
tapiserí: Blueprint to modernize DevSecOps for real world

Published: 06 December 2021

Abstract

The micro-service application pattern has revolutionized the overall software delivery lifecycle. Modularization has allowed monolithic applications to be broken into independent components that can be developed faster, and automation in CI/CD has enabled high-velocity deployment of applications to the cloud. Such modernization has mandated putting security at the center of the workflow from code to container, giving rise to the DevSecOps paradigm. However, the effectiveness of existing DevSecOps solutions is limited by a lack of good development practices and by their narrow scope: they are applied for security analytics only around code hygiene, such as vulnerability scanning and license auditing. We discuss our survey of these challenges and highlight their security implications. In tapiserí we then present a wider perspective for designing a DevSecOps solution that addresses prevalent challenges around supply chain security and build security for micro-services, ensures the integrity of the pipelines themselves, and brings transparency and auditability to the process.


Cited By

  • Software supply chain security: a systematic literature review. International Journal of Computers and Applications, 46(10):853-867, 2024. DOI: 10.1080/1206212X.2024.2390978. Online publication date: 19 August 2024.

Published In

    WoC '21: Proceedings of the Seventh International Workshop on Container Technologies and Container Clouds
    December 2021, 37 pages
    ISBN: 9781450391719
    DOI: 10.1145/3493649

In-Cooperation

    • IFIP

    Publisher

    Association for Computing Machinery, New York, NY, United States


    Author Tags

    1. CyberSecurity
    2. DevSecOps
    3. Software Bill-of-Material
    4. Supply Chain Security

    Qualifiers

    • Short-paper
    • Research
    • Refereed limited

Conference

    Middleware '21
