Product Incremental Security Risk Assessment Using DevSecOps Practices

  • Conference paper
Computer Security. ESORICS 2022 International Workshops (ESORICS 2022)

Abstract

Security risk assessment is often a heavy manual process, which makes it expensive to perform. DevOps, which aims at improving software quality and speed of delivery, and DevSecOps, which augments DevOps with the automation of security activities, provide tools and procedures that can automate the risk assessment. We propose a solution that integrates risk assessment with DevSecOps activities and processes in order to make the risk assessment more continuous and automated. The solution is illustrated on a use case in which the firewall of a robot vehicle is updated while the risk assessment is performed iteratively. This approach aims at facilitating assessment (and certification, such as EUCC) processes.

Notes

  1. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM:2020:823:FIN.

  2. https://eur-lex.europa.eu/eli/reg/2019/881/oj.

  3. https://www.enisa.europa.eu/publications/cybersecurity-certification-eucc-candidate-scheme-v1-1.1.

  4. https://docs.microsoft.com/en-us/previous-versions/commerce-server/ee823878(v=cs.20).

  5. https://satra.iit.cnr.it/.

  6. https://github.com/cetic/vacsine.

  7. https://www.first.org/cvss/.

  8. In this paper we use the following notation. Capital letters (e.g., TF) denote sets and lowercase letters denote single values (e.g., oc). The same lowercase letters as the set name, with an index, denote a specific element of that set (e.g., \(tf_i\)). Bold capital letters denote a set of variables that is more conveniently represented as a matrix (e.g., \(\boldsymbol{AM}\)); their elements require two indexes (e.g., \(am_{i,j}\)). n always denotes the size of a set.

  9. In fact, for a control m only a few \(sc_{m,l}\ne 0\), i.e., only a limited number of security features contribute to a security control. Moreover, in most cases, for a security feature l there is only one \(sc_{m,l}\ne 0\).

Acknowledgment

This paper was supported in part by European Union’s Horizon 2020 research and innovation programme under Grant Agreement No. 830892, project “Strategic programs for advanced research and technology in Europe” (SPARTA).

Corresponding author: Sébastien Dupont.

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Dupont, S. et al. (2023). Product Incremental Security Risk Assessment Using DevSecOps Practices. In: Katsikas, S., et al. Computer Security. ESORICS 2022 International Workshops. ESORICS 2022. Lecture Notes in Computer Science, vol 13785. Springer, Cham. https://doi.org/10.1007/978-3-031-25460-4_38

  • DOI: https://doi.org/10.1007/978-3-031-25460-4_38

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-25459-8

  • Online ISBN: 978-3-031-25460-4

  • eBook Packages: Computer Science (R0)