Modeling continuous security: A conceptual model for automated DevSecOps using open-source software over cloud (ADOC)
Introduction
The accelerated velocity in delivery of time-to-market applications and services can be achieved by optimizing their time-to-development and time-to-production. The approach to applications development, deployment and their operations have evolved with evolution of cloud infrastructure and related technologies that advocate automation. Agile development approach (Alahyari, Svensson, Gorschek, 2017, Greene, Stellman, 2014, Rodr-guez, Mntyl, Oivo, Lwakatare, Seppnen, Kuvaja, 2019) evolved to address shortcomings of conventional software development models to support business agility by focusing collaboration between business experts and system developers. Agile development focused on shorter duration iterations for producing working application for end users and get immediate feedback for improvising it in next iteration with additional features. However, IT operations find challenges in deploying these working applications in shorter duration to production environment. The gain in development evaporates due to out of sync IT operations. The business experts, researchers and practitioners find the solutions by bringing business users, system developers and IT operations together and coined the term DevOps (Mezak, Paul). DevOps (Ebert, Gallardo, Hernantes, Serrano, 2016, Sharma, 2017) is primarily collaboration among business users, system developers, and IT operations to enable business agility with quality and velocity by adopting different practices. It bridges the two islands, development and operations, of IT world by adopting CALMS (Culture, Automation, Measurements, Lean, and Sharing) model (Appdynamics, Willis, Willis). Some of the worth mentioning practices adopted by DevOps are: 1) continuous planning, 2) continuous design and development, 3) continuous integration, 4) continuous testing, 5) continuous delivery, 6) continuous deployment, 7) continuous logging and monitoring, 8) collaboration, communication and feedback mechanism, etc. (AWS, Davis, Daniels, 2016, Fitzgerald, Stol, 2014, Jabbari, bin Ali, Petersen, Tanveer, 2016, Kim, Debois, Willis, Humble, 2016). As per the business context, the business experts, system developers, and IT operations can adopt and evolve relevant practices to their DevOps workflow. The cloud infrastructure, related technologies and automation are key driver for implementation of these DevOps practices. Adoption of DevOps result in multiple benefits to business, like increased speed to market, product and service quality, customer relevance and satisfaction, productivity, and innovation (Harvard Business Review, 2019).
However, most of the time, to enable velocity in business agility, security essentials get a miss in working application. Most of the time, security is considered as the last thing to check when the application is already developed (Carter, 2017). Also, in practice, with every iteration ensuring security is challenging, both in terms of time and money, unless, it is planned and designed at the early and every stage of DevOps workflow. This led to include security experts in DevOps team of business experts, system developers and IT operations to collaborate for designing and building security controls in DevOps practices, leading to DevSecOps. In simpler terms, DevSecOps is DevOps embedded with security controls providing continuous security assurance. It seems Neil MacDonald of Gartner (MacDonald, 2012) used the term DevOpsSec (more popular as DevSecOps) for the first time to infuse security within DevOps practices to balance speed, agility, and security. DevSecOps is natural extension of DevOps that advocates shift-security-left, security-by-design and continuous security testing by building automated security controls in DevOps workflow. Fig. 1 depicts DevSecOps as DevOps with continuous security assurance wherein security controls can be embedded across DevOps workflow (Bird, 2016, Crouch, Gill, Sharma, 2017, Weeks, 2019, Wikipedia).
The preconceived notion that security implementation delays the development and delivery time can be addressed through automation of security requirements fulfillment in the adopted processes and practices. DevSecOps fundamentally brings concept of continuous security that transforms security being compliance-oriented activities, generally undertaken towards end in the development life cycle, into continuous assurance-oriented activities throughout the workflow stages. DevSecOps codifies security policies into unified development, testing, deployment and operations practices through automation. In this work, we have proposed a continuous security model, the ADOC, that brings this automation through appropriate OSS tools over cloud. For driving DevSecOps adoption automation is seen as key differentiator. The OSS is successfully being used for driving this automation that capitalizes cloud infrastructure and cloud enabled technologies. The availability of OSS source code gives freedom to innovate and customize features to automate essential and advance security controls for a given business context. With more product and service providers adopting DevOps and DevSecOps methodology, security controls need to be effectively designed and implemented in a given business context to deliver security with agility and velocity with right choice of OSS tools and cloud technologies. Market reports forecast DevOps market size to grow from $3.4b in 2018 to $10.3b in 2023 (at a compound annual growth rate of 24.7%) (MarketsandMarkets, 2018a) and DevSecOps to grow from $1.5b in 2018 to $5.9b in 2023 (at a compound annual growth rate of 31.2%). The reports emphasized on cloud deployments, container services, and software automation solutions as driving factors for this accelerated growth.
Whether technology drives the business or business drives the technology, we need a security model to handle the threats and vulnerabilities due to moving perimeters and dynamics in applications, infrastructures and networks. The security model should be able to identify the flaws before any user discovers or attacker exploits it. Automated security checks and controls in the proposed workflow of the ADOC model equips us to establish such continuous security model. In this work, we have analyzed different challenges in adopting DevSecOps using OSS over the cloud and identified different requirements for a continuous security framework. Based on the requirements identified we have conceptualized a continuous security framework (see 4.1). This framework inherits fundamental principles and practices of DevOps and extends it further to build security controls in proposed workflow stages. It consists of six elements, nine principles, twelve stage workflow, seven practices, and OSS and cloud as two enablers. Together these form building blocks for the proposed ADOC continuous security model. Our proposed ADOC continuous security model for DevSecOps adoption have three components: 1) ADOC Engine, synthesizing forty security controls based on the defined conceptual framework, 2) OSS, as propellant for this ADOC Engine, and 3) Cloud, powering this ADOC Engine. In the proposed ADOC Engine different security controls are designed, based on adopted principles and practices, defined in the framework, to perform security assurance activities. These security controls are instated at different control-points in the proposed workflow. The security controls are activated when ADOC Engine executes corresponding activities of adopted practices. We further proposed and mapped the specific solutions for the reported adoption challenges with the proposed security controls. The functioning of the ADOC model has been explained through an example use case scenario.
In the rest of sections, a comparative analysis of related work is described in Section 2. Section 3 highlights different challenges in DevSecOps adoption and identifies research problems to address in this work along with different requirements for continuous security framework. Section 4 explains a conceptual framework to form the basis for a continuous security model to address the identified research problem. The proposed continuous security model, the ADOC, is described in the Section 4. Section 5 maps proposed solutions through security controls for the reported challenges. The fulfillment of identified requirements and research problems are explained in the Section 6. At the end, illustration of the usage of the ADOC model, its performance measurement approach, and pros and cons have been presented in the Section 7 followed by conclusion and further research opportunities in Section 8.
Section snippets
Related work
This work is focused on addressing the challenges in integrating security in DevOps, institutionalized as DevSecOps, using cloud and OSS as technology enabler, by proposing a conceptual model of continuous security. There are discrete studies carried out around benefits and challenges in adopting DevOps, DevSecOps, cloud and OSS, however, to the best of our knowledge a unified view of DevSecOps security model through the design of security controls using OSS over cloud has not been presented
Challenges in adoption of devsecops using OSS over cloud
DevSecOps is DevOps with security. DevSecOps is about collaborating with security team and developing a culture wherein development and operations team include security as integral component in their work products (Carter, 2017). It is to bring cultural transformation in an organization by changing the mindset of its people that building and delivering security enabled applications is everybody responsibility and not just a tick mark towards end of the completed work. Automation plays a pivotal
Conceptual model for continuous security: Simplifying devsecops adoption using OSS over cloud
We propose a conceptual model for continuous security to simplify the DevSecOps adoption using OSS over the cloud, addressing the requirements mentioned in the Table 5. The proposed model has three components: 1) ADOC Engine, an end-to-end automated workflow with set of practices and embedded security assurance controls; 2) Open-source software suite, as propellant for this ADOC Engine; and 3) The cloud infrastructure and technologies, to power this ADOC Engine. The building blocks of these
Addressing challenges using the proposed ADOC continuous security model
The proposed ADOC continuous security model defines a possible set of different security controls (Table 8) that can be used to address different challenges described in the Section 3. These security controls are based on continuous security principles (see 4.2.1) which are executed through different adopted practices (see 4.2.3). This set is indicative list of proposed security controls which can be modified and extended based on the business context. The choice of security controls is based
Mapping research problem and continuous security model requirements fulfillment in the proposed ADOC model
Table 13 provides a mapping of the addressed research problem and different requirements fulfillment for a continuous security model in the proposed security model described in previous sections.
This mapping illustrates the fulfillment of continuous security requirements through the proposed ADOC model and addressing the research problem as listed in Table 5. The identified set of principles, practices, workflow, security controls, OSS tools and metrics in the proposed ADOC continuous security
Building continuous security in charging and billing system IT application using the ADOC model
We showcase an example use case scenario to illustrate for using the proposed ADOC continuous security model. The use case outlines adoption of DevSecOps for a standalone Charging and Billing System (CBS) IT application using the ADOC model that can be extended for container-based delivery. Consider an IT company is delivering products and services for CBS to its global customers. Their product strategy team decides to implement DevSecOps practices to reduce product update cycle from nine to
Conclusion and further research opportunity
In this work, we presented a conceptual model, the ADOC model, for realizing continuous security in DevSecOps adoption. The proposed ADOC model implements security as continuous assurance activities by codifying security controls into automated delivery workflow. It enables business to deliver time-to-market security ready applications and services with accelerated velocity and sustainable agility in a cost-effective way. The continuous security requirements identified through the analysis of
CRediT authorship contribution statement
Rakesh Kumar: Conceptualization, Methodology, Software, Writing - original draft, Validation, Investigation. Rinkaj Goyal: Conceptualization, Methodology, Writing - review & editing, Visualization, Resources, Supervision.
Declaration of Competing Interest
Authors declare no conflict of interests.
Acknowledgments
The authors would like to convey their appreciation and gratitude to the anonymous reviewers. Their remarks and suggestions were extremely insightful and enabled us to improve the quality of manuscript.
Rakesh Kumar is pursuing a doctorate from Guru Gobind Singh Indraprastha University, Delhi. He holds a bachelor of engineering degree in computer science from Visvesvaraya National Institute of Technology, Nagpur, India, and a master of technology degree in computer science from USIC&T, Guru Gobind Singh Indraprastha University, New Delhi, India. His areas of work are in automation, network security, data analytics, artificial intelligence, and machine learning. He is CISM, ITIL and PMP
References (152)
- et al.
Chapter 5 - adaptive security for software systems
- et al.
A study of value in agile software development organizations
J. Syst. Softw.
(2017) - et al.
Security in cloud computing: opportunities and challenges
Inf. Sci. (Ny)
(2015) Reducing risk with end-to-end application security automation
Netw. Secur.
(2020)Continuous delivery: overcoming adoption challenges
J. Syst. Softw.
(2017)- et al.
On cloud security requirements, threats, vulnerabilities and countermeasures: a survey
Comput. Sci. Rev.
(2019) - et al.
Problems, causes and solutions when adopting continuous deliverya systematic literature review
Inf. Softw. Technol.
(2017) Building open source security into agile application builds
Netw. Secur.
(2018)- Appdynamics, 2015. Keep calm and embrace devops....
- et al.
Avoiding the top 10 software security design flaws
Technical Report
(2015)
From security to assurance in the cloud: a survey
ACM Comput. Surv.
Devops: introducing infrastructure-as-code
2017 IEEE/ACM 39th International Conference on Software Engineering Companion (ICSE-C)
Microservices architecture enables devops: migration to a cloud-native architecture
IEEE Softw.
When IoT meets devops: fostering business opportunities
KnE Soc. Sci.
DevOpsSec
Cyber threat modeling: survey, assessment, and representative framework
Technical Report
Top threats to cloud computing: egregious eleven
Technical Report
Performance-oriented DevOps: a research agenda
Technical Report
Francois raynaud on devsecops
IEEE Softw.
A novel security-by-design methodology: modeling and assessing security by slas with a quantitative approach
J. Syst. Softw.
Continuous delivery: huge benefits, but challenges too
IEEE Softw.
Towards a model-based devops for cyber-physical systems
Securing open source, Part 2: software composition analysis comes into its own
Technical Report
Security-by-design framework
Technical Report
Security for cloud computing: ten steps to ensure success
Technical Report
Foundations of Security: What Every Programmer Needs to Know
Effective DevOps: Building a Culture of Collaboration, Affinity, and Tooling at Scale
Adapting AppSec to a DevOps World
Technical Report
MYST: Automated DevOps for distributed applications across heterogeneous Cloud, Fog and Edge infrastructures
Developing a conceptual framework for cloud security assurance
2013 IEEE 5th International Conference on Cloud Computing Technology and Science
Devops
IEEE Softw.
Cloud security guide for SMEs
Technical Report
Security issues in cloud environments: a survey
Int. J. Inf. Secur.
Defining security requirements through misuse actions
Cited by (0)
Rakesh Kumar is pursuing a doctorate from Guru Gobind Singh Indraprastha University, Delhi. He holds a bachelor of engineering degree in computer science from Visvesvaraya National Institute of Technology, Nagpur, India, and a master of technology degree in computer science from USIC&T, Guru Gobind Singh Indraprastha University, New Delhi, India. His areas of work are in automation, network security, data analytics, artificial intelligence, and machine learning. He is CISM, ITIL and PMP certified professional working with Ericsson India Global Services Pvt Ltd.
Rinkaj Goyal is currently an assistant professor with the University School of Information, Communication and Technology (USIC&T), Guru Gobind Singh Indraprastha University, Delhi. His teaching and research interests include software engineering focusing on object-oriented metrics, multi-agent systems, and theoretical computer science. He maintains an informal students interest group on agent-based modelling (SIG-ABM) with USIC&T.