Top

Software Quality Journal

Published in:

26-04-2023

From DevOps to DevSecOps is not enough. CyberDevOps: an extreme shifting-left architecture to bring cybersecurity within software security lifecycle pipeline

Authors: Federico Lombardi, Alberto Fanton

Published in: Software Quality Journal | Issue 2/2023

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

Software engineering is evolving quickly leading to an urgency to discover more efficient development models. DevOps and its security-oriented extension DevSecOps promised to speed up the development process while ensuring more robust code. However, many third-party libraries and infrastructure vulnerabilities may still pose security flaws. Besides, regulatory compliance and standards go beyond secure software asking for comprehensive security and accurate infrastructure hardening. Thus, we may wonder: is DevSecOps enough? In this paper, we propose CyberDevOps, a novel architecture which integrates cybersecurity within DevSecOps. Specifically, (i) we revise software composition analysis to deal with nondeterministic environments and (ii) we incorporate vulnerability assessment and compliance within a further pipeline step. To assess the effectiveness of CyberDevOps, we conduct an experimental evaluation. Specifically, we attack a web application and we show how CyberDevOps is able to detect hidden defects while a standard DevSecOps pipeline fails. Furthermore, we assess code quality and security by comparing DevOps, DevSecOps, and CyberDevOps by monitoring two Conio code bases over a year. The results show that CyberDevOps helps to fix up to 100% of known bugs and vulnerabilities and improve significantly the code quality.

previous article Assessing the specification of modelling language semantics: a study on UML PSSM

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Available only for authorised users

After DevSecOps, SecDevOps have been proposed. Although we detail their difference in the next section, for the sake of simplicity, in this paper, we refer to them only as “DevSecOps.”

Falcon Spotlight has a 15-day free trial.

Conio OSINT-VA uses machine learning inferences inspired by the PASCAL Forecaster (Lombardi et al., 2019).

The wrapper for Pillow we implemented can be found on the pypi.org website Fanton.

VirusTotal page of the gs binary under exam: https://www.virustotal.com/gui/file/13a6540ba15c62bac6340d0e6c64e9db766502bca15194621b537c4e4f0d29e6/details

API call to the MITRE DB: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ghostscript

The available Sonarqube metrics can be found in SonarSource S.A..

AICPA. (1997). System and Organization Controls: SOC Suite of Services. https://us.aicpa.org/interestareas/frc/assuranceadvisoryservices/sorhome

Aniello, L., Baldoni, R., & Lombardi, F. (2016). A blockchain-based solution for enabling log-based resolution of disputes in multi-party transactions. In International Conference in Software Engineering for Defence Applications (pp. 53–58). Springer.

Aqua Security. (2019). Trivy. https://github.com/aquasecurity/trivy

Aqua Security. (2021). Shift left DevOps. https://www.aquasec.com/cloud-native-academy/devsecops/shift-left-devops/

Artifex. (1998). Ghostscript. https://www.ghostscript.com/

Atlassian. (2020). Atlassian survey 2020 - DevOps trends. https://www.atlassian.com/whitepapers/devops-survey-2020

AWSLabs. (2016). git-secrets. https://github.com/awslabs/git-secrets

Baldoni, R., Cerocchi, A., Ciccotelli, C., Donno, A., Lombardi, F., & Montanari, L. (2014). Towards a non-intrusive recognition of anomalous system behavior in data centers. In: International Conference on Computer Safety, Reliability, and Security (pp. 350–359). Springer.

Bass, L., Holz, R., Rimba, P., Tran, A. B., & Zhu, L. (2015) Securing a deployment pipeline. In 2015 IEEE/ACM 3rd International Workshop on Release Engineering (pp. 4–7). IEEE.

Bird, J. (2016). DevOpsSec: Delivering secure software through continuous delivery. O’Reilly Media.

Bosch, J. (2014). Continuous software engineering: An introduction. Continuous Software Engineering (pp. 3–13). Springer.

Carter, K. (2017). Francois Raynaud on DevSecOps. IEEE Software, 34(5), 93–96.CrossRef

Casey, K. (2018). How to build a strong DevSecOps culture: 5 tips. The Enterprisers Project. https://enterprisersproject.com/article/2018/6/how-build-strong-devsecops-culture-5-tips

Cash, S., Jain, V., Jiang, L., Karve, A., Kidambi, J., Lyons, M., Mathews, T., Mullen, S., Mulsow, M., & Patel, N. (2016). Managed infrastructure with IBM Cloud OpenStack Services. IBM Journal of Research and Development, 60(2–3), 6–1.

Center for Internet Security. (2017). CIS Oracle Linux 6 Benchmark. https://www.cisecurity.org/wp-content/uploads/2017/04/CIS_Oracle_Linux_6_Benchmark_v1.0.0.pdf

Chaillan, N., & Yasar, H. (2019). Waterfall to DevSecOps in DoD. Technical report, Carnegie Mellon University Software Engineering Institute Air Force.

Chen, L. (2015). Continuous delivery: Huge benefits, but challenges too. IEEE Software, 32(2), 50–54.CrossRef

Chickowski, E. (2018). Seven winning DevSecOps metrics security should track. Bitdefender. https://businessinsights.bitdefender.com/seven-winning-devsecops-metrics-security-should-track

Ciccotelli, C., Aniello, L., Lombardi, F., Montanari, L., Querzoni, L., & Baldoni, R. (2015). Nirvana: A non-intrusive black-box monitoring framework for rack-level fault detection. In: 2015 IEEE 21st Pacific Rim International Symposium on Dependable Computing (PRDC) (pp. 11–20). IEEE.

Collins, R. (2017). PEP 508 – Dependency specification for Python Software Packages. https://www.python.org/dev/peps/pep-0508/

Conio Inc. (2018). Conio git Repository. https://github.com/Conio

Crouch, A. (2018). DevSecOps: Incorporate security into DevOps to reduce software risk. Birmingham: Pack Publishing. https://www.agileconnection.com/article/devsecops-incorporate-security-devops-reduce-software-risk

Desai, R., & Nisha, T. (2021). Best practices for ensuring security in devops: A case study approach. Journal of Physics: Conference Series, 1964, 042045.

Digkas, G., Chatzigeorgiou, A. N., Ampatzoglou, A., & Avgeriou, P. C. (2020). Can clean new code reduce technical debt density. IEEE Transactions on Software Engineering.

Dimov, A., & Dimitrov, V. (2021). Classification of software security tools, In: Information Systems and Grid Technologies.

Ecik, H. (2021). Comparison of active vulnerability scanning vs. passive vulnerability detection. In 2021 International Conference on Information Security and Cryptology (ISCTURKEY) (pp. 87–92). Turkey: ISC. https://doi.org/10.1109/ISCTURKEY53027.2021.9654331

Falcon. (2023). Spotlight. https://cloudprotectionworks.com/datasheets/FalconSpotlightDatasheetv2.pdf

Fanton, A. (2022). Vulnerable pillow wrapper. https://pypi.org/project/vuln-pillow-wrapper/

Farroha, B. S., & Farroha, D. L. (2014). A framework for managing mission needs, compliance, and trust in the DevOps environment. In 2014 IEEE Military Communications Conference (pp. 288–293). IEEE. https://doi.org/10.1109/MILCOM.2014.54

Fitzgerald, B., & Stol, K. -J. (2017). Continuous software engineering: A roadmap and agenda. Journal of Systems and Software, 123, 176–189.CrossRef

Foo, D., Yeo, J., Xiao, H., & Sharma, A. (2019). The dynamics of software composition analysis. arXiv preprint arXiv:1909.00973

Fredrik, L., & Clark, A. (2016). Pillow. https://python-pillow.org/

GhostScript. (1998). Doc. https://www.ghostscript.com/doc/current/History9

Google. (2004). Virus Total. https://www.virustotal.com/

Greenbone. (2006). OpenVAS. https://www.openvas.org/

Hejase, H. J., Fayyad-Kazan, H. F., & Moukadem, I. (2020). Advanced persistent threats (APT): An awareness review. J. Econ. Econ. Educ. Res, 21, 1–8.

Hsu, T. (2018). Hands-on security in DevOps: ensure continuous security, deployment, and delivery with DevSecOps. Packt Publishing.

Hudson, M. (2012). Git Hooks. https://githooks.com/

Humphrey, A. (2018). Diving into DevSecOps: Measuring effectiveness and success. Armor. https://www.armor.com/blog/diving-devsecops-measuring-effectiveness-success/

Hutchins, E. M., Cloppert, M. J., Amin, R. M., et al. (2011). Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains. Leading Issues in Information Warfare & Security Research, 1(1), 80.

Ibrahim, A., Yousef, A. H., & Medhat, W. (2022). DevSecOps: A security model for infrastructure as code over the cloud. In 2022 2nd International Mobile, Intelligent, and Ubiquitous Computing Conference (MIUCC) (pp. 284–288). MIUCC. https://doi.org/10.1109/MIUCC55081.2022.9781709

Imtiaz, N., Thorn, S., & Williams, L. (2021). A comparative study of vulnerability reporting by software composition analysis tools. In Proceedings of the 15th ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM) (pp. 1–11). ACM.

ISO/IEC (2017) ISO/IEC 27001 Information Security Management. https://www.iso.org/isoiec-27001-information-security.html

Jerbi, A. (2018). KPIs for managing and optimizing DevSecOps success. InfoWorld. https://www.infoworld.com/article/3237046/kpis-for-managing-and-optimizing-devsecops-success.html

José, F. (2018). Effective DevSecOps. https://medium.com/@fabiojose/effective-devsecops-f22dd023c5cd

Kawaguchi, K. (2015). Jenkins. https://www.jenkins.io/

Leite, L., Rocha, C., Kon, F., Milojicic, D., & Meirelles, P. (2019). A survey of DevOps concepts and challenges. ACM Computing Surveys (CSUR), 52(6), 1–35.CrossRef

Leppänen, M., Mäkinen, S., Pagels, M., Eloranta, V.-P., Itkonen, J., Mäntylä, M. V., & Männistö, T. (2015). The highways and country roads to continuous deployment. IEEE Software, 32(2), 64–72.CrossRef

Leppänen, T., Honkaranta, A., & Costin, A. (2022). Trends for the DevOps security. A systematic literature review. In International Symposium on Business Modeling and Software Design (pp. 200–217). Springer.

Letouzey, J. -L., & Coq, T. (2010). The sqale models for assessing the quality of real time source code. Toulouse: ERTSS 2010.

Lombardi, F. (2022). CDO Dataset. https://github.com/FLombardi-PhD/CDO_DATASET/

Lombardi, F., Muti, A., Aniello, L., Baldoni, R., Bonomi, S., & Querzoni, L. (2019). Pascal: An architecture for proactive auto-scaling of distributed services. Future Generation Computer Systems, 98, 342–361.CrossRef

Malware Tips. (2013). MalwareHub. https://malwaretips.com/categories/malware-hub.103/

Martorella, C. (2015). theHarvester. https://github.com/laramies/theHarvester

McCabe, T. (1976). A complexity measure ieee transactions on software engineering. IEEE Transactions on software Engineering, 2(4), 308–20.MathSciNetCrossRef

MITRE. (2018). CVE-2018-16509. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16509

MITRE. (2000). CVE Vulnerability Database. https://www.cve.org/

Mohan, V., & Othmane, L. B. (2016). SecDevOps: Is it a marketing buzzword? Mapping research on security in DevOps. In 2016 11th International Conference on Availability, Reliability and Security (ARES) (pp. 542–547). IEEE.

Nath, K., Dhar, S., & Basishtha, S. (2014). Web 1.0 to web 3.0-evolution of the web and its various challenges. In 2014 International Conference on Reliability Optimization and Information Technology (ICROIT) (pp. 86–89). IEEE.

NIST. (1999). National Institute of Standards and Technology. https://www.nist.gov/

Offsec Services Ltd. (2009). ExploitDB. https://www.exploit-db.com/

OWASP. (2016). OWASP Zed Attack Proxy (ZAP). https://www.zaproxy.org/

OWASP. (2020a). OWASP Dependency Check. https://owasp.org/www-project-dependency-check/

OWASP. (2020b). OWASP ModSecurity Core Rule Set. https://owasp.org/www-project-modsecurity-core-rule-set/

Paule, C. (2018). Securing DevOps: Detection of vulnerabilities in CD pipelines.

PCI Security Standard Council. (2006). Payment Card Industry Data Security Standard. https://www.pcisecuritystandards.org

PortSwigger (2003). Burp Suite. https://portswigger.net/burp

Prates, L., Faustino, J., Silva, M., & Pereira, R. (2019). DevSecOps metrics. In EuroSymposium on Systems Analysis and Design (pp. 77–90). Springer.

PuppetLabs. (2014). State of DevOps report. technical report 2014.

PuppetLabs. (2019). State of DevOps report. technical report 2019.

PyCQA. (2018). Bandit. https://github.com/PyCQA/bandit

Pyup. (2017). Safety. https://pyup.io/safety/

Rahman, A. A. U., & Williams, L. (2016). Software security in DevOps: Synthesizing practitioners’ perceptions and practices. In 2016 IEEE/ACM International Workshop on Continuous Software Evolution and Delivery (CSED) (pp. 70–76). IEEE.

Rajapakse, R. N., Zahedi, M., Babar, M. A., & Shen, H. (2022). Challenges and solutions when adopting devsecops: A systematic review. Information and Software Technology, 141, 106700.

Rapid7. (2003). Metasploit Framework. https://www.metasploit.com/

Raynaud, F. (2017). DevSecOps whitepaper. DevSecCon. https://www.devseccon.com/pf/london-2017/

Reitz, K. (2020). Pipenv. https://pipenv.pypa.io/

Sallin, M., Kropp, M., Anslow, C., Quilty, J. W., & Meier, A. (2021). Measuring software delivery performance using the four key metrics of DevOps. In International Conference on Agile Software Development (pp. 103–119). Cham: Springer.

Schermann, G., Cito, J., Leitner, P., Zdun, U., & Gall, H. (2016). An empirical study on principles and practices of continuous delivery and deployment. PeerJ Preprints: Technical report.CrossRef

Shahin, M., Babar, M. A., & Zhu, L. (2017). Continuous integration, delivery and deployment: A systematic review on approaches, tools, challenges and practices. IEEE Access, 5, 3909–3943.CrossRef

Shahin, M., Zahedi, M., Babar, M. A., & Zhu, L. (2019). An empirical study of architecting for continuous delivery and deployment. Empirical Software Engineering, 24(3), 1061–1108.CrossRef

Shodan. (2013). Shodan Search Engine. https://www.shodan.io/

SM7 Software. (2013). Spiderfoot. https://www.spiderfoot.net/

Sojan, A., Rajan, R., & Kuvaja, P. (2021). Monitoring solution for cloud-native DevSecOps. In: 2021 IEEE 6th International Conference on Smart Cloud (SmartCloud), pp. 125–131. https://doi.org/10.1109/SmartCloud52277.2021.00029

SonarSource S. A. (2013). Sonarqube. https://www.sonarqube.org/

SonarSource S. A. (2018). Metrics Definition. https://docs.sonarqube.org/latest/user-guide/metric-definitions/

Stahl, D., Martensson, T., & Bosch, J. (2017). Continuous practices and DevOps: Beyond the buzz, what does it all mean? In 2017 43rd Euromicro Conference on Software Engineering and Advanced Applications (SEAA) (pp. 440–448). IEEE.

Synopsys Software. (2021). BSIMM12, 2021 Insights Trends Report. https://www.bsimm.com/

Sysdig. (2015). Sysdig Secure. https://sysdig.com/products/secure/

TheHive Project. (2020). Cortex. https://github.com/TheHive-Project/Cortex

Tiangolo. (2019. FastAPI. https://fastapi.tiangolo.com/

Vijayan, J. (2019). 6 DevSecOps best practices: Automate early and often. TechBeacon. https://techbeacon.com/security/6-devsecops-best-practices-automate-early-often

Wazuh. (2008). The Open Source Security Platform. https://wazuh.com/

Wazuh. (2019). Defining an alert level threshold. https://documentation.wazuh.com/current/user-manual/manager/alert-threshold.html

Woodward, S. (2018). DevSecOps metrics approaches in 2018. Cloud Perspectives. https://www.brighttalk.com/webcast/499/333412

Zahedi, M., Rajapakse, R. N., & Babar, M. A. (2020). Mining questions asked about continuous software engineering: A case study of stack overflow. In Proceedings of the Evaluation and Assessment in Software Engineering (pp. 41–50). Association for Computing Machinery.

Title: From DevOps to DevSecOps is not enough. CyberDevOps: an extreme shifting-left architecture to bring cybersecurity within software security lifecycle pipeline
Authors: Federico Lombardi
Alberto Fanton
Publication date: 26-04-2023
Publisher: Springer US
Published in: Software Quality Journal / Issue 2/2023
Print ISSN: 0963-9314
Electronic ISSN: 1573-1367
DOI: https://doi.org/10.1007/s11219-023-09619-3

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft"

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Other articles of this Issue 2/2023

Dynamic and execution views to improve validation, testing, and optimization of autonomous driving software

Formal verification process of the compliance of a multicore AUTOSAR OS

Continuous design control for machine learning in certified medical systems

Prioritization and parallel execution of test cases for certification testing of embedded systems

Ergo, SMIRK is safe: a safety case for a machine learning component in a pedestrian automatic emergency brake system

Critical scenario identification for realistic testing of autonomous driving systems

Premium Partner