. A Systematic Literature Review. In: Shishkov, B. (eds) Business Modeling and Software Design. BMSD 2022. Lecture Notes in Business Information Processing, vol 453. Springer, Cham. https://doi.org/10.1007/978-3-031-11510-3_12

  • DOI: https://doi.org/10.1007/978-3-031-11510-3_12

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-11509-7

  • Online ISBN: 978-3-031-11510-3
