Abstract
Due to technical advances, old ways of securing DevOps software development have become obsolete. Thus, researchers and practitioners need new insights into the security challenges and practices of DevOps development. This paper reviews the data extraction and analysis phase and the results of a Systematic Literature Review (SLR) study that was carried out in 2019. The outcome is an updated list of security challenges and practices for DevOps software development. Both reviews show that the most essential challenges for DevOps security deal with the complexity of the development pipelines and the overall complexity of cloud and microservice environments. The security activities identified were classified using the BSIMM maturity model for software security as a framework. Our review shows that DevOps security research focuses mostly on the deployment phase and on technical aspects of software security. We compared the security activities identified in our study with those identified by the BSIMM development company in its 2020 review of 128 practitioners' security practices and found matching practices and similar trends.
Acknowledgements
The authors wish to thank the two anonymous reviewers for their invaluable comments and feedback, which helped greatly to improve the quality of the paper. In particular, one of the reviewers offered a very thorough review with many good comments, ideas, and suggestions.
© 2022 Springer Nature Switzerland AG
About this paper
Cite this paper
Leppänen, T., Honkaranta, A., Costin, A. (2022). Trends for the DevOps Security. A Systematic Literature Review. In: Shishkov, B. (eds) Business Modeling and Software Design. BMSD 2022. Lecture Notes in Business Information Processing, vol 453. Springer, Cham. https://doi.org/10.1007/978-3-031-11510-3_12
DOI: https://doi.org/10.1007/978-3-031-11510-3_12
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-11509-7
Online ISBN: 978-3-031-11510-3
eBook Packages: Computer Science (R0)