USE OF DEVSECOPS APPROACH FOR INFORMATION SECURITY THREATS ANALYSIS
DOI: https://doi.org/10.28925/2663-4023.2021.14.2635

Keywords: DevSecOps; security; information; threats; SaaS; SAST; DAST

Abstract
This article presents a study of the use of the DevSecOps approach to analyze modern threats and defines a methodology for implementing and adapting it. DevSecOps is presented here as an approach to the culture of developing, automating and designing an information platform that integrates security as a shared responsibility throughout the software development lifecycle (SDLC). The approach described in this article helps solve the problem of implementing security controls in the software development process: it allows organizations to continually integrate security into the SDLC so that DevOps teams can quickly and efficiently develop secure applications. The possibility of implementing security in the early stages of the development workflow is investigated, since it allows security vulnerabilities to be identified and eliminated faster. This concept is part of the "shift left", which moves security testing to developers, allowing them to fix security issues in their code almost in real time rather than waiting until the end of the SDLC, where security has traditionally been embedded in development environments. The DevSecOps approach is described as a set of business processes that minimize the risks associated with modern threats and zero-day vulnerabilities. SAST (Static Application Security Testing), DAST (Dynamic Application Security Testing) and SCA (Software Composition Analysis) were analyzed to assess the possibilities of using these technologies to optimize the process of secure software development. The DevSecOps process is presented for organizations that can easily integrate security into their existing practices of continuous integration and continuous delivery (CI/CD).
The DevSecOps process in this article covers the entire SDLC from planning and design to coding, testing and release, with continuous real-time feedback, and defines DevSecOps technical controls in accordance with ISO 27001/02 and NIST standards.
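As an added example (not code from the article), the following Python policy gate turns SAST, SCA and DAST findings into a pass/block decision per pipeline stage, applying the strictest gates earliest so that issues are fixed at commit time, which is the shift-left idea the abstract describes. The stage names, severity thresholds, finding format and sample findings are all assumptions constructed for the example.

```python
"""Stage-aware security gate for a DevSecOps CI/CD pipeline (added example).

Assumes each scanner (SAST, SCA, DAST) emits findings as dicts with the keys
'tool', 'severity', 'rule' and 'location'. The gate decides whether a stage
breaks the build, so that findings block at the cheapest point to fix.
"""
from collections import Counter

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Blocking threshold per tool and stage (assumed policy, not the article's).
# DAST only runs against a deployed build, so it is gated at release only.
STAGE_POLICY = {
    "commit":  {"sast": "high",   "sca": "critical"},
    "test":    {"sast": "medium", "sca": "high"},
    "release": {"sast": "medium", "sca": "high", "dast": "high"},
}


def evaluate_gate(stage, findings, allowlist=()):
    """Return (passed, blocking_findings, summary) for one pipeline stage.

    allowlist holds rule ids whose risk has been formally accepted; they are
    still counted in the summary but never block the build.
    """
    policy = STAGE_POLICY[stage]
    blocking = []
    for f in findings:
        tool = f["tool"]
        if tool not in policy or f["rule"] in allowlist:
            continue  # tool not gated at this stage, or accepted risk
        if SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[policy[tool]]:
            blocking.append(f)
    summary = Counter((f["tool"], f["severity"]) for f in findings)
    return (not blocking, blocking, summary)


# Constructed sample findings, as the three scanner stages might report them.
SAMPLE_FINDINGS = [
    {"tool": "sast", "severity": "high", "rule": "sql-injection", "location": "app/db.py:42"},
    {"tool": "sast", "severity": "low", "rule": "weak-hash", "location": "app/auth.py:17"},
    {"tool": "sca", "severity": "critical", "rule": "vulnerable-dependency", "location": "requirements.txt"},
    {"tool": "dast", "severity": "high", "rule": "missing-csp", "location": "https://staging.example/"},
]

if __name__ == "__main__":
    for stage in STAGE_POLICY:
        passed, blocking, _ = evaluate_gate(stage, SAMPLE_FINDINGS)
        print(f"{stage}: {'PASS' if passed else 'BLOCK'} ({len(blocking)} blocking)")
```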