1
Software Security in DevOps: Synthesizing Practitioners’ Perceptions and Practice
Akond Rahman and Laurie Williams
Department of Computer Science, North Carolina State University
2
Why Security in DevOps?
• Ensuring quality even when software deployment is rapid
• Adoption concerns
3
Research Objective
Aid software practitioners in integrating security and DevOps by summarizing experiences in utilizing security practices in a DevOps environment.
4
Background
• DevSecOps is the concept of integrating security principles through increased collaboration
• We differentiate between ‘activity’ and ‘security practice’.
– A DevOps activity focuses on achieving a small, well-defined goal that has a tangible output.
– A security practice is a collection of activities that can be grouped based on existing similarities within those activities.
5
Our Contributions
• A list of DevOps activities that might have a positive and negative impact
• A list of security practices and an analysis of how they are used in DevOps organizations
• An analysis that quantifies the levels of collaboration
6
Research Questions
• RQ1: Perception. How do software practitioners perceive the integration of DevOps and security? What DevOps related activities contribute to those perceptions?
• RQ2: Security Practices. What security practices are used by organizations that integrate security into DevOps?
7
Methodology
Identify Perceptions
Identify Practices
Conduct Survey
Data Analysis
66 Internet Artifacts
Nine DevOps Organizations
8
RQ1: Identified Perceptions
• Positive Perceptions
– Use of automated monitoring
– Use of automated pipeline to deploy software
– Automatic deployment of software
– Automatic testing of software changes
– Delivering software in small increments
9
RQ1: Identified Perceptions
• Negative Perceptions
– Use of immature automated deployment tools
– Use of inappropriate software metrics
– Inadequate monitoring of collaboration
10
RQ2: Identified Automated Activities
• Automation of Code Review
• Automation of Monitoring
• Automation of Software defined Firewall
• Automation of Software Licensing
• Automation of Testing
11
RQ2: Identified Non-Automated Activities
• Design Review
• Input Validation
• Isolation of Untrusted Inputs
• Performing Compliance Requirements
• Performing Security Configurations
• Performing Security Policies
• Security Requirements Analysis
• Performing Manual Security Tests
• Risk Analysis
• Threat Modeling
12
RQ1: Empirical Findings – Positive Aspects (Internet Artifacts)
[Bar chart: count of Internet artifacts (y-axis) for each positive aspect: automated monitoring, automated pipeline, automated deployment, automated testing, delivering software in small increments.]
13
RQ1: Empirical Findings – Negative Aspects (Internet Artifacts)
[Bar chart: count of Internet artifacts (y-axis) for each negative aspect: use of immature automated deployment tools, use of inappropriate software metrics, inadequate monitoring of collaboration.]
14
RQ2: Empirical Findings – Automation Practices (Internet Artifacts)
[Bar chart: count of Internet artifacts (y-axis) for each automation practice: automation of monitoring, automation of testing, automation of code review, automation of software licensing, automation of software defined firewall.]
15
RQ2: Empirical Findings – Non Automation Practices (Internet Artifacts)
[Bar chart: count of Internet artifacts (y-axis) for each non-automation practice: security requirements analysis, performing security configurations, performing security policies, performing manual security tests, performing compliance requirements, design review, input validation, isolation of untrusted inputs, threat modeling, risk analysis.]
16
RQ1: Empirical Findings – Positive Aspects (Survey)
[Bar chart: count of organizations (y-axis) answering Yes or No for each positive aspect: use of automated monitoring, use of automated pipeline to deploy software, automatic deployment of software, automatic testing of software changes, delivering software in small increments.]
17
RQ2: Empirical Findings – Automation Practices (Survey)
[Bar chart: count of organizations (y-axis) answering Yes or No for each automation practice: automation of monitoring, automation of testing, automation of code review, automation of software defined firewall, automation of software licensing.]
18
RQ2: Empirical Findings – Non Automation Practices (Survey)
[Bar chart: count of organizations (y-axis) answering Yes or No for each non-automation practice: performing security policies, performing manual security tests, input validation, performing compliance requirements, performing security configurations, risk analysis, isolation of untrusted inputs, threat modeling, design review, security requirements analysis.]
19
RQ2: Empirical Findings – Collaboration (Survey)
[Bar chart: count of organizations (y-axis) reporting each collaboration level (Lowest, Low, Moderate, High, Highest) for the team pairs Dev&Ops, Dev&Sec, and Sec&Ops.]
20
Summary
• Answer to RQ1:
– A certain set of DevOps activities are perceived to be beneficial for a system’s security
• Answer to RQ2:
– A certain set of DevOps-specific automated and non-automated activities are used to implement security
– Moderate to strong collaboration exists between teams
21
Limitations
• Incomprehensive set of Internet artifacts
• Incomprehensive set of security practices
• Generalizability of empirical findings
• Impact of collaboration on practice usage
22
Conclusion
• Commonly used DevOps activities can be helpful to a system’s security.
• Security teams actively collaborate with development and operations teams in established DevOps organizations.
• Security awareness is prevalent amongst established DevOps organizations