Abstract
DevOps is becoming one of the most popular software development methodologies, especially for cloud-based applications. In spite of its popularity, it is still difficult to integrate non-functional requirements, such as security, in the full application development life-cycle. In some recent works, security DevOps (or SecDevOps) has been introduced, in order to enable the adoption of Security-by-Design principles in DevOps processes. In [4], a novel SecDevOps methodology was proposed to exploit such integration, but the security assessment and testing were performed with a static approach. In this paper, we propose to extend the SecDevOps methodology with the adoption of a novel security testing technique in order to dynamically test security properties in the operational phase, too. In order to validate the proposed approach, a cloud application case study involving the WordPress software module is presented and analyzed.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
References
Anderson, R.: Security Engineering: A Guide to Building Dependable Distributed Systems, 2nd edn (2008). http://www.cl.cam.ac.uk/~rja14/book.html
Casola, V., De Benedictis, A., Erascu, M., Modic, J., Rak, M.: Automatically enforcing security SLAs in the cloud. IEEE Trans. Serv. Comput. 10(5), 741–755 (2017)
Casola, V., De Benedictis, A., Rak, M., Villano, U.: A methodology for automated penetration testing of cloud applications. Int. J. Grid Util. Comput. 11(2), 267–277 (2020)
Casola, V., De Benedictis, A., Rak, M., Villano, U.: A novel security-by-design methodology: modeling and assessing security by SLAs with a quantitative approach. J. Syst. Softw. 163, 110537 (2020)
Cavoukian, A., Chanliau, M.: Privacy and security by design: an enterprise architecture approach (2013). https://www.ipc.on.ca/wp-content/uploads/Resources/pbd-privacy-and-security-by-design-oracle.pdf
Common Criteria: CCMB-2017-04-001: Common Criteria for Information Technology Security Evaluation v3.1 rev5 (2017). https://www.commoncriteriaportal.org/files/ccfiles/CCPART1V3.1R5.pdf
Dejon, N., Caputo, D., Verderame, L., Armando, A., Merlo, A.: Automated security analysis of IoT software updates. In: Laurent, M., Giannetsos, T. (eds.) WISTP 2019. LNCS, vol. 12024, pp. 223–239. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-41702-4_14
Geer, D.: Are companies actually using secure development life cycles? Computer 43(6), 12–16 (2010)
Herzog, P.: OSSTMM 3: the open source security testing methodology manual-contemporary security testing and analysis (2010). http://www.isecom.org/
Jayaram, K., Mathur, A.P.: Software engineering for secure software-state of the art: a survey. Purdue University (2005)
Scarfone, K., Souppaya, M., Cody, A., Orebaugh, A.: Technical guide to information security testing and assessment. NIST Special Publication 800–115 (2008)
Knowles, W., Baron, A., McGarr, T.: The simulated security assessment ecosystem: does penetration testing need standardisation? Comput. Secur. 62, 296–316 (2016). https://doi.org/10.1016/j.cose.2016.08.002
National Institute of Standards and Technology: SP 800–53 Rev 4: Recommended Security and Privacy Controls for Federal Information Systems and Organizations. Technical report (2013). http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
Rak, M.: Security assurance of (multi-)cloud application with security SLA composition. In: Au, M.H.A., Castiglione, A., Choo, K.-K.R., Palmieri, F., Li, K.-C. (eds.) GPC 2017. LNCS, vol. 10232, pp. 786–799. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-57186-7_57
Ross, R., McEvilley, M., Oren, J.C.: NIST SP 800–160: systems security engineering: considerations for a multidisciplinary approach in the engineering of trustworthy secure systems (2016). https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-160v1.pdf
Santos, J.C.S., Tarrit, K., Mirakhorli, M.: A catalog of security architecture weaknesses. In: 2017 IEEE International Conference on Software Architecture Workshops (ICSAW), pp. 220–223 (2017)
The Software Assurance Forum for Excellence in Code (SAFECode): Fundamental Practices for Secure Software Development Essential Elements of a Secure Development Lifecycle Program - Third Edition (2018)
Verderame, L., Caputo, D., Migliardi, M., Merlo, A.: AppIoTTE: an architecture for the security assessment of mobile-IoT ecosystems. In: Barolli, L., Amato, F., Moscato, F., Enokido, T., Takizawa, M. (eds.) WAINA 2020. AISC, vol. 1150, pp. 867–876. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-44038-1_79
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Casola, V., De Benedictis, A., Rak, M., Salzillo, G. (2020). A Cloud SecDevOps Methodology: From Design to Testing. In: Shepperd, M., Brito e Abreu, F., Rodrigues da Silva, A., Pérez-Castillo, R. (eds) Quality of Information and Communications Technology. QUATIC 2020. Communications in Computer and Information Science, vol 1266. Springer, Cham. https://doi.org/10.1007/978-3-030-58793-2_26
Download citation
DOI: https://doi.org/10.1007/978-3-030-58793-2_26
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-58792-5
Online ISBN: 978-3-030-58793-2
eBook Packages: Computer ScienceComputer Science (R0)