DevSecOps: Securing Infrastructure in the Age of Automation

Prashant K. Prasad

Abstract

Cloud-native infrastructure, Infrastructure as Code (IaC), containers, and CI/CD pipelines are used by organizations to improve scalability and deployment times. This article explores how DevSecOps can enable security in automated infrastructure environments and how it integrates security in a continuous manner. DevSecOps adoption and its effects on security performance were evaluated using a quantitative research approach. The results indicate that 82% of respondents conduct IaC security scanning, 76% have security integrated into their CI/CD pipelines, and 71% perform container vulnerability scanning. The research also revealed that, after adoption of the DevSecOps initiative, vulnerability detection was up to 73% faster, configuration-error incident avoidance reached up to 67%, and deployment reliability increased by up to 72%. The results show that DevSecOps is a key set of principles for ensuring that infrastructure configuration is secure and scalable.

How to Cite

DevSecOps: Securing Infrastructure in the Age of Automation. (2019). International Journal of Research Publications in Engineering, Technology and Management (IJRPETM), 2(1), 930-938. https://doi.org/10.15662/IJRPETM.2019.0201003
