From DevOps to DevSecOps is not enough. CyberDevOps: an extreme shifting-left architecture to bring cybersecurity within software security lifecycle pipeline


Research area: Strategies



Venue: Software Quality Journal


Abstract

Software engineering is evolving quickly, creating an urgent need for more efficient development models. DevOps and its security-oriented extension DevSecOps promised to speed up the development process while ensuring more robust code. However, vulnerabilities in third-party libraries and in the underlying infrastructure may still introduce security flaws. Moreover, regulatory compliance and standards go beyond secure software, requiring comprehensive security and accurate infrastructure hardening. Thus, we may wonder: is DevSecOps enough? In this paper, we propose CyberDevOps, a novel architecture that integrates cybersecurity within DevSecOps. Specifically, (i) we revise software composition analysis to deal with nondeterministic environments and (ii) we incorporate vulnerability assessment and compliance as a further pipeline step. To assess the effectiveness of CyberDevOps, we conduct an experimental evaluation: we attack a web application and show how CyberDevOps is able to detect hidden defects where a standard DevSecOps pipeline fails. Furthermore, we assess code quality and security by comparing DevOps, DevSecOps, and CyberDevOps while monitoring two Conio code bases over a year. The results show that CyberDevOps helps to fix up to 100% of known bugs and vulnerabilities and significantly improves code quality.


Authors

Federico Lombardi, Conio Inc., San Francisco, CA 94105, USA

Alberto Fanton, Conio Inc., San Francisco, CA 94105, USA

Paper information

Publication year: 2023
Citations: 0
Publication country: Canada
Site: Springer