Dealing with Security in a Real DevOps Environment

  • Xabier Larrucea
  • Alberto Berreteaga
  • Izaskun Santamaria
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 1060)


Security is a hot topic in several domains, especially in critical infrastructures such as national health systems. Security practices, methods and tools improve the final products and services offered to citizens. There is, however, no consensus on how security measures should be included within the DevOps pipeline. This paper provides a DevOps approach for managing security measures along the DevOps pipeline. The approach is based on source code analysis at the integration phase and is an initial step towards injecting security throughout the DevOps process. It has been developed for a real scenario in the health sector.


Keywords: DevOps, Security, SecDevOps



The projects leading to this paper have received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement No. 727301.



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Xabier Larrucea, TECNALIA, Derio, Spain
  • Alberto Berreteaga, TECNALIA, Derio, Spain
  • Izaskun Santamaria, TECNALIA, Derio, Spain
