Integration of Security Standards in DevOps Pipelines: An Industry Case StudyShow others and affiliations
2020 (English)In: Lecture Notes in Computer Science / [ed] Morisio M.,Torchiano M.,Jedlitschka A., Springer Science+Business Media B.V., 2020, Vol. 12562, p. 434-452Conference paper, Published paper (Refereed)
Abstract [en]
In the last decade, companies adopted DevOps as a fast path to deliver software products according to customer expectations, with well aligned teams and in continuous cycles. As a basic practice, DevOps relies on pipelines that simulate factory swim-lanes. The more automation in the pipeline, the shorter a lead time is supposed to be. However, applying DevOps is challenging, particularly for industrial control systems (ICS) that support critical infrastructures and that must obey to rigorous requirements from security regulations and standards. Current research on security compliant DevOps presents open gaps for this particular domain and in general for systematic application of security standards. In this paper, we present a systematic approach to integrate standard-based security activities into DevOps pipelines and highlight their automation potential. Our intention is to share our experiences and help practitioners to overcome the trade-off between adding security activities into the development process and keeping a short lead time. We conducted an evaluation of our approach at a large industrial company considering the IEC 62443-4-1 security standard that regulates ICS. The results strengthen our confidence in the usefulness of our approach and artefacts, and in that they can support practitioners to achieve security compliance while preserving agility including short lead times. © 2020, Springer Nature Switzerland AG.
Place, publisher, year, edition, pages
Springer Science+Business Media B.V., 2020. Vol. 12562, p. 434-452
Series
Lecture Notes in Computer Science , ISSN 03029743
Keywords [en]
Agile software engineering, DevOps pipeline, DevSecOps, Industrial control systems, Secure software engineering, Security standards, DevOps, Economic and social effects, Process engineering, Customer expectation, Industrial companies, Industry case studies, Integration of security, Security activities, Security compliance, Security regulations, Pipelines
National Category
Software Engineering
Identifiers
URN: urn:nbn:se:bth-20885DOI: 10.1007/978-3-030-64148-1_27ISI: 000766320200027Scopus ID: 2-s2.0-85097641509ISBN: 9783030641474 (print)OAI: oai:DiVA.org:bth-20885DiVA, id: diva2:1514423
Conference
21st International Conference on Product-Focused Software Process Improvement, PROFES 2020, Turin, Italy, 25 November 2020 through 27 November 2020
Part of project
SERT- Software Engineering ReThought, Knowledge Foundation2021-01-052021-01-052023-01-02Bibliographically approved