Adding Security Blocks to the DevOps Lifecycle
Authors: Andrew John Zeller, Francis Pouatcha
Abstract:
Working according to the DevOps principle has gained in popularity over the past decade. While its extension DevSecOps has started to include elements of cybersecurity, most real-life projects do not focus on risk and security until the later phases of a project, as teams are often more familiar with engineering and infrastructure services. To help bridge the gap between security and engineering, this paper takes six building blocks of cybersecurity and applies them to the DevOps approach. After a brief overview of the stages in the DevOps lifecycle, the main part discusses to what extent the six cybersecurity blocks can be utilized in the various stages of the lifecycle. The paper concludes with an outlook on how to stay up to date in the dynamic world of cybersecurity.
Keywords: Information security, data security, cybersecurity, DevOps, IT management.