Continuous risk assessment in secure DevOps

Ricardo M. Czekster

TL;DR

This work argues that secure DevOps could profit from engaging with risk-related activities within organisations. It focuses on combining Risk Assessment (RA), particularly Threat Modelling (TM), with secure DevOps so that security considerations are applied early in the software life-cycle.

Abstract

DevOps (development and operations) has significantly changed how teams overcome deficiencies in delivering high-quality software to production environments. Recent years have witnessed increased interest in embedding cybersecurity into DevOps, in an approach dubbed secure DevOps. However, as the practices and guidance mature, teams must consider them within a broader risk context. We argue that secure DevOps could profit from engaging with risk-related activities within organisations. We focus on combining Risk Assessment (RA), particularly Threat Modelling (TM), with secure DevOps, applying security considerations early in the software life-cycle. Our contribution is a roadmap for enacting secure DevOps alongside risk objectives, devising informed ways to improve TM, and establishing effective security underpinnings in organisations focused on software products and services. We outline proven methods from the literature on the subject, discussing case studies, technologies, and tools, and present a case study of a real-world-inspired organisation employing the proposed approach, followed by a discussion. Enforcing these security-centred mechanisms requires investment, training, and stakeholder engagement. It also requires understanding the actual benefits of automation in Continuous Integration/Continuous Delivery settings that improve the overall quality of software solutions reaching the market.

Paper Structure (11 sections, 1 equation, 10 figures)

Figures (10)

  • Figure 1: Overview of approaches and interplay among CIA, RM, RA, and TM.
  • Figure 2: Shared concepts and ideas of RM, RA, and TM with a summary of steps.
  • Figure 3: Approaches and guidance documents and standards for RM, RA, and TM.
  • Figure 4: Communicating risk related underpinnings with the Common Criteria -- adapted from ekstedt2011modelling.
  • Figure 5: Continuous software engineering extended with security concerns and continuous risk -- adapted from Fitzgerald and Stol (2017), by including secure DevOps and continuous RM/RA + TM practices.
  • ...and 5 more figures