Automated Security Findings Management: A Case Study in Industrial DevOps
Markus Voggenreiter, Florian Angermeir, Fabiola Moyón, Ulrich Schöpp, Pierre Bonvin
TL;DR
The paper addresses the challenge of securely managing security findings in industrial DevOps, where automated tests generate large, heterogeneous data. It proposes a methodology for automated management and instantiates it as Security Flama, a semantic knowledge base that collects reports, cleans data, deduplicates, and reasons about findings. A two-project industry case study assesses impact on process indicators and stakeholder perception, highlighting continuous feedback and communication as critical. Results show reduced aggregated findings, improved visibility, and that the communication strategy is essential for usability, with future work on deeper backlog integration and proactive notifications.
Abstract
In recent years, DevOps, the unification of development and operation workflows, has become a trend for the industrial software development lifecycle. Security activities turned into an essential field of application for DevOps principles as they are a fundamental part of secure software development in the industry. A common practice arising from this trend is the automation of security tests that analyze a software product from several perspectives. To effectively improve the security of the analyzed product, the identified security findings must be managed and looped back to the project team for stakeholders to take action. This management must cope with several challenges ranging from low data quality to a consistent prioritization of findings while following DevOps aims. To manage security findings with the same efficiency as other activities in DevOps projects, a methodology for the management of industrial security findings minding DevOps principles is essential. In this paper, we propose a methodology for the management of security findings in industrial DevOps projects, summarizing our research in this domain and presenting the resulting artifact. As an instance of the methodology, we developed the Security Flama, a semantic knowledge base for the automated management of security findings. To analyze the impact of our methodology on industrial practice, we performed a case study on two DevOps projects of a multinational industrial enterprise. The results emphasize the importance of using such an automated methodology in industrial DevOps projects, confirm our approach's usefulness and positive impact on the studied projects, and identify the communication strategy as a crucial factor for usability in practice.