Weaving Security into DevOps Practices in Highly Regulated Environments

2022 ◽  
pp. 1177-1201
Author(s):  
Jose Andre Morales ◽  
Hasan Yasar ◽  
Aaron Volkmann
Keyword(s):  
Intellectual Property ◽  
Software Development ◽  
Security Policies ◽  
Extensive Experience ◽  
Development Lifecycle ◽  
Methods And Techniques ◽  
Software Development Lifecycle ◽  
Forward Process

In this article, the authors discuss enhancing a DevOps implementation in a highly regulated environment (HRE) with security principles. DevOps has become a standard option for entities seeking to streamline and increase participation by all stakeholders in their Software Development Lifecycle (SDLC). For a large portion of industry, academia, and government, applying DevOps is a straight forward process. There is, however, a subset of entities in these three sectors where applying DevOps can be very challenging. These are entities mandated by security policies to conduct all, or a portion, of their SDLC activities in an HRE. Often, the reason for an HRE is protection of intellectual property and proprietary tools, methods, and techniques. Even if an entity is functioning in a highly regulated environment, its SDLC can still benefit from implementing DevOps as long as the implementation conforms to all imposed policies. A benefit of an HRE is the existence of security policies that belong in a secure DevOps implementation. Layering an existing DevOps implementation with security will benefit the HRE as a whole. This work is based on the authors extensive experience in assessing and implementing DevOps across a diverse set of HREs. First, they extensively discuss the process of performing a DevOps assessment and implementation in an HRE. They follow this with a discussion of the needed security principles a DevOps enhanced SDLC should include. For each security principle, the authors discuss their importance to the SDLC and their appropriate placement within a DevOps implementation. They refer to a security enhanced DevOps implementation in an HRE as HRE-DevSecOps.

Weaving Security into DevOps Practices in Highly Regulated Environments

2018 ◽  
Vol 9 (1) ◽  
pp. 18-46
Author(s):  
Jose Andre Morales ◽  
Hasan Yasar ◽  
Aaron Volkmann
Keyword(s):  
Intellectual Property ◽  
Software Development ◽  
Security Policies ◽  
Extensive Experience ◽  
Development Lifecycle ◽  
Methods And Techniques ◽  
Software Development Lifecycle ◽  
Forward Process

In this article, the authors discuss enhancing a DevOps implementation in a highly regulated environment (HRE) with security principles. DevOps has become a standard option for entities seeking to streamline and increase participation by all stakeholders in their Software Development Lifecycle (SDLC). For a large portion of industry, academia, and government, applying DevOps is a straight forward process. There is, however, a subset of entities in these three sectors where applying DevOps can be very challenging. These are entities mandated by security policies to conduct all, or a portion, of their SDLC activities in an HRE. Often, the reason for an HRE is protection of intellectual property and proprietary tools, methods, and techniques. Even if an entity is functioning in a highly regulated environment, its SDLC can still benefit from implementing DevOps as long as the implementation conforms to all imposed policies. A benefit of an HRE is the existence of security policies that belong in a secure DevOps implementation. Layering an existing DevOps implementation with security will benefit the HRE as a whole. This work is based on the authors extensive experience in assessing and implementing DevOps across a diverse set of HREs. First, they extensively discuss the process of performing a DevOps assessment and implementation in an HRE. They follow this with a discussion of the needed security principles a DevOps enhanced SDLC should include. For each security principle, the authors discuss their importance to the SDLC and their appropriate placement within a DevOps implementation. They refer to a security enhanced DevOps implementation in an HRE as HRE-DevSecOps.

scholarly journals SOLF - A SOFTWARE DEVELOPMENT LIFECYCLE BASED ON GOLF

2020 ◽  
Author(s):  
CRS Kumar
Keyword(s):  
Software Development ◽  
Development Project ◽  
Difficulty Level ◽  
Golf Course ◽  
Skill Levels ◽  
Development Lifecycle ◽  
Proposed Model ◽  
Development Life Cycle ◽  
Software Development Lifecycle ◽  
Engineering Models

In the game of Golf, a player is challenged to take the minimum strokes to complete a round of 18 holes under varying playing conditions. Players use different clubs depending on their skill levels to achieve the desired distance while taking shots at the golf ball from the start (tee off) to the hole (pin). Unlike other games which have a standardized playing area, the terrain in a golf course comprises of various natural and manmade features viz. fairways, bunkers, trees, water bodies etc, which increase the difficulty level of the game and keep the players challenged.The game of golf has a fascinating similarity to a software development life cycle. If the holes on a golf course are considered akin to milestones in a development project then most of the Software Engineering models focus on software development in groups. Thus, we propose SOLF i.e Software Development Lifecycle model based on Golf, as a SDLC ideal for individuals or a small group of 2-3 developers. The proposed model is easy to comprehend, flexible and optimally adjustable in a dynamic environment.SOLF divides the project into 18 stages wherein each stage of the project will have 3 to 6 tasks which are required to be completed within a fixed timeline. The stages are managed by creating checklists at the start akin to the pre-shot routines in golf and the customer feedback is received on reaching each of the milestones similar to applause in the game of golf. Terrain of the golf course is reflected as risk list which are varying for each of the stages.SOLF achieves 10x speedup in software development and research projects as it creates an environment of challenges and drives the developer towards self excellence. It also inculcates a spirit of competition and sportsmanship by challenging the developers on various 'terrains' of development.

scholarly journals DevOps phases across Software Development Lifecycle

2021 ◽  
Author(s):  
Mayank Gokarna
Keyword(s):  
Life Cycle ◽  
Software Development ◽  
Implementation Strategy ◽  
Quality Of Services ◽  
Comprehensive Collection ◽  
Development Lifecycle ◽  
Development Life Cycle ◽  
Software Development Lifecycle ◽  
Software Development Life Cycle

DevOps is the combination of cultural mindset, practices, and tools that increases a team's ability to release applications and services at high velocity. The development and operations teams always have a conflict around the scope of responsibility. With these differences the quality and speed of delivery across software Development Life Cycle is negatively impacted. DevOps is about removing the barriers between two traditionally delimited teams, development and operations. With DevOps, these two teams work together to optimize both the productivity of developers and the reliability of operations. They strive to communicate frequently, increase efficiencies, and improve the quality of services they provide. They take full ownership for their services, often beyond where their stated roles or titles have traditionally been scoped. Transitioning to DevOps requires a change in culture and mindset first. It is quite difficult to persuade a whole company to change its culture at once. This paper aims to bring different phases of software development lifecycle into DevOps implementation strategy and presents a comprehensive collection of leading tools used across Software Development life Cycle to automate and integrate different stages of software delivery. This paper also highlights on DevOps practices which span across different phases of the Software Development Lifecycle and how those can be implemented with different tools available.

Creating and Applying Security Goal Indicator Trees in an Industrial Environment

2014 ◽  
pp. 999-1013
Author(s):  
Alessandra Bagnato ◽  
Fabio Raiteri ◽  
Christian Jung ◽  
Frank Elberzhager
Keyword(s):  
Software Development ◽  
Software Systems ◽  
Full Potential ◽  
Security Vulnerabilities ◽  
Industrial Project ◽  
Project Environment ◽  
Development Tools ◽  
Development Lifecycle ◽  
Software Development Lifecycle

Security inspections are increasingly important for bringing security-relevant aspects into software systems, particularly during the early stages of development. Nowadays, such inspections often do not focus specifically on security. With regard to security, the well-known and approved benefits of inspections are not exploited to their full potential. This book chapter focuses on the Security Goal Indicator Tree application for eliminating existing shortcomings, the training that led to their creation in an industrial project environment, their usage, and their reuse by a team in industry. SGITs are a new approach for modeling and checking security-relevant aspects throughout the entire software development lifecycle. This book chapter describes the modeling of such security goal based trees as part of requirements engineering using the GOAT tool dedicated plug-in and the retrieval of these models during the various phases of the software development lifecycle in a project by means of Software Vulnerability Repository Services (SVRS) created in the European project SHIELDS (SHIELDS - Detecting known security vulnerabilities from within design and development tools).

Assimilating and Optimizing Software Assurance in the SDLC

2012 ◽  
pp. 16-34
Author(s):  
Aderemi O. Adeniji ◽  
Seok-Won Lee
Keyword(s):  
Software Development ◽  
Development Lifecycle ◽  
Secure Software ◽  
Software Development Lifecycle ◽  
Software Processes ◽  
Software Lifecycle ◽  
Software Assurance

Software Assurance is the planned and systematic set of activities that ensures software processes and products conform to requirements while standards and procedures in a manner that builds trusted systems and secure software. While absolute security may not yet be possible, procedures and practices exist to promote assurance in the software lifecycle. In this paper, the authors present a framework and step-wise approach towards achieving and optimizing assurance by infusing security knowledge, techniques, and methodologies into each phase of the Software Development Lifecycle (SDLC).

Agile Software Development

2012 ◽  
pp. 1-15
Author(s):  
Torstein Nicolaysen ◽  
Richard Sassoon ◽  
Maria B. Line ◽  
Martin Gilje Jaatun
Keyword(s):  
Software Development ◽  
Agile Software Development ◽  
Agile Development ◽  
Implementation Team ◽  
Agile Methodologies ◽  
Development Organizations ◽  
Development Lifecycle ◽  
Software Development Lifecycle ◽  
Agile Software

In this article, the authors contrast the results of a series of interviews with agile software development organizations with a case study of a distributed agile development effort, focusing on how information security is taken care of in an agile context. The interviews indicate that small and medium-sized agile software development organizations do not use any particular methodology to achieve security goals, even when their software is web-facing and potential targets of attack. This case study confirms that even in cases where security is an articulated requirement, and where security design is fed as input to the implementation team, there is no guarantee that the end result meets the security objectives. The authors contend that security must be built as an intrinsic software property and emphasize the need for security awareness throughout the whole software development lifecycle. This paper suggests two extensions to agile methodologies that may contribute to ensuring focus on security during the complete lifecycle.

Sign in / Sign up

Export Citation Format

Share Document