Dealing with Security in a Real DevOps Environment

  • Conference paper
Systems, Software and Services Process Improvement (EuroSPI 2019)

Part of the book series: Communications in Computer and Information Science (CCIS, volume 1060)

Abstract

Security is a hot topic in several domains, especially in critical infrastructures such as national health systems. Security practices, methods and tools improve the final products and services offered to citizens. However, there is no consensus on how security measures should be integrated into the DevOps pipeline. This paper presents a DevOps approach for managing security measures along the DevOps pipeline. The approach is based on source code analysis at the integration phase and is a first step towards injecting security throughout the DevOps process. It has been developed for a real scenario in the health sector.

Acknowledgements

The projects leading to this paper have received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 727301.

Author information

Corresponding author

Correspondence to Xabier Larrucea.

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Cite this paper

Larrucea, X., Berreteaga, A., Santamaria, I. (2019). Dealing with Security in a Real DevOps Environment. In: Walker, A., O'Connor, R., Messnarz, R. (eds) Systems, Software and Services Process Improvement. EuroSPI 2019. Communications in Computer and Information Science, vol 1060. Springer, Cham. https://doi.org/10.1007/978-3-030-28005-5_35

  • DOI: https://doi.org/10.1007/978-3-030-28005-5_35

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-28004-8

  • Online ISBN: 978-3-030-28005-5

  • eBook Packages: Computer Science (R0)