
Dealing with Security in a Real DevOps Environment

  • Xabier Larrucea
  • Alberto Berreteaga
  • Izaskun Santamaria
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 1060)

Abstract

Security is a hot topic in several domains, especially in critical infrastructures such as national health systems. Security practices, methods and tools improve the final products and services offered to citizens. There is no consensus on how security measures should be included in the DevOps pipeline. This paper provides a DevOps approach for managing security measures along the DevOps pipeline. The approach is based on source code analysis at the integration phase and is an initial step towards injecting security along the whole DevOps process. It has been developed for a real scenario in the health sector.
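The abstract places the security check at the integration phase, where static source code analysis runs and its findings decide whether the build proceeds. The block below is an added illustration of such an integration-stage gate; it is not the paper's tooling. It reads a SARIF 2.1.0 report (the interchange format most static analysers can emit), counts findings per SARIF level, and fails the job when a per-level limit is exceeded. The policy thresholds, the analyser name "example-sast", the file names and the findings in the embedded report are all constructed for the example.

```python
"""Security gate for the integration (CI) stage of a DevOps pipeline.

Added example, not the paper's own tooling: it consumes the SARIF report that
most static analysers can emit, applies a severity policy, and returns a
pass/fail decision the CI job can act on. The policy thresholds and the sample
report below are assumptions constructed for illustration.
"""
import json
from collections import Counter
from dataclasses import dataclass, field

# Severity levels the SARIF 2.1.0 specification allows for result.level.
SARIF_LEVELS = ("error", "warning", "note", "none")

# Constructed sample report: what a static analyser might emit for a small service.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "Untrusted input reaches SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/PatientDao.java"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "weak-hash", "level": "warning",
             "message": {"text": "MD5 used for password hashing"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/Auth.java"},
                 "region": {"startLine": 17}}}]},
            {"ruleId": "unused-import", "level": "note",
             "message": {"text": "Unused import"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/Auth.java"},
                 "region": {"startLine": 3}}}]},
        ],
    }],
})


@dataclass
class GatePolicy:
    """Maximum number of findings tolerated per SARIF level before the build fails.
    Levels not listed (note, none) are reported but never block (assumed policy)."""
    max_per_level: dict = field(default_factory=lambda: {"error": 0, "warning": 5})


@dataclass
class GateResult:
    passed: bool
    counts: dict      # findings per level, for the job log
    blocking: list    # human-readable lines for the findings that caused the failure


def parse_findings(sarif_text):
    """Flatten every result across all runs into (level, ruleId, uri, line) tuples."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        for res in run.get("results", []):
            # Treat a missing or unknown level as "warning" (assumed default).
            level = res.get("level", "warning")
            if level not in SARIF_LEVELS:
                level = "warning"
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            uri = loc.get("artifactLocation", {}).get("uri", "<unknown>")
            line = loc.get("region", {}).get("startLine", 0)
            findings.append((level, res.get("ruleId", "<no-rule>"), uri, line))
    return findings


def evaluate_gate(sarif_text, policy=GatePolicy()):
    """Apply the policy and decide whether the integration job may proceed."""
    findings = parse_findings(sarif_text)
    counts = Counter(level for level, *_ in findings)
    blocking = []
    for level, limit in policy.max_per_level.items():
        if counts.get(level, 0) > limit:
            blocking.extend(f"{level}: {rule} at {uri}:{line}"
                            for lvl, rule, uri, line in findings if lvl == level)
    return GateResult(passed=not blocking, counts=dict(counts), blocking=blocking)


if __name__ == "__main__":
    result = evaluate_gate(SAMPLE_SARIF)
    print("counts:", result.counts)
    for entry in result.blocking:
        print("BLOCKING", entry)
    raise SystemExit(0 if result.passed else 1)  # non-zero exit fails the CI stage
```

In a real pipeline the script would read the analyser's report from the workspace instead of the embedded sample; the exit status is what makes the integration stage stop on blocking findings, and the per-level counts give the team a metric to track across builds.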

Keywords

DevOps, Security, SecDevOps

Notes

Acknowledgements

The projects leading to this paper have received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement No. 727301.


Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Xabier Larrucea (1)
  • Alberto Berreteaga (1)
  • Izaskun Santamaria (1)
  1. TECNALIA, Derio, Spain
