Research article, DOI: 10.1145/2896941.2896946

Software security in DevOps: synthesizing practitioners' perceptions and practices

Published: 14 May 2016

Abstract

In organizations that use DevOps practices, software changes can be deployed as fast as 500 times or more per day. Without adequate involvement of the security team, rapidly deployed software changes are more likely to contain vulnerabilities due to a lack of adequate review. The goal of this paper is to aid software practitioners in integrating security and DevOps by summarizing experiences of applying security practices in a DevOps environment. We analyzed a selected set of Internet artifacts and surveyed representatives of nine organizations that use DevOps in order to systematically explore those experiences. We observe that the majority of software practitioners see the potential of common DevOps activities, such as automated monitoring, to improve the security of a system. Furthermore, organizations that integrate DevOps and security use additional security activities, such as security requirements analysis and performing security configurations. These teams have also established collaboration between the security team and the development and operations teams.



Published In

CSED '16: Proceedings of the International Workshop on Continuous Software Evolution and Delivery, May 2016, 98 pages. ISBN: 9781450341578. DOI: 10.1145/2896941

Publisher

Association for Computing Machinery, New York, NY, United States


    Author Tags

    1. DevOps
    2. security
    3. software practices
    4. survey

Conference

ICSE '16
