DOI: 10.1145/3639477.3639744
Research article, open access

Automated Security Findings Management: A Case Study in Industrial DevOps

Published: 31 May 2024

Abstract

In recent years, DevOps, the unification of development and operation workflows, has become a trend for the industrial software development lifecycle. Security activities have become an essential field of application for DevOps principles, as they are a fundamental part of secure software development in industry. A common practice arising from this trend is the automation of security tests that analyze a software product from several perspectives. To effectively improve the security of the analyzed product, the identified security findings must be managed and looped back to the project team so that stakeholders can take action. This management must cope with several challenges, ranging from low data quality to a consistent prioritization of findings, while following DevOps aims. To manage security findings with the same efficiency as other activities in DevOps projects, a methodology for the management of industrial security findings that respects DevOps principles is essential.
In this paper, we propose a methodology for the management of security findings in industrial DevOps projects, summarizing our research in this domain and presenting the resulting artifact. As an instance of the methodology, we developed the Security Flama, a semantic knowledge base for the automated management of security findings. To analyze the impact of our methodology on industrial practice, we performed a case study on two DevOps projects of a multinational industrial enterprise. The results emphasize the importance of using such an automated methodology in industrial DevOps projects, confirm the usefulness and positive impact of our approach on the studied projects, and identify the communication strategy as a crucial factor for usability in practice.


Published In

ICSE-SEIP '24: Proceedings of the 46th International Conference on Software Engineering: Software Engineering in Practice
April 2024
480 pages
ISBN: 9798400705014
DOI: 10.1145/3639477
This work is licensed under a Creative Commons Attribution International 4.0 License.

In-Cooperation

• Faculty of Engineering of University of Porto

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

1. DevOps
2. security
3. software engineering
4. security findings management
