DOI: 10.1145/3639477.3639736
Research article · Open access

Industrial Challenges in Secure Continuous Development

Published: 31 May 2024

Abstract

The intersection between security and continuous software engineering has been of great interest since the early years of the agile development movement, and it remains relevant as software development processes are more frequently guided by agility and the adoption of DevOps. Several authors have contributed studies on the framing of secure agile development and secure DevOps, motivating academic contributions to methods and practices as well as discussions of benefits and challenges. The challenges in particular captured our interest since, for the last few years, we have been conducting research on secure continuous software engineering from a more applied, practical perspective, with the overarching aim of introducing solutions that can be adopted at scale. This short position paper summarizes a relevant part of our endeavors, in which we validated challenges with several practitioners in different roles. Beyond framing a set of challenges, we conclude by presenting four key research directions we identified for practitioners and researchers to delineate future work.



Published In

ICSE-SEIP '24: Proceedings of the 46th International Conference on Software Engineering: Software Engineering in Practice
April 2024, 480 pages
ISBN: 9798400705014
DOI: 10.1145/3639477
This work is licensed under a Creative Commons Attribution International 4.0 License.

In-Cooperation

  • Faculty of Engineering of University of Porto

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. secure agile software engineering
  2. secure DevOps
  3. DevSecOps
  4. secure continuous software engineering
  5. security compliance
  6. security challenges


Article Metrics

Reflects downloads up to 01 Jan 2025: 0 total citations; 169 total downloads (169 in the last 12 months, 29 in the last 6 weeks).
