Integration of Security Standards in DevOps Pipelines: An Industry Case Study
Siemens CT and Technical University of Munich, DEU.
Instituto Universitário de Lisboa (ISCTE-IUL), PRT.
Instituto Universitário de Lisboa (ISCTE-IUL), PRT.
Blekinge Institute of Technology, Faculty of Computing, Department of Software Engineering; fortiss GmbH, DEU. ORCID iD: 0000-0003-0619-6027
2020 (English). In: Lecture Notes in Computer Science / [ed] Morisio M., Torchiano M., Jedlitschka A., Springer Science+Business Media B.V., 2020, Vol. 12562, p. 434-452. Conference paper, Published paper (Refereed)
Abstract [en]

In the last decade, companies adopted DevOps as a fast path to deliver software products according to customer expectations, with well-aligned teams and in continuous cycles. As a basic practice, DevOps relies on pipelines that simulate factory swim-lanes. The more automation in the pipeline, the shorter the lead time is supposed to be. However, applying DevOps is challenging, particularly for industrial control systems (ICS) that support critical infrastructures and that must obey rigorous requirements from security regulations and standards. Current research on security-compliant DevOps presents open gaps for this particular domain and, in general, for the systematic application of security standards. In this paper, we present a systematic approach to integrate standard-based security activities into DevOps pipelines and highlight their automation potential. Our intention is to share our experiences and help practitioners overcome the trade-off between adding security activities to the development process and keeping a short lead time. We conducted an evaluation of our approach at a large industrial company considering the IEC 62443-4-1 security standard that regulates ICS. The results strengthen our confidence in the usefulness of our approach and artefacts, and in that they can support practitioners in achieving security compliance while preserving agility, including short lead times. © 2020, Springer Nature Switzerland AG.

Place, publisher, year, edition, pages
Springer Science+Business Media B.V., 2020. Vol. 12562, p. 434-452
Series
Lecture Notes in Computer Science, ISSN 0302-9743
Keywords [en]
Agile software engineering, DevOps pipeline, DevSecOps, Industrial control systems, Secure software engineering, Security standards, DevOps, Economic and social effects, Process engineering, Customer expectation, Industrial companies, Industry case studies, Integration of security, Security activities, Security compliance, Security regulations, Pipelines
National Category
Software Engineering
Identifiers
URN: urn:nbn:se:bth-20885
DOI: 10.1007/978-3-030-64148-1_27
ISI: 000766320200027
Scopus ID: 2-s2.0-85097641509
ISBN: 9783030641474 (print)
OAI: oai:DiVA.org:bth-20885
DiVA, id: diva2:1514423
Conference
21st International Conference on Product-Focused Software Process Improvement, PROFES 2020, Turin, Italy, 25 November 2020 through 27 November 2020
Part of project
SERT - Software Engineering ReThought, Knowledge Foundation
Available from: 2021-01-05 Created: 2021-01-05 Last updated: 2023-01-02 Bibliographically approved

Open Access in DiVA

No full text in DiVA

Other links

Publisher's full text; Scopus