DevSecOps - integrating continuous security into DevOps pipelines: a case study

  • Rafael Pio de França IFF
  • Vinicius Barcelos da Silva IFF

Abstract

DevOps seeks to integrate the development and operations worlds through extensive automation of the software development and delivery phases. Although DevOps does not exclude security, incorporating security is often seen as a bottleneck for DevOps adoption. This work demonstrates, through a case study, the construction of a DevOps pipeline and its integration with continuous security, yielding a DevSecOps pipeline. A comparison of the two pipelines shows that both fulfilled their automation roles, but only the DevSecOps pipeline prevented a vulnerable application from being delivered to production, which indicates it as an adequate solution for adopting DevOps in a secure and agile way.
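The mechanism the abstract describes, a pipeline whose security stages feed a gate that blocks promotion to production, is illustrated by the added example below. It is not code from the paper or from the authors' case study: the stage names, the severity policy, the accepted-risk exceptions and the sample scanner findings are all constructed here for illustration. The example runs the same findings through a plain DevOps pipeline (no gate) and through a DevSecOps pipeline (scanners plus gate) and shows that only the latter stops the deploy. It also handles two edge cases a real gate must get right: an accepted risk that has expired no longer suppresses a finding, and a finding with an unrecognised severity fails closed rather than slipping through.

```python
"""Minimal CI security gate: decides whether a build may be promoted to production.

Added illustration; the stage names, policy fields and findings are constructed
assumptions, not the tooling or data of the paper's case study.
"""
from dataclasses import dataclass, field
from datetime import date

# Severity ladder used by the gate. Anything not in this table is treated as
# blocking (fail closed), so a scanner emitting an unexpected label cannot
# silently bypass the gate.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    tool: str       # which stage produced it: "sast", "sca" or "dast" (hypothetical names)
    rule: str       # scanner rule identifier (hypothetical)
    severity: str   # expected to be a key of SEVERITY_RANK
    location: str   # file, dependency or URL the finding points at


@dataclass
class GatePolicy:
    block_at: str = "high"                                  # block at this severity or above
    accepted: dict[str, date] = field(default_factory=dict)  # rule id -> expiry of the risk acceptance


@dataclass
class GateResult:
    allowed: bool
    blocking: list[Finding]
    accepted: list[Finding]


def evaluate_gate(findings: list[Finding], policy: GatePolicy, today: date) -> GateResult:
    """Classify findings against the policy; the build passes only if nothing blocks."""
    threshold = SEVERITY_RANK[policy.block_at]
    blocking, accepted = [], []
    for f in findings:
        rank = SEVERITY_RANK.get(f.severity)
        if rank is not None and rank < threshold:
            continue                                   # below the policy threshold
        expiry = policy.accepted.get(f.rule)
        if rank is not None and expiry is not None and today <= expiry:
            accepted.append(f)                         # documented, unexpired risk acceptance
        else:
            blocking.append(f)                         # unknown severity or no valid acceptance
    return GateResult(allowed=not blocking, blocking=blocking, accepted=accepted)


def run_pipeline(stages: list[str], findings: list[Finding], policy: GatePolicy, today: date):
    """Simulate the stages in order; return (stages that ran, whether deploy happened)."""
    ran = []
    for stage in stages:
        ran.append(stage)
        if stage == "security-gate" and not evaluate_gate(findings, policy, today).allowed:
            return ran, False                          # gate fails the build; deploy never runs
    return ran, "deploy" in ran


# Constructed stage lists: the plain DevOps pipeline has no security stages at all.
DEVOPS_STAGES = ["build", "test", "deploy"]
DEVSECOPS_STAGES = ["build", "test", "sast", "sca", "dast", "security-gate", "deploy"]

# Constructed sample findings, as the scanners of the DevSecOps pipeline might report them.
SAMPLE_FINDINGS = [
    Finding("sast", "sast/hardcoded-secret", "medium", "src/config.js:12"),
    Finding("sca", "sca/vulnerable-dependency", "high", "package-lock.json: example-lib"),
    Finding("dast", "dast/missing-security-headers", "high", "https://app.example.test/"),
]


if __name__ == "__main__":
    today = date(2022, 9, 12)
    print("DevOps   :", run_pipeline(DEVOPS_STAGES, SAMPLE_FINDINGS, GatePolicy(), today))
    print("DevSecOps:", run_pipeline(DEVSECOPS_STAGES, SAMPLE_FINDINGS, GatePolicy(), today))
    for f in evaluate_gate(SAMPLE_FINDINGS, GatePolicy(), today).blocking:
        print("  blocked by", f.tool, f.rule, f.severity, f.location)
```

The gate is deliberately the last stage before deploy so that every scanner has reported; placing it earlier would let a later stage's findings reach production. Risk acceptances carry an expiry because an open-ended exception quietly turns the gate back into the plain DevOps pipeline.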

Published
2022-09-12
DE FRANÇA, Rafael Pio; DA SILVA, Vinicius Barcelos. DevSecOps - integração da segurança contínua em pipelines DevOps: um estudo de caso. In: WORKSHOP ON SCIENTIFIC INITIATION AND UNDERGRADUATE WORKS - BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 22. , 2022, Santa Maria. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2022 . p. 272-285. DOI: https://doi.org/10.5753/sbseg_estendido.2022.225293.