Unveiling the Safety Aspects of DevSecOps: Evolution, Gaps and Trends

Xhesika      Ramaj; Mary      Sánchez-Gordón; Sabarathinam      Chockalingam; Ricardo      Colomo-Palacios

doi:10.2174/2666255816666220804143918

Abstract

Background: The popularity of DevSecOps is on the rise because it promises to integrate a greater degree of security into software delivery pipelines. However, there is also an unacceptable risk related to safety that cannot be overlooked, given the importance of this aspect in many industries.

Objective: The objective of this study is to provide an overview of the safety aspects reported in the literature on DevSecOps. This study also characterizes such aspects and identifies the gaps that may lead to future research work.

Methods: A systematic literature review was conducted using five well-known academic databases. The search was executed in September 2021 and March 2022 to identify relevant studies.

Results: The search returned 114 academic studies. After the screening process, five primary studies published between 2019 and 2021 were selected. These studies were analyzed thoroughly to identify the safety aspects. Then, we categorized them into three main groups: (i) risk-related safety aspects, (ii) human-related aspects, and (iii) management aspects.

Conclusion: Safety is an important characteristic that is becoming more critical as the number of critical systems grows. This review reveals that only a scarce number of studies are focusing on safety in DevSecOps. However, those studies gave us some insights into this topic. Therefore, our main observation is that this topic has not yet been completely explored in the academic literature. This review can encourage reflection and discussion between the safety and security communities.

Keywords: DevSecOps, Safety, Security, Risk, Human factors, Systematic literature review

Graphical Abstract

[1]
A.B. Bujok, S.T. MacMahon, P. Grant, D. Whelan, W.J. Rickard,  and F. McCaffery, "Approach to the development of a Unified Framework for Safety Critical Software Development", Comput. Stand. Interfaces, vol. 54, pp. 152-161, 2017.
 [http://dx.doi.org/10.1016/j.csi.2016.11.013]
[2]
M.F. Lie, M.S. Gordón,  and R.C. Palacios, DevOps in an ISO 13485 Regulated Environment: A Multivocal Literature Review. Proceedings of the 14th ACM / IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM), New York, NY, USA, 2020, p. 1-11.
 [http://dx.doi.org/10.1145/3382494.3410679]
[3]
L.T. Heeager,  and P.A. Nielsen, "A conceptual model of agile software development in a safety-critical context: A systematic literature review", Inf. Softw. Technol., vol. 103, pp. 22-39, 2018.
 [http://dx.doi.org/10.1016/j.infsof.2018.06.004]
[4]
P.A. McQuaid, "Software disasters-understanding the past, to improve the future", J. Softw., vol. 24, no. 5, pp. 459-470, 2012.
 [http://dx.doi.org/10.1002/smr.500]
[5]
 U.S. FDA, FDA Agents - FDA Registration and U.S. Agent Representation. Available from: https://www.fdaagents.com/ (accessed Sep. 24, 2021)
[6]
"EN 50128 Railway applications-Communication, signalling and
processing systems", Euro. Committee for Electro-tech Standard, 2012.
[7]
R. Kasauli, E. Knauss, B. Kanagwa, A. Nilsson,  and G. Calikli, Safety-critical systems and agile development: A mapping study. 2018 44th Euromicro Conference on Software Engineering and Advanced Applications (SEAA), Prague, 2018, p. 470-477.
 [http://dx.doi.org/10.1109/SEAA.2018.00082]
[8]
M.S. Gordón,  and R.C. Palacios, "Characterizing DevOps Culture: A Systematic Literature Review", In: Software Process Improve. Capab. Determin., Cham, 2018, p. 3-15.
 [http://dx.doi.org/10.1007/978-3-030-00623-5_1]
[9]
H. Myrbakken,  and R.C. Palacios, DevSecOps: A Multivocal Literature Review. International Conference on Software Process Improvement and Capability Determination, Springer, Cham, 2017, pp. 17-29.
 [http://dx.doi.org/10.1007/978-3-319-67383-7_2]
[10]
T. Laukkarinen, K. Kuusinen,  and T. Mikkonen, "Regulated software meets DevOps", Inf. Softw. Technol., vol. 97, pp. 176-178, 2018.
 [http://dx.doi.org/10.1016/j.infsof.2018.01.011]
[11]
M. Olszewska,  and M. Waldén, "DevOps meets formal modelling in high-criticality complex systems. ", In: Proc. 1st Int Workshop Quality-Aware DevOps, 01 Sept, 2015, Bergamo, Italy, 2015, pp. 7-12.
 [http://dx.doi.org/10.1145/2804371.2804373]
[12]
X. Larrucea, A. Berreteaga,  and I. Santamaria, "Dealing with security in a real devops environment", In: Sys. Software Ser. Process Improve., Cham, 2019, pp. 453-464.
 [http://dx.doi.org/10.1007/978-3-030-28005-5_35]
[13]
M.S. Gordón,  and R.C. Palacios, "Security as culture: A systematic literature review of DevSecOps", In: Proc.IEEE/ACM 42nd Int. Conf. Software Eng. Workshops, Seoul Republic of Korea, 2020, p. 266-269.
 [http://dx.doi.org/10.1145/3387940.3392233]
[14]
E. Lisova, I. Šljivo,  and A. Čaušević, "Safety and security coanalyses: a systematic literature review", IEEE Syst. J., vol. 13, no. 3, pp. 2189-2200, 2019.
 [http://dx.doi.org/10.1109/JSYST.2018.2881017]
[15]
"State of DevOps Report 2021", http://puppet.com/resources/report/2021-state-of-devops-report
[16]
B. Kitchenham,  and S. Charters, "Guidelines for performing systematic literature reviews in Software Engineering",  http://www.researchgate.net/publication/302924724 Guidelines for performing Systematic Literature Reviews in Software Engineering
[17]
S. Kriaa, L. Pietre-Cambacedes, M. Bouissou,  and Y. Halgand, "A survey of approaches combining safety and security for industrial control systems", Reliab. Eng. Syst. Saf., vol. 139, pp. 156-178, 2015.
 [http://dx.doi.org/10.1016/j.ress.2015.02.008]
[18]
 ISO/IEC 23643:2020(en), Software and systems engineering - Capabilities of software safety and security verification tools’, Available from: https://www.iso.org/obp/ui/fr/#iso:std:iso-iec:23643.
[19]
C. Paulsen,  and R. Byers, Glossary of Key Information Security TermsNISTIR., vol. 2. 2019no. 1, .
 [http://dx.doi.org/10.6028/NIST.IR.7298r3]
[20]
A.J. Kornecki,  and M. Liu, "Fault tree analysis for safety/security verification in aviation software", Electronics (Basel), vol. 2, no. 1, p. 1, 2013.
 [http://dx.doi.org/10.3390/electronics2010041]
[21]
L. Piètre-Cambacédès,  and M. Bouissou, "Cross-fertilization between safety and security engineering", Reliab. Eng. Syst. Saf., vol. 110, pp. 110-126, 2013.
 [http://dx.doi.org/10.1016/j.ress.2012.09.011]
[22]
L.P. Cambacédès,  and C. Chaudet, "The SEMA referential framework: Avoiding ambiguities in the terms “security” and “safety”", Int. J. Crit. Infrastruct. Prot., vol. 3, no. 2, pp. 55-66, 2010.
 [http://dx.doi.org/10.1016/j.ijcip.2010.06.003]
[23]
D.P. Eames,  and J. Moffett, The integration of safety and security requirements. Computer Safety, Reliability and Security., vol. Vol. 1698. Springer Berlin Heidelberg: Berlin, Heidelberg, 1999, pp. 468-480.
 [http://dx.doi.org/10.1007/3-540-48249-0_40]
[24]
C. Fayollas, H. Bonnin,  and O. Flebus, SafeOps: A concept of continuous safety. 16th Euro. Depend. Comput. Conf. (EDCC), Munich, Germany, 2020, pp. 65-68.
 [http://dx.doi.org/10.1109/EDCC51268.2020.00020]
[25]
R. Mao, Preliminary findings about devsecops from grey literature. 2020 IEEE 20th Int. Conf. Software Quality, Reliab.Security (QRS)., Macau, China, 2020, p. 450-457.
 [http://dx.doi.org/10.1109/QRS51102.2020.00064]
[26]
K. Carter, "Francois Raynaud on DevSecOps", IEEE Softw., vol. 34, no. 5, pp. 93-96, 2017.
 [http://dx.doi.org/10.1109/MS.2017.3571578]
[27]
R.N. Rajapakse, M. Zahedi, M.A. Babar,  and H. Shen, "Challenges and solutions when adopting DevSecOps: A systematic review", Inf. Softw. Technol., vol. 141, p. 106700, 2022.
 [http://dx.doi.org/10.1016/j.infsof.2021.106700]
[28]
V. Mohan,  and L.B. Othmane, SecDevOps: Is it a marketing buzzword? - Mapping research on security in devOps. 2016 11th Int. Conf. Avail. Reliab. Security (ARES), 31Aug-02 Sept, 2016, Salzburg, Austria, 2016, p. 542-547.
 [http://dx.doi.org/10.1109/ARES.2016.92]
[29]
L. Prates, J. Faustino, M. Silva,  and R. Pereira, DevSecOps Metrics.Information systems: research, development, applications., Education: Cham, 2019, pp. 77-90.
 [http://dx.doi.org/10.1007/978-3-030-29608-7_7]
[30]
S. Rafi, W. Yu, M.A. Akbar, A. Alsanad,  and A. Gumaei, "Prioritization based taxonomy of devops security challenges using PROMETHEE", IEEE Access, vol. 8, pp. 105426-105446, 2020.
 [http://dx.doi.org/10.1109/ACCESS.2020.2998819]
[31]
A.A.U. Rahman,  and L. Williams, Software security in DevOps: Synthesizing practitioners’ perceptions and practices. IEEE/ACM International Workshop on Continuous Software Evolution and Delivery (CSED), 2016, pp. 70-76.
 [http://dx.doi.org/10.1145/2896941.2896946]
[32]
R. Chatterjee, Security in devops and automation.Red Hat and IT Security: With Red Hat Ansible, Red Hat OpenShift, and Red Hat Security Auditing., Apress: Berkeley, CA, 2021, pp. 65-104.
 [http://dx.doi.org/10.1007/978-1-4842-6434-8_3]
[33]
A.D. Tran, M.Q. Nguyen, G.H. Phan,  and M.T. Tran, "Security issues in android application development and plug-in for android studio to support secure programming", In: Future Data and Security Engineering. Big Data, Security and Privacy, Smart City and Industry 4.0 Applications., 2021, p. 105-122.
 [http://dx.doi.org/10.1007/978-981-16-8062-5_7]
[34]
S.B.O.G. Carturan,  and D.H. Goya, "A systems-of-systems security framework for requirements definition in cloud environment. ", In: Proceedings of the 13th Euro. Conf. Software Archit. ECSA ’19, vol. 2. Paris, France, 2019, pp. 235-240.
 [http://dx.doi.org/10.1145/3344948.3344977]
[35]
B. Somoskői, Airline application security in the digital economy: Tackling security challenges for distributed applications in lufthansa systems.Digitalization Cases: How Organizations Rethink Their Business for the Digital Age., Springer International Publishing: Cham, 2019, pp. 35-58.
 [http://dx.doi.org/10.1007/978-3-319-95273-4_3]
[36]
E.C. Burkard, "Usability testing within a devsecops environment", In: Integrated Communications Navigation and Surveillance Conference (ICNS). 08-10 Sept, 2020, Herndon, VA, USA, 2020, p. 1C1-1-1C1-7.
 [http://dx.doi.org/10.1109/ICNS50378.2020.9222919]
[37]
R.A. Martin, Assurance for CyberPhysical Systems: Adressing supply chain challenges to trustworthy software enabled-things. 2020 IEEE Systems Security Symposium (SSS), 01 Jul- 01 Aug 2020, Crystal City, VA, USA, 2020.
 [http://dx.doi.org/10.1109/SSS47320.2020.9174201]
[38]
"Assurance and Sustainability", In: Security Engineering, John Wiley & Sons, Ltd, 2020, p. 1015-1058.
 [http://dx.doi.org/10.1002/9781119644682.ch28]
[39]
T. Limba, T. Plėta, K. Agafonov, and M. Damkus,, "Cyber security management model for critical infrastructure", Entrep. Sustain. Issues, vol. 4, no. 4, pp. 559-573, 2017.
 [http://dx.doi.org/10.9770/jesi.2017.4.4(12)]
[40]
J.A. Kupsch, B.P. Miller, V. Basupalli,  and J. Burger, From continuous integration to continuous assurance. 2017 IEEE 28th Annual Software Technology Conference (STC), 25-28 Sept, Gaithersburg, MD, USA, 2017, p. 1-8.
 [http://dx.doi.org/10.1109/STC.2017.8234450]

Rights & Permissions Print Cite

Journal Information

For Authors

For Editors

For Reviewers

Explore Articles

Open Access

Open Access Articles

For Visitors

DOI https://dx.doi.org/10.2174/2666255816666220804143918	Print ISSN 2666-2558
Publisher Name Bentham Science Publisher	Online ISSN 2666-2566

Recent Advances in Computer Science and Communications

Unveiling the Safety Aspects of DevSecOps: Evolution, Gaps and Trends

Abstract Play Pause

Graphical Abstract

Related Journals

Related Books

Abstract