In organizations that use DevOps practices, software changes can be deployed as fast as 500 times or more per day. Without adequate involvement of the security team, rapidly deployed software changes are more likely to contain vulnerabilities due to lack of adequate reviews. The goal of this paper is to aid software practitioners in integrating security and DevOps by summarizing experiences in utilizing security practices in a DevOps environment. We analyzed a selected set of Internet artifacts and surveyed representatives of nine organizations that are using DevOps to systematically explore experiences in utilizing security practices. We observe that the majority of the software practitioners have expressed the potential of common DevOps activities, such as automated monitoring, to improve the security of a system. Furthermore, organizations that integrate DevOps and security utilize additional security activities, such as security requirements analysis and performing security configurations. Additionally, these teams also have established collaboration between the security team and the development and operations teams.
Software Security in DevOps: Synthesizing Practitioners’ Perceptions and Practices
1. 1
Software Security in DevOps:
Synthesizing Practitioners’
Perceptions and Practice
Akond Rahman(aarahman@ncsu.edu), and
Laurie Williams
Department of Computer Science,
North Carolina State University
2. 2
Why Security in DevOps?
• Ensuring quality even when software
deployment is rapid
• Adoption concerns
3. 3
Research Objective
Aid software practitioners in integrating security
and DevOps by summarizing experiences in
utilizing security practices in a DevOps
environment.
4. 4
Background
• DevSecOps is the concept of integrating security principles
through increased collaboration
• We differentiate between ‘activity’, and ‘security practice’.
– A DevOps activity focuses on achieving a small, well-
defined goal that has a tangible output.
– A security practice is a collection of activities that can be
grouped based on existing similarities within those
activities.
5. 5
Our Contributions
• A list of DevOps activities that might have a
positive and negative impact
• A list of security practices and an analysis of
how they are used in DevOps organizations
• An analysis that quantifies the levels of
collaboration
6. 6
Research Questions
• RQ1: Perception. How do software
practitioners perceive the integration of
DevOps and security? What DevOps related
activities contribute to those perceptions?
• RQ2: Security Practices. What security
practices are used by organizations that
integrate security into DevOps?
8. 8
RQ1: Identified Perceptions
• Positive Perceptions
– Use of automated monitoring
– Use of automated pipeline to deploy software
– Automatic deployment of software
– Automatic testing of software changes
– Delivering software in small increments
9. 9
RQ1: Identified Perceptions
• Negative Perceptions
– Use of immature automated deployment tools
– Use of inappropriate software metrics
– Inadequate monitoring of collaboration
10. 10
RQ2: Identified Automated Activities
• Automation of Code Review
• Automation of Monitoring
• Automation of Software defined Firewall
• Automation of Software Licensing
• Automation of Testing
16. 16
RQ1: Empirical Findings – Positive
Aspects (Survey)
0
1
2
3
4
5
6
7
8
9
Use of automated
monitoring
Use of automated pipeline to
deploy software
Automatic deployment of
software
Automatic testing of
software changes
Delivering software in small
increments
CountofOrganizations
Yes No
17. 17
0
1
2
3
4
5
6
7
8
9
Automation of monitoring Automation of testing Automation of code review Automation of software
defined firewall
Automation of software
licensing
CountofOrganizations
Yes No
RQ2: Empirical Findings – Automation
Practices (Survey)
20. 20
Summary
• Answer to RQ1:
– A certain set of DevOps activities are perceived to
be beneficial for system’s security
• Answer to RQ2:
– A certain set of DevOps specific automated and
non-automated activities are used to implement
security
– Moderate to strong collaboration exists between
teams
21. 21
Limitations
• Incomprehensive set of Internet artifacts
• Incomprehensive set of security practices
• Generalizability of empirical findings
• Impact of collaboration on practice usage
22. 22
Conclusion
• Commonly used DevOps activities can be
helpful to a system’s security.
• Security teams actively collaborate with
development and operations teams in
established DevOps organizations.
• Security awareness is prevalent amongst
established DevOps organizations
Notas del editor
Image Reference: http://www.mmatechs.com/solutions.html http://www.gartner.com/newsroom/id/2867917 Gartner: a leading software engineering research and advisory company