Automated Security Findings Management: A Case Study in Industrial DevOps (2401.06602v1)
Abstract: In recent years, DevOps, the unification of development and operations workflows, has become a trend in the industrial software development lifecycle. Security activities have become an essential field of application for DevOps principles, since they are a fundamental part of secure software development in industry. A common practice arising from this trend is the automation of security tests that analyze a software product from several perspectives. To effectively improve the security of the analyzed product, the identified security findings must be managed and looped back to the project team so that stakeholders can take action. This management must cope with several challenges, ranging from low data quality to a consistent prioritization of findings, while still following DevOps aims. To manage security findings with the same efficiency as other activities in DevOps projects, a methodology for managing industrial security findings that respects DevOps principles is essential. In this paper, we propose a methodology for the management of security findings in industrial DevOps projects, summarizing our research in this domain and presenting the resulting artifact. As an instance of the methodology, we developed the Security Flama, a semantic knowledge base for the automated management of security findings. To analyze the impact of our methodology on industrial practice, we performed a case study on two DevOps projects of a multinational industrial enterprise. The results emphasize the importance of using such an automated methodology in industrial DevOps projects, confirm our approach's usefulness and positive impact on the studied projects, and identify the communication strategy as a crucial factor for usability in practice.