Abstract
In the last decade, companies adopted DevOps as a fast path to deliver software products according to customer expectations, with well-aligned teams and in continuous cycles. As a basic practice, DevOps relies on pipelines that resemble factory swim-lanes. The more automation in the pipeline, the shorter the lead time is supposed to be. However, applying DevOps is challenging, particularly for industrial control systems (ICS) that support critical infrastructures and that must obey rigorous requirements from security regulations and standards. Current research on security-compliant DevOps presents open gaps for this particular domain and, in general, for the systematic application of security standards. In this paper, we present a systematic approach to integrate standard-based security activities into DevOps pipelines and highlight their automation potential. Our intention is to share our experiences and help practitioners overcome the trade-off between adding security activities to the development process and keeping a short lead time. We conducted an evaluation of our approach at a large industrial company considering the IEC 62443-4-1 security standard that regulates ICS. The results strengthen our confidence in the usefulness of our approach and artefacts, and in that they can support practitioners in achieving security compliance while preserving agility, including short lead times.
Acknowledgements
This work is partially funded by Portuguese national funds through FCT - Fundação para a Ciência e Tecnologia, I.P., under the project FCT UIDB/04466/2020. Furthermore, the third author thanks the Instituto Universitário de Lisboa and ISTAR-IUL, for their support.
Copyright information
© 2020 Springer Nature Switzerland AG
Cite this paper
Moyón, F., Soares, R., Pinto-Albuquerque, M., Mendez, D., Beckers, K. (2020). Integration of Security Standards in DevOps Pipelines: An Industry Case Study. In: Morisio, M., Torchiano, M., Jedlitschka, A. (eds) Product-Focused Software Process Improvement. PROFES 2020. Lecture Notes in Computer Science, vol 12562. Springer, Cham. https://doi.org/10.1007/978-3-030-64148-1_27
DOI: https://doi.org/10.1007/978-3-030-64148-1_27
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-64147-4
Online ISBN: 978-3-030-64148-1