
Computers & Security

Volume 97, October 2020, 101967

Modeling continuous security: A conceptual model for automated DevSecOps using open-source software over cloud (ADOC)

https://doi.org/10.1016/j.cose.2020.101967

Abstract

Agile software development and DevOps have together helped businesses achieve the agility and velocity needed to deliver applications and services on time-to-market schedules. Open-source software (OSS) and cloud technologies are lifting business innovation and DevOps to new heights. In the pursuit of agility and velocity, however, user data security and privacy assurance often receive lower priority, because they are perceived as time-consuming activities requiring specialized people, processes and technology. We see this problem being addressed by integrating security into DevOps processes; security for DevOps has been institutionalized as DevSecOps, with practical considerations for a given business context. In this work we propose a conceptual security model, ADOC, to facilitate adopting DevSecOps for business processes that capitalize on OSS over the cloud. The work contributes the following towards integrating continuous security into application and service delivery: (i) a continuous security conceptual framework based on requirements elicited from an analysis of the challenges in adopting DevSecOps using OSS over the cloud; (ii) an integrationist security model, ADOC, built on that framework, which integrates development, security and operations activities by automating security controls using OSS over the cloud; (iii) a set of inter-working OSS tools for automating the proposed security controls in the ADOC workflow and practices; (iv) a set of metrics for measuring the performance of the ADOC model; and (v) a mapping of solutions for the analyzed challenges onto the proposed security controls, followed by a use case scenario for adopting the ADOC workflow and continuous practices. ADOC transforms security from ad hoc, compliance-oriented activities into continuous, assurance-oriented activities by codifying security controls into an automated delivery workflow. Its practical adoption enables businesses to deliver security-ready applications and services to market with accelerated velocity and sustainable agility in a cost-effective way.

Introduction

The accelerated velocity in delivering applications and services to market can be achieved by optimizing their time-to-development and time-to-production. Approaches to application development, deployment and operations have evolved together with cloud infrastructure and related technologies that favour automation. The agile development approach (Alahyari, Svensson, Gorschek, 2017, Greene, Stellman, 2014, Rodríguez, Mäntylä, Oivo, Lwakatare, Seppänen, Kuvaja, 2019) evolved to address shortcomings of conventional software development models and to support business agility by focusing on collaboration between business experts and system developers. Agile development favours short iterations that produce a working application for end users and gather immediate feedback, so that the next iteration can improve it with additional features. However, IT operations struggled to deploy these working applications to the production environment within such short cycles, and the gains made in development evaporated because operations were out of sync. Business experts, researchers and practitioners found the solution by bringing business users, system developers and IT operations together, and coined the term DevOps (Mezak, Paul). DevOps (Ebert, Gallardo, Hernantes, Serrano, 2016, Sharma, 2017) is primarily collaboration among business users, system developers and IT operations to enable business agility with quality and velocity by adopting different practices. It bridges the two islands of the IT world, development and operations, by adopting the CALMS (Culture, Automation, Lean, Measurement, and Sharing) model (Appdynamics, Willis, Willis). Practices worth mentioning that DevOps has adopted include: 1) continuous planning, 2) continuous design and development, 3) continuous integration, 4) continuous testing, 5) continuous delivery, 6) continuous deployment, 7) continuous logging and monitoring, and 8) collaboration, communication and feedback mechanisms (AWS, Davis, Daniels, 2016, Fitzgerald, Stol, 2014, Jabbari, bin Ali, Petersen, Tanveer, 2016, Kim, Debois, Willis, Humble, 2016). Depending on the business context, business experts, system developers and IT operations can adopt relevant practices into their DevOps workflow and evolve them. Cloud infrastructure, related technologies and automation are the key drivers for implementing these DevOps practices. Adopting DevOps brings multiple benefits to the business, such as increased speed to market, product and service quality, customer relevance and satisfaction, productivity, and innovation (Harvard Business Review, 2019).

However, in the drive for velocity and business agility, security essentials are often missed in the working application. Most of the time security is treated as the last thing to check, once the application is already developed (Carter, 2017). In practice, ensuring security in every iteration is challenging, in both time and money, unless it is planned and designed in at the early stage and at every stage of the DevOps workflow. This has led to including security experts in the DevOps team of business experts, system developers and IT operations, so that they collaborate on designing and building security controls into DevOps practices, which leads to DevSecOps. In simpler terms, DevSecOps is DevOps embedded with security controls that provide continuous security assurance. Neil MacDonald of Gartner (MacDonald, 2012) appears to have been the first to use the term DevOpsSec (more popular as DevSecOps) for infusing security into DevOps practices to balance speed, agility and security. DevSecOps is a natural extension of DevOps that advocates shifting security left, security by design and continuous security testing by building automated security controls into the DevOps workflow. Fig. 1 depicts DevSecOps as DevOps with continuous security assurance, wherein security controls can be embedded across the DevOps workflow (Bird, 2016, Crouch, Gill, Sharma, 2017, Weeks, 2019, Wikipedia).

The preconceived notion that implementing security delays development and delivery can be addressed by automating the fulfilment of security requirements within the adopted processes and practices. DevSecOps fundamentally brings the concept of continuous security, which transforms security from compliance-oriented activities, generally undertaken towards the end of the development life cycle, into assurance-oriented activities carried out continuously across all workflow stages. DevSecOps codifies security policies into unified development, testing, deployment and operations practices through automation. In this work we propose a continuous security model, ADOC, that achieves this automation through appropriate OSS tools over the cloud. Automation is seen as the key differentiator for driving DevSecOps adoption, and OSS is being used successfully to drive this automation by capitalizing on cloud infrastructure and cloud-enabled technologies. The availability of OSS source code gives the freedom to innovate and customize features so as to automate essential and advanced security controls for a given business context. As more product and service providers adopt DevOps and DevSecOps, security controls need to be designed and implemented effectively in a given business context, with the right choice of OSS tools and cloud technologies, to deliver security with agility and velocity. Market reports forecast the DevOps market to grow from $3.4b in 2018 to $10.3b in 2023 (a compound annual growth rate of 24.7%) (MarketsandMarkets, 2018a) and the DevSecOps market to grow from $1.5b in 2018 to $5.9b in 2023 (a compound annual growth rate of 31.2%). The reports identify cloud deployments, container services and software automation solutions as the driving factors for this accelerated growth.

Whether technology drives the business or business drives the technology, a security model is needed to handle the threats and vulnerabilities that arise from moving perimeters and from the dynamics of applications, infrastructure and networks. The model should identify flaws before any user discovers them or any attacker exploits them. The automated security checks and controls in the proposed workflow of the ADOC model equip us to establish such a continuous security model. In this work we analyzed the challenges in adopting DevSecOps using OSS over the cloud and identified the requirements for a continuous security framework. Based on these requirements we conceptualized a continuous security framework (see 4.1). The framework inherits the fundamental principles and practices of DevOps and extends them to build security controls into the proposed workflow stages. It consists of six elements, nine principles, a twelve-stage workflow, seven practices, and two enablers, OSS and cloud. Together these form the building blocks of the proposed ADOC continuous security model. The ADOC model for DevSecOps adoption has three components: 1) the ADOC Engine, synthesizing forty security controls based on the defined conceptual framework; 2) OSS, as the propellant for this engine; and 3) the cloud, powering it. In the ADOC Engine, security controls are designed, based on the principles and practices defined in the framework, to perform security assurance activities. These controls are instated at control-points in the proposed workflow and are activated when the ADOC Engine executes the corresponding activities of the adopted practices. We further propose and map specific solutions for the reported adoption challenges onto the proposed security controls. The functioning of the ADOC model is explained through an example use case scenario.
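As an added illustration of what "codifying security policies into the workflow" and "a security control instated at a control-point" can look like in practice (example code written for this page, not code from the paper or from any ADOC tool): a stage-level gate that takes the normalized findings of whatever OSS scanners ran at that point (static analysis, software composition analysis, secret scanning), applies a declared policy with expiring risk acceptances, and returns both the pass/fail decision and per-control finding counts that can feed the pipeline's security metrics. The control names, severity scale, scanner field names, rule ids and sample findings are all constructed assumptions.

```python
"""Policy-as-code gate for one control-point in an automated delivery workflow.

Added illustration, not code from the paper or any ADOC tool: the stage
collects findings from whatever OSS scanners ran (SAST, SCA, secret
scanning), normalizes them, applies a declared policy with expiring risk
acceptances, and returns the gate decision together with per-control
counts that can feed the pipeline's security metrics. Control names,
the severity scale, rule ids and the sample findings are all assumed.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, Iterable, List, Tuple

# Ordered severity scale (assumed); unknown labels are mapped to "high" below
# so that a scanner emitting an unexpected value cannot slip past the gate.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    control: str    # automated control that raised it, e.g. "sast", "sca", "secrets"
    severity: str   # a key of SEVERITY_RANK
    rule: str       # rule id / advisory id / detector name as reported by the tool
    location: str   # file:line for code, package@version for a dependency


@dataclass
class Policy:
    # Lowest severity that blocks the stage, per control; "default" covers
    # controls not listed explicitly and must be present.
    block_at: Dict[str, str]
    # Accepted risks keyed by (control, rule) with an expiry date. A waiver
    # past its expiry is ignored, so accepted risk is re-examined, not forgotten.
    waivers: Dict[Tuple[str, str], date] = field(default_factory=dict)


@dataclass
class GateResult:
    passed: bool
    blocking: List[Finding]
    waived: List[Finding]
    counts: Dict[str, Dict[str, int]]   # metric: findings per control, per severity


def normalize(raw: dict) -> Finding:
    """Map one scanner record (assumed field names) onto the shared Finding shape."""
    sev = str(raw.get("severity", "")).lower()
    if sev not in SEVERITY_RANK:
        sev = "high"    # fail closed on an unrecognized severity label
    return Finding(raw["control"], sev, raw["rule"], raw["location"])


def evaluate_gate(raw_findings: Iterable[dict], policy: Policy, today: date) -> GateResult:
    """Apply the policy to all findings of this control-point and decide pass/fail."""
    counts: Dict[str, Dict[str, int]] = {}
    blocking: List[Finding] = []
    waived: List[Finding] = []
    for f in map(normalize, raw_findings):
        per_control = counts.setdefault(f.control, {})
        per_control[f.severity] = per_control.get(f.severity, 0) + 1
        threshold = policy.block_at.get(f.control, policy.block_at["default"])
        if SEVERITY_RANK[f.severity] < SEVERITY_RANK[threshold]:
            continue    # below the blocking threshold for this control: counted only
        expiry = policy.waivers.get((f.control, f.rule))
        if expiry is not None and expiry >= today:
            waived.append(f)
        else:
            blocking.append(f)
    return GateResult(passed=not blocking, blocking=blocking, waived=waived, counts=counts)


# Constructed sample input standing in for the merged output of three scanners.
SAMPLE_FINDINGS = [
    {"control": "sast", "severity": "HIGH", "rule": "sql-injection", "location": "billing/query.py:88"},
    {"control": "sast", "severity": "low", "rule": "unused-import", "location": "billing/util.py:3"},
    {"control": "sca", "severity": "critical", "rule": "known-vulnerable-version", "location": "examplelib@1.2.3"},
    {"control": "secrets", "severity": "unknown", "rule": "cloud-access-key", "location": "deploy/.env:12"},
]

# Constructed policy: high or worse blocks by default, any secret blocks,
# one current waiver for the dependency and one expired waiver for the SQLi rule.
SAMPLE_POLICY = Policy(
    block_at={"default": "high", "secrets": "low"},
    waivers={
        ("sca", "known-vulnerable-version"): date(2099, 1, 1),
        ("sast", "sql-injection"): date(2000, 1, 1),
    },
)


def run_sample(today: date = date(2024, 1, 1)) -> GateResult:
    """Evaluate the constructed findings against the constructed policy."""
    return evaluate_gate(SAMPLE_FINDINGS, SAMPLE_POLICY, today)


if __name__ == "__main__":
    result = run_sample()
    for f in result.blocking:
        print(f"BLOCK  {f.control:8s} {f.severity:8s} {f.rule} at {f.location}")
    for f in result.waived:
        print(f"WAIVED {f.control:8s} {f.severity:8s} {f.rule} at {f.location}")
    print("metrics:", result.counts)
    raise SystemExit(0 if result.passed else 1)   # non-zero fails the pipeline stage
```

Two design choices carry the security point. The gate fails closed: a severity label it does not recognize is treated as high rather than ignored, because a renamed scanner field must not turn into a silent pass. Risk acceptances carry an expiry, so a waiver granted for one release does not quietly exempt the same rule forever; when it lapses the finding blocks again and the team has to renew it consciously. The per-control counts returned alongside the decision are the raw material for the kind of performance metrics the model calls for, without a second pass over the scanner output.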

The rest of the paper is organized as follows. Section 2 gives a comparative analysis of related work. Section 3 highlights the challenges in DevSecOps adoption and identifies the research problems addressed in this work, along with the requirements for a continuous security framework. Section 4 explains the conceptual framework that forms the basis of the continuous security model and then describes the proposed model, ADOC. Section 5 maps the proposed solutions, through security controls, onto the reported challenges. Section 6 explains how the identified requirements and research problems are fulfilled. Section 7 illustrates the usage of the ADOC model, its performance measurement approach, and its pros and cons, followed by the conclusion and further research opportunities in Section 8.

Section snippets

Related work

This work focuses on addressing the challenges of integrating security into DevOps, institutionalized as DevSecOps, using the cloud and OSS as technology enablers, by proposing a conceptual model of continuous security. There are discrete studies of the benefits and challenges of adopting DevOps, DevSecOps, the cloud and OSS; however, to the best of our knowledge, a unified view of a DevSecOps security model through the design of security controls using OSS over the cloud has not been presented

Challenges in adoption of DevSecOps using OSS over cloud

DevSecOps is DevOps with security. DevSecOps is about collaborating with the security team and developing a culture wherein the development and operations teams include security as an integral component of their work products (Carter, 2017). It brings a cultural transformation to an organization by changing the mindset of its people: building and delivering security-enabled applications is everybody's responsibility, not just a tick mark at the end of the completed work. Automation plays a pivotal

Conceptual model for continuous security: Simplifying DevSecOps adoption using OSS over cloud

We propose a conceptual model for continuous security to simplify DevSecOps adoption using OSS over the cloud, addressing the requirements listed in Table 5. The proposed model has three components: 1) the ADOC Engine, an end-to-end automated workflow with a set of practices and embedded security assurance controls; 2) an open-source software suite, as the propellant for this engine; and 3) cloud infrastructure and technologies, to power it. The building blocks of these

Addressing challenges using the proposed ADOC continuous security model

The proposed ADOC continuous security model defines a possible set of security controls (Table 8) that can be used to address the challenges described in Section 3. These controls are based on the continuous security principles (see 4.2.1) and are executed through the adopted practices (see 4.2.3). The set is an indicative list of proposed security controls that can be modified and extended according to the business context. The choice of security controls is based

Mapping research problem and continuous security model requirements fulfillment in the proposed ADOC model

Table 13 maps the research problem addressed and the fulfilment of the different requirements for a continuous security model onto the proposed security model described in the previous sections.

This mapping illustrates how the proposed ADOC model fulfils the continuous security requirements and addresses the research problem listed in Table 5. The identified set of principles, practices, workflow, security controls, OSS tools and metrics in the proposed ADOC continuous security

Building continuous security in charging and billing system IT application using the ADOC model

We showcase an example use case scenario to illustrate the use of the proposed ADOC continuous security model. The use case outlines the adoption of DevSecOps for a standalone Charging and Billing System (CBS) IT application using the ADOC model, which can be extended to container-based delivery. Consider an IT company delivering CBS products and services to its global customers. Its product strategy team decides to implement DevSecOps practices to reduce the product update cycle from nine to

Conclusion and further research opportunity

In this work we presented a conceptual model, ADOC, for realizing continuous security in DevSecOps adoption. The ADOC model implements security as continuous assurance activities by codifying security controls into an automated delivery workflow. It enables businesses to deliver security-ready applications and services to market with accelerated velocity and sustainable agility in a cost-effective way. The continuous security requirements identified through the analysis of

CRediT authorship contribution statement

Rakesh Kumar: Conceptualization, Methodology, Software, Writing - original draft, Validation, Investigation. Rinkaj Goyal: Conceptualization, Methodology, Writing - review & editing, Visualization, Resources, Supervision.

Declaration of Competing Interest

The authors declare no conflict of interest.

Acknowledgments

The authors would like to convey their appreciation and gratitude to the anonymous reviewers. Their remarks and suggestions were extremely insightful and enabled us to improve the quality of the manuscript.


References (152)

• C.A. Ardagna et al. From security to assurance in the cloud: a survey. ACM Comput. Surv. (2015)
• M. Artac et al. DevOps: introducing infrastructure-as-code. 2017 IEEE/ACM 39th International Conference on Software Engineering Companion (ICSE-C) (2017)
• AWS, 2019. What is...
• A. Balalaie et al. Microservices architecture enables DevOps: migration to a cloud-native architecture. IEEE Softw. (2016)
• Bals, F., 2018. The AppSec alphabet soup: a guide to SAST, DAST, IAST, and RASP....
• L. Banica et al. When IoT meets DevOps: fostering business opportunities. KnE Soc. Sci. (2018)
• Betts, D., Bhat, M., Little, C., 2019. Four steps to adopt open-source software as part of the DevOps toolchain....
• J. Bird. DevOpsSec (2016)
• D.J. Bodeau et al. Cyber threat modeling: survey, assessment, and representative framework. Technical Report (2018)
• Boersma, E., 2019. Infrastructure as code: what is it, and why should my engineers...
• J.-M. Brook et al. Top threats to cloud computing: egregious eleven. Technical Report (2019)
• A. Brunnert et al. Performance-oriented DevOps: a research agenda. Technical Report (2015)
• K. Carter. Francois Raynaud on DevSecOps. IEEE Softw. (2017)
• V. Casola et al. A novel security-by-design methodology: modeling and assessing security by SLAs with a quantitative approach. J. Syst. Softw. (2020)
• Chandrasekaran, A., 2019. Best practices for running containers and Kubernetes in production....
• Chandrasekaran, R., Rajamani, R., 2017. Using DevOps intelligent insights to deliver greater business value....
• Chef, 2015. Automation and the DevOps workflow....
• L. Chen. Continuous delivery: huge benefits, but challenges too. IEEE Softw. (2015)
• 451 Research, 2018. DevSecOps realities and opportunities....
• Chick, T. A., 2018. Integrating the risk management framework (RMF) with DevOps....
• Chun Wei (Johnny), S., 2005. Misuse cases and abuse cases in eliciting security requirements....
• Cloud Security Alliance, 2019. Cloud Control Matrix v3.0.1–080319....
• CNCF, 2019. Cloud Native Computing Foundation....
• B. Combemale et al. Towards a model-based DevOps for cyber-physical systems
• S. Crawford et al. Securing open source, Part 2: software composition analysis comes into its own. Technical Report (2018)
• Crouch, A., 2017. DevSecOps: incorporate security into DevOps to reduce software risk....
• CSA. Security-by-design framework. Technical Report (2017)
• CSCC. Security for cloud computing: ten steps to ensure success. Technical Report (2017)
• N. Daswani et al. Foundations of Security: What Every Programmer Needs to Know (2007)
• J. Davis et al. Effective DevOps: Building a Culture of Collaboration, Affinity, and Tooling at Scale (2016)
• S. Deck. Adapting AppSec to a DevOps World. Technical Report (2018)
• DevOps.com, 2019. The state of DevOps tools 2019....
• P. Donkers. MYST: Automated DevOps for distributed applications across heterogeneous Cloud, Fog and Edge infrastructures (2019)
• B. Duncan et al. Developing a conceptual framework for cloud security assurance. 2013 IEEE 5th International Conference on Cloud Computing Technology and Science (2013)
• Duvall, G. E., 2019. DevSecOps: injecting security into DevOps....
• C. Ebert et al. DevOps. IEEE Softw. (2016)
• ENISA. Cloud security guide for SMEs. Technical Report (2015)
• Erich, F., Amrit, C., Daneva, M., 2014. Report: DevOps literature review....
• D.A.B. Fernandes et al. Security issues in cloud environments: a survey. Int. J. Inf. Secur. (2014)
• E.B. Fernandez et al. Defining security requirements through misuse actions
Rakesh Kumar is pursuing a doctorate from Guru Gobind Singh Indraprastha University, Delhi. He holds a bachelor of engineering degree in computer science from Visvesvaraya National Institute of Technology, Nagpur, India, and a master of technology degree in computer science from USIC&T, Guru Gobind Singh Indraprastha University, New Delhi, India. His areas of work are in automation, network security, data analytics, artificial intelligence, and machine learning. He is a CISM, ITIL and PMP certified professional working with Ericsson India Global Services Pvt Ltd.

Rinkaj Goyal is currently an assistant professor with the University School of Information, Communication and Technology (USIC&T), Guru Gobind Singh Indraprastha University, Delhi. His teaching and research interests include software engineering focusing on object-oriented metrics, multi-agent systems, and theoretical computer science. He maintains an informal student interest group on agent-based modelling (SIG-ABM) at USIC&T.