Integration of Security Standards in DevOps Pipelines: An Industry Case Study release_4how2nrztzewdbroujai2fpmw4

by Fabiola Moyón Constante, Rafael Soares, Maria Pinto-Albuquerque, Daniel Méndez, Kristian Beckers

Released as a article .

2021  

Abstract

In the last decade, companies adopted DevOps as a fast path to deliver software products according to customer expectations, with well aligned teams and in continuous cycles. As a basic practice, DevOps relies on pipelines that simulate factory swim-lanes. The more automation in the pipeline, the shorter a lead time is supposed to be. However, applying DevOps is challenging, particularly for industrial control systems (ICS) that support critical infrastructures and that must obey to rigorous requirements from security regulations and standards. Current research on security compliant DevOps presents open gaps for this particular domain and in general for systematic application of security standards. In this paper, we present a systematic approach to integrate standard-based security activities into DevOps pipelines and highlight their automation potential. Our intention is to share our experiences and help practitioners to overcome the trade-off between adding security activities into the development process and keeping a short lead time. We conducted an evaluation of our approach at a large industrial company considering the IEC 62443-4-1 security standard that regulates ICS. The results strengthen our confidence in the usefulness of our approach and artefacts, and in that they can support practitioners to achieve security compliance while preserving agility including short lead times.
In text/plain format

Archived Files and Locations

application/pdf  535.1 kB
file_fka3uzfm3ffqpd3sl2j56ps7ai
arxiv.org (repository)
web.archive.org (webarchive)
Read Archived PDF
Preserved and Accessible
Type  article
Stage   submitted
Date   2021-05-27
Version   v1
Language   en ?
arXiv  2105.13024v1
Work Entity
access all versions, variants, and formats of this works (eg, pre-prints)
Catalog Record
Revision: 24bfe405-4dc0-41dc-bb72-7f14c2a39344
API URL: JSON