Abstract
Software engineering is evolving quickly leading to an urgency to discover more efficient development models. DevOps and its security-oriented extension DevSecOps promised to speed up the development process while ensuring more robust code. However, many third-party libraries and infrastructure vulnerabilities may still pose security flaws. Besides, regulatory compliance and standards go beyond secure software asking for comprehensive security and accurate infrastructure hardening. Thus, we may wonder: is DevSecOps enough? In this paper, we propose CyberDevOps, a novel architecture which integrates cybersecurity within DevSecOps. Specifically, (i) we revise software composition analysis to deal with nondeterministic environments and (ii) we incorporate vulnerability assessment and compliance within a further pipeline step. To assess the effectiveness of CyberDevOps, we conduct an experimental evaluation. Specifically, we attack a web application and we show how CyberDevOps is able to detect hidden defects while a standard DevSecOps pipeline fails. Furthermore, we assess code quality and security by comparing DevOps, DevSecOps, and CyberDevOps by monitoring two Conio code bases over a year. The results show that CyberDevOps helps to fix up to 100% of known bugs and vulnerabilities and improve significantly the code quality.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
Data availability
The datasets generated during the current study are available in the CDO DATASET repository of the author Lombardi (2022).
Notes
After DevSecOps, SecDevOps have been proposed. Although we detail their difference in the next section, for the sake of simplicity, in this paper, we refer to them only as “DevSecOps.”
Falcon Spotlight has a 15-day free trial.
Conio OSINT-VA uses machine learning inferences inspired by the PASCAL Forecaster (Lombardi et al., 2019).
The wrapper for Pillow we implemented can be found on the pypi.org website Fanton.
VirusTotal page of the gs binary under exam: https://www.virustotal.com/gui/file/13a6540ba15c62bac6340d0e6c64e9db766502bca15194621b537c4e4f0d29e6/details
API call to the MITRE DB: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ghostscript
The available Sonarqube metrics can be found in SonarSource S.A..
References
AICPA. (1997). System and Organization Controls: SOC Suite of Services. https://us.aicpa.org/interestareas/frc/assuranceadvisoryservices/sorhome
Aniello, L., Baldoni, R., & Lombardi, F. (2016). A blockchain-based solution for enabling log-based resolution of disputes in multi-party transactions. In International Conference in Software Engineering for Defence Applications (pp. 53–58). Springer.
Aqua Security. (2019). Trivy. https://github.com/aquasecurity/trivy
Aqua Security. (2021). Shift left DevOps. https://www.aquasec.com/cloud-native-academy/devsecops/shift-left-devops/
Artifex. (1998). Ghostscript. https://www.ghostscript.com/
Atlassian. (2020). Atlassian survey 2020 - DevOps trends. https://www.atlassian.com/whitepapers/devops-survey-2020
AWSLabs. (2016). git-secrets. https://github.com/awslabs/git-secrets
Baldoni, R., Cerocchi, A., Ciccotelli, C., Donno, A., Lombardi, F., & Montanari, L. (2014). Towards a non-intrusive recognition of anomalous system behavior in data centers. In: International Conference on Computer Safety, Reliability, and Security (pp. 350–359). Springer.
Bass, L., Holz, R., Rimba, P., Tran, A. B., & Zhu, L. (2015) Securing a deployment pipeline. In 2015 IEEE/ACM 3rd International Workshop on Release Engineering (pp. 4–7). IEEE.
Bird, J. (2016). DevOpsSec: Delivering secure software through continuous delivery. O’Reilly Media.
Bosch, J. (2014). Continuous software engineering: An introduction. Continuous Software Engineering (pp. 3–13). Springer.
Carter, K. (2017). Francois Raynaud on DevSecOps. IEEE Software, 34(5), 93–96.
Casey, K. (2018). How to build a strong DevSecOps culture: 5 tips. The Enterprisers Project. https://enterprisersproject.com/article/2018/6/how-build-strong-devsecops-culture-5-tips
Cash, S., Jain, V., Jiang, L., Karve, A., Kidambi, J., Lyons, M., Mathews, T., Mullen, S., Mulsow, M., & Patel, N. (2016). Managed infrastructure with IBM Cloud OpenStack Services. IBM Journal of Research and Development, 60(2–3), 6–1.
Center for Internet Security. (2017). CIS Oracle Linux 6 Benchmark. https://www.cisecurity.org/wp-content/uploads/2017/04/CIS_Oracle_Linux_6_Benchmark_v1.0.0.pdf
Chaillan, N., & Yasar, H. (2019). Waterfall to DevSecOps in DoD. Technical report, Carnegie Mellon University Software Engineering Institute Air Force.
Chen, L. (2015). Continuous delivery: Huge benefits, but challenges too. IEEE Software, 32(2), 50–54.
Chickowski, E. (2018). Seven winning DevSecOps metrics security should track. Bitdefender. https://businessinsights.bitdefender.com/seven-winning-devsecops-metrics-security-should-track
Ciccotelli, C., Aniello, L., Lombardi, F., Montanari, L., Querzoni, L., & Baldoni, R. (2015). Nirvana: A non-intrusive black-box monitoring framework for rack-level fault detection. In: 2015 IEEE 21st Pacific Rim International Symposium on Dependable Computing (PRDC) (pp. 11–20). IEEE.
Collins, R. (2017). PEP 508 – Dependency specification for Python Software Packages. https://www.python.org/dev/peps/pep-0508/
Conio Inc. (2018). Conio git Repository. https://github.com/Conio
Crouch, A. (2018). DevSecOps: Incorporate security into DevOps to reduce software risk. Birmingham: Pack Publishing. https://www.agileconnection.com/article/devsecops-incorporate-security-devops-reduce-software-risk
Desai, R., & Nisha, T. (2021). Best practices for ensuring security in devops: A case study approach. Journal of Physics: Conference Series, 1964, 042045.
Digkas, G., Chatzigeorgiou, A. N., Ampatzoglou, A., & Avgeriou, P. C. (2020). Can clean new code reduce technical debt density. IEEE Transactions on Software Engineering.
Dimov, A., & Dimitrov, V. (2021). Classification of software security tools, In: Information Systems and Grid Technologies.
Ecik, H. (2021). Comparison of active vulnerability scanning vs. passive vulnerability detection. In 2021 International Conference on Information Security and Cryptology (ISCTURKEY) (pp. 87–92). Turkey: ISC. https://doi.org/10.1109/ISCTURKEY53027.2021.9654331
Falcon. (2023). Spotlight. https://cloudprotectionworks.com/datasheets/FalconSpotlightDatasheetv2.pdf
Fanton, A. (2022). Vulnerable pillow wrapper. https://pypi.org/project/vuln-pillow-wrapper/
Farroha, B. S., & Farroha, D. L. (2014). A framework for managing mission needs, compliance, and trust in the DevOps environment. In 2014 IEEE Military Communications Conference (pp. 288–293). IEEE. https://doi.org/10.1109/MILCOM.2014.54
Fitzgerald, B., & Stol, K. -J. (2017). Continuous software engineering: A roadmap and agenda. Journal of Systems and Software, 123, 176–189.
Foo, D., Yeo, J., Xiao, H., & Sharma, A. (2019). The dynamics of software composition analysis. arXiv preprint arXiv:1909.00973
Fredrik, L., & Clark, A. (2016). Pillow. https://python-pillow.org/
GhostScript. (1998). Doc. https://www.ghostscript.com/doc/current/History9
Google. (2004). Virus Total. https://www.virustotal.com/
Greenbone. (2006). OpenVAS. https://www.openvas.org/
Hejase, H. J., Fayyad-Kazan, H. F., & Moukadem, I. (2020). Advanced persistent threats (APT): An awareness review. J. Econ. Econ. Educ. Res, 21, 1–8.
Hsu, T. (2018). Hands-on security in DevOps: ensure continuous security, deployment, and delivery with DevSecOps. Packt Publishing.
Hudson, M. (2012). Git Hooks. https://githooks.com/
Humphrey, A. (2018). Diving into DevSecOps: Measuring effectiveness and success. Armor. https://www.armor.com/blog/diving-devsecops-measuring-effectiveness-success/
Hutchins, E. M., Cloppert, M. J., Amin, R. M., et al. (2011). Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains. Leading Issues in Information Warfare & Security Research, 1(1), 80.
Ibrahim, A., Yousef, A. H., & Medhat, W. (2022). DevSecOps: A security model for infrastructure as code over the cloud. In 2022 2nd International Mobile, Intelligent, and Ubiquitous Computing Conference (MIUCC) (pp. 284–288). MIUCC. https://doi.org/10.1109/MIUCC55081.2022.9781709
Imtiaz, N., Thorn, S., & Williams, L. (2021). A comparative study of vulnerability reporting by software composition analysis tools. In Proceedings of the 15th ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM) (pp. 1–11). ACM.
ISO/IEC (2017) ISO/IEC 27001 Information Security Management. https://www.iso.org/isoiec-27001-information-security.html
Jerbi, A. (2018). KPIs for managing and optimizing DevSecOps success. InfoWorld. https://www.infoworld.com/article/3237046/kpis-for-managing-and-optimizing-devsecops-success.html
José, F. (2018). Effective DevSecOps. https://medium.com/@fabiojose/effective-devsecops-f22dd023c5cd
Kawaguchi, K. (2015). Jenkins. https://www.jenkins.io/
Leite, L., Rocha, C., Kon, F., Milojicic, D., & Meirelles, P. (2019). A survey of DevOps concepts and challenges. ACM Computing Surveys (CSUR), 52(6), 1–35.
Leppänen, M., Mäkinen, S., Pagels, M., Eloranta, V.-P., Itkonen, J., Mäntylä, M. V., & Männistö, T. (2015). The highways and country roads to continuous deployment. IEEE Software, 32(2), 64–72.
Leppänen, T., Honkaranta, A., & Costin, A. (2022). Trends for the DevOps security. A systematic literature review. In International Symposium on Business Modeling and Software Design (pp. 200–217). Springer.
Letouzey, J. -L., & Coq, T. (2010). The sqale models for assessing the quality of real time source code. Toulouse: ERTSS 2010.
Lombardi, F. (2022). CDO Dataset. https://github.com/FLombardi-PhD/CDO_DATASET/
Lombardi, F., Muti, A., Aniello, L., Baldoni, R., Bonomi, S., & Querzoni, L. (2019). Pascal: An architecture for proactive auto-scaling of distributed services. Future Generation Computer Systems, 98, 342–361.
Malware Tips. (2013). MalwareHub. https://malwaretips.com/categories/malware-hub.103/
Martorella, C. (2015). theHarvester. https://github.com/laramies/theHarvester
McCabe, T. (1976). A complexity measure ieee transactions on software engineering. IEEE Transactions on software Engineering, 2(4), 308–20.
MITRE. (2018). CVE-2018-16509. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16509
MITRE. (2000). CVE Vulnerability Database. https://www.cve.org/
Mohan, V., & Othmane, L. B. (2016). SecDevOps: Is it a marketing buzzword? Mapping research on security in DevOps. In 2016 11th International Conference on Availability, Reliability and Security (ARES) (pp. 542–547). IEEE.
Nath, K., Dhar, S., & Basishtha, S. (2014). Web 1.0 to web 3.0-evolution of the web and its various challenges. In 2014 International Conference on Reliability Optimization and Information Technology (ICROIT) (pp. 86–89). IEEE.
NIST. (1999). National Institute of Standards and Technology. https://www.nist.gov/
Offsec Services Ltd. (2009). ExploitDB. https://www.exploit-db.com/
OWASP. (2016). OWASP Zed Attack Proxy (ZAP). https://www.zaproxy.org/
OWASP. (2020a). OWASP Dependency Check. https://owasp.org/www-project-dependency-check/
OWASP. (2020b). OWASP ModSecurity Core Rule Set. https://owasp.org/www-project-modsecurity-core-rule-set/
Paule, C. (2018). Securing DevOps: Detection of vulnerabilities in CD pipelines.
PCI Security Standard Council. (2006). Payment Card Industry Data Security Standard. https://www.pcisecuritystandards.org
PortSwigger (2003). Burp Suite. https://portswigger.net/burp
Prates, L., Faustino, J., Silva, M., & Pereira, R. (2019). DevSecOps metrics. In EuroSymposium on Systems Analysis and Design (pp. 77–90). Springer.
PuppetLabs. (2014). State of DevOps report. technical report 2014.
PuppetLabs. (2019). State of DevOps report. technical report 2019.
PyCQA. (2018). Bandit. https://github.com/PyCQA/bandit
Pyup. (2017). Safety. https://pyup.io/safety/
Rahman, A. A. U., & Williams, L. (2016). Software security in DevOps: Synthesizing practitioners’ perceptions and practices. In 2016 IEEE/ACM International Workshop on Continuous Software Evolution and Delivery (CSED) (pp. 70–76). IEEE.
Rajapakse, R. N., Zahedi, M., Babar, M. A., & Shen, H. (2022). Challenges and solutions when adopting devsecops: A systematic review. Information and Software Technology, 141, 106700.
Rapid7. (2003). Metasploit Framework. https://www.metasploit.com/
Raynaud, F. (2017). DevSecOps whitepaper. DevSecCon. https://www.devseccon.com/pf/london-2017/
Reitz, K. (2020). Pipenv. https://pipenv.pypa.io/
Sallin, M., Kropp, M., Anslow, C., Quilty, J. W., & Meier, A. (2021). Measuring software delivery performance using the four key metrics of DevOps. In International Conference on Agile Software Development (pp. 103–119). Cham: Springer.
Schermann, G., Cito, J., Leitner, P., Zdun, U., & Gall, H. (2016). An empirical study on principles and practices of continuous delivery and deployment. PeerJ Preprints: Technical report.
Shahin, M., Babar, M. A., & Zhu, L. (2017). Continuous integration, delivery and deployment: A systematic review on approaches, tools, challenges and practices. IEEE Access, 5, 3909–3943.
Shahin, M., Zahedi, M., Babar, M. A., & Zhu, L. (2019). An empirical study of architecting for continuous delivery and deployment. Empirical Software Engineering, 24(3), 1061–1108.
Shodan. (2013). Shodan Search Engine. https://www.shodan.io/
SM7 Software. (2013). Spiderfoot. https://www.spiderfoot.net/
Sojan, A., Rajan, R., & Kuvaja, P. (2021). Monitoring solution for cloud-native DevSecOps. In: 2021 IEEE 6th International Conference on Smart Cloud (SmartCloud), pp. 125–131. https://doi.org/10.1109/SmartCloud52277.2021.00029
SonarSource S. A. (2013). Sonarqube. https://www.sonarqube.org/
SonarSource S. A. (2018). Metrics Definition. https://docs.sonarqube.org/latest/user-guide/metric-definitions/
Stahl, D., Martensson, T., & Bosch, J. (2017). Continuous practices and DevOps: Beyond the buzz, what does it all mean? In 2017 43rd Euromicro Conference on Software Engineering and Advanced Applications (SEAA) (pp. 440–448). IEEE.
Synopsys Software. (2021). BSIMM12, 2021 Insights Trends Report. https://www.bsimm.com/
Sysdig. (2015). Sysdig Secure. https://sysdig.com/products/secure/
TheHive Project. (2020). Cortex. https://github.com/TheHive-Project/Cortex
Tiangolo. (2019. FastAPI. https://fastapi.tiangolo.com/
Vijayan, J. (2019). 6 DevSecOps best practices: Automate early and often. TechBeacon. https://techbeacon.com/security/6-devsecops-best-practices-automate-early-often
Wazuh. (2008). The Open Source Security Platform. https://wazuh.com/
Wazuh. (2019). Defining an alert level threshold. https://documentation.wazuh.com/current/user-manual/manager/alert-threshold.html
Woodward, S. (2018). DevSecOps metrics approaches in 2018. Cloud Perspectives. https://www.brighttalk.com/webcast/499/333412
Zahedi, M., Rajapakse, R. N., & Babar, M. A. (2020). Mining questions asked about continuous software engineering: A case study of stack overflow. In Proceedings of the Evaluation and Assessment in Software Engineering (pp. 41–50). Association for Computing Machinery.
Author information
Authors and Affiliations
Contributions
The contribution of the authors is described as follows: Federico Lombardi — research, concept, methodology, implementation, paper writing. Alberto Fanton — methodology, implementation, evaluation, paper writing support.
Corresponding author
Ethics declarations
There are no ethical issues with the contribution provided in this work. The code prototype will be publicly released to the official Conio git repository (Conio Inc., 2018). The authors give their consent for publication in this journal.
Conflict of interest
The authors declare no competing interests.
Additional information
Publisher’s Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Appendix: Lightening the DevOps pipeline
Appendix: Lightening the DevOps pipeline
This appendix shows how we speed up the CI/CD process, either with DevOps or CyberDevOps, by detecting and addressing issues before running the pipeline. The goal is to solve problems at development time, in order to lighten the pipeline execution and avoid wasting time and computing resources. As a general practice, the sooner a defect is detected and fixed, the better it is. Furthermore, we practically observed that discovering issues at development time improves the developers’ code quality and security awareness; therefore, the entire CI/CD process can speed up.
Usually, pipelines run in a dedicated environment shared by developers. In Conio, we juxtapose a shorter pipeline also in developer local environments.
Specifically, each local environment is set to execute preliminary static checks and dynamic tests through Git Hooks (Hudson, 2012). Specifically, we run the following controls on pre-commit and pre-push hooks:
-
Pre-commit*: this hook triggers the execution of SCA, SAST, and unit test steps. Furthermore, we include linters and autoformatters that are not part of a common CI/CD pipeline, but they are good for the health of the code base in terms of both security and cleanness. This step is relatively fast to run and can detect preliminary security, quality, and functional problems;
-
Pre-push: this hook triggers all the steps of pre-commit adding some more computationally expensive steps such as the integration test step. We can afford to use some more time since push are less frequent of commit.
Following, an example of the preliminary tests set on the local environment:
-
id: SCA - Pipenv check stages: [commit, push] language: system entry: pipenv check types: [python]
-
id: SAST - bandit stages: [commit, push] language: system entry: pipenv run bandit types: [python]
-
id: Unit tests stages: [commit, push] language: system entry: pipenv run pytest unit
-
id: Integration tests stages: [push] language: system entry: pipenv run pytest integration
Rights and permissions
Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.
About this article
Cite this article
Lombardi, F., Fanton, A. From DevOps to DevSecOps is not enough. CyberDevOps: an extreme shifting-left architecture to bring cybersecurity within software security lifecycle pipeline. Software Qual J 31, 619–654 (2023). https://doi.org/10.1007/s11219-023-09619-3
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s11219-023-09619-3