
Software Security in DevOps: Synthesizing Practitioners’ Perceptions and Practices


Page 1: Software Security in DevOps: Synthesizing Practitioners’ Perceptions and Practices


Software Security in DevOps: Synthesizing Practitioners’ Perceptions and Practices

Akond Rahman ([email protected]) and Laurie Williams

Department of Computer Science, North Carolina State University


Why Security in DevOps?

• Ensuring quality even when software deployment is rapid

• Adoption concerns


Research Objective

Aid software practitioners in integrating security and DevOps by summarizing experiences in utilizing security practices in a DevOps environment.


Background

• DevSecOps is the concept of integrating security principles through increased collaboration

• We differentiate between ‘activity’ and ‘security practice’.

– A DevOps activity focuses on achieving a small, well-defined goal that has a tangible output.

– A security practice is a collection of activities that can be grouped based on existing similarities within those activities.


Our Contributions

• A list of DevOps activities that might have a positive or a negative impact on security

• A list of security practices and an analysis of how they are used in DevOps organizations

• An analysis that quantifies the levels of collaboration


Research Questions

• RQ1: Perception. How do software practitioners perceive the integration of DevOps and security? What DevOps related activities contribute to those perceptions?

• RQ2: Security Practices. What security practices are used by organizations that integrate security into DevOps?


Methodology

• Identify Perceptions and Identify Practices: 66 Internet artifacts

• Conduct Survey: nine DevOps organizations

• Data Analysis


RQ1: Identified Perceptions

• Positive Perceptions

– Use of automated monitoring

– Use of automated pipeline to deploy software

– Automatic deployment of software

– Automatic testing of software changes

– Delivering software in small increments


RQ1: Identified Perceptions

• Negative Perceptions

– Use of immature automated deployment tools

– Use of inappropriate software metrics

– Inadequate monitoring of collaboration


RQ2: Identified Automated Activities

• Automation of Code Review

• Automation of Monitoring

• Automation of Software Defined Firewall

• Automation of Software Licensing

• Automation of Testing


RQ2: Identified Non-Automated Activities

• Design Review

• Input Validation

• Isolation of Untrusted Inputs

• Performing Compliance Requirements

• Performing Security Configurations

• Performing Security Policies

• Security Requirements Analysis

• Performing Manual Security Tests

• Risk Analysis

• Threat Modeling


RQ1: Empirical Findings – Positive Aspects (Internet Artifacts)

[Bar chart: count of Internet artifacts (0–10) for each positive aspect: automated monitoring, automated pipeline, automated deployment, automated testing, delivering software in small increments]


RQ1: Empirical Findings – Negative Aspects (Internet Artifacts)

[Bar chart: count of Internet artifacts (0–2) for each negative aspect: use of immature automated deployment tools, use of inappropriate software metrics, inadequate monitoring of collaboration]


RQ2: Empirical Findings – Automation Practices (Internet Artifacts)

[Bar chart: count of Internet artifacts (0–20) for each automation practice: automation of monitoring, automation of testing, automation of code review, automation of software licensing, automation of software defined firewall]


RQ2: Empirical Findings – Non Automation Practices (Internet Artifacts)

[Bar chart: count of Internet artifacts (0–6) for each non-automation practice: security requirements analysis, performing security configurations, performing security policies, performing manual security tests, performing compliance requirements, design review, input validation, isolation of untrusted inputs, threat modeling, risk analysis]


RQ1: Empirical Findings – Positive Aspects (Survey)

[Bar chart: count of organizations (0–9) answering Yes or No for each positive aspect: use of automated monitoring, use of automated pipeline to deploy software, automatic deployment of software, automatic testing of software changes, delivering software in small increments]


RQ2: Empirical Findings – Automation Practices (Survey)

[Bar chart: count of organizations (0–9) answering Yes or No for each automation practice: automation of monitoring, automation of testing, automation of code review, automation of software defined firewall, automation of software licensing]


RQ2: Empirical Findings – Non Automation Practices (Survey)

[Bar chart: count of organizations (0–9) answering Yes or No for each non-automation practice: performing security policies, performing manual security tests, input validation, performing compliance requirements, performing security configurations, risk analysis, isolation of untrusted inputs, threat modeling, design review, security requirements analysis]


RQ2: Empirical Findings – Collaboration (Survey)

[Bar chart: count of organizations (0–9) reporting Lowest, Low, Moderate, High or Highest collaboration for each team pair: Dev&Ops, Dev&Sec, Sec&Ops]


Summary

• Answer to RQ1:

– A certain set of DevOps activities are perceived to be beneficial for a system’s security

• Answer to RQ2:

– A certain set of DevOps-specific automated and non-automated activities are used to implement security

– Moderate to strong collaboration exists between teams


Limitations

• Not a comprehensive set of Internet artifacts

• Not a comprehensive set of security practices

• Generalizability of empirical findings

• Impact of collaboration on practice usage


Conclusion

• Commonly used DevOps activities can be helpful to a system’s security.

• Security teams actively collaborate with development and operations teams in established DevOps organizations.

• Security awareness is prevalent amongst established DevOps organizations.