Integration of Security Standards in DevOps Pipelines: An Industry Case Study
by Fabiola Moyón Constante, Rafael Soares, Maria Pinto-Albuquerque, Daniel Méndez, Kristian Beckers
2021
Abstract
In the last decade, companies have adopted DevOps as a fast path to deliver
software products according to customer expectations, with well-aligned teams
and in continuous cycles. As a basic practice, DevOps relies on pipelines that
simulate factory swim-lanes: the more automation in the pipeline, the shorter
the lead time is supposed to be. However, applying DevOps is challenging,
particularly for industrial control systems (ICS) that support critical
infrastructures and that must obey rigorous requirements from security
regulations and standards. Current research on security-compliant DevOps
leaves open gaps for this particular domain and, more generally, for the
systematic application of security standards. In this paper, we present a
systematic approach to integrate standard-based security activities into
DevOps pipelines and highlight their automation potential. Our intention is to
share our experiences and help practitioners overcome the trade-off between
adding security activities to the development process and keeping a short
lead time. We conducted an evaluation of our approach at a large industrial
company considering the IEC 62443-4-1 security standard that regulates ICS.
The results strengthen our confidence in the usefulness of our approach and
artefacts, and in their ability to support practitioners in achieving security
compliance while preserving agility, including short lead times.
Preprint: arXiv 2105.13024v1 (PDF, 535.1 kB, archived at arxiv.org and web.archive.org)