1

Development and Evaluation of an Artefact Model to Support Security Compliance for DevSecOps

Bitra, Pranavi, Achanta, Chandra Srilekha January 2021 (has links)
Background. DevOps represents a set of principles and practices of the software development (Dev) and information technology operations (Ops) of the product lifecycle requirements. DevOps has become a buzzword in organizations because it is an offspring of agile software development. Nowadays, there is a shift in organizations from DevOps to DevSecOps, which brings a higher level of security built into software delivery pipelines. DevSecOps ensures security is a core component in the workflow to implement secure development and operations processes by automating every aspect. Security inevitably includes issues like compliance with security standards that are concerned with looming cybersecurity threats. Little is known about different concepts of assessing security compliance in terms of security standards in DevOps pipelines. Understanding the artefacts and their dependency requirements in the software workflow is fundamental to demonstrating compliance. The thesis study proposes to ensure that the IEC 62443-4-1 standard for secure product development in industrial systems is incorporated into the artefact model to capture the information related to security compliance.
Objectives. The thesis aims to investigate the artefacts and identify their dependencies to develop and design an artefact model for DevSecOps. This artefact model has the possibility to measure security compliance with the IEC 62443-4-1 standard, to ensure traceability in the DevOps pipeline, and to evaluate its usability.
Methods. In this qualitative research, we conducted a literature review with snowballing to gather information on artefacts, which were then synthesised to develop and design the artefact model. We conducted interviews with practitioners to collect data on the usability of the artefact model.
Results. The literature review with snowballing identified ten papers in the final data set. We identified 100 artefacts from the papers. The artefacts are categorized and matched according to practice and activity descriptions. The synthesis of the literature review artefacts provides the basis for designing the artefact model and its dependencies for the DevSecOps workflow. The interview results were thematically coded, and we obtained a list of benefits, challenges, and security compliance barriers with DevOps pipelines. This process evaluates the practitioners' understanding of the designed artefact model's usability in industry for assessing compliance with the standard.
Conclusions. The research study identifies the artefacts that help with developing the artefact model. It provides the practitioners' understanding of the usability of the artefact model in industry to meet the secure software development product life-cycle requirements according to the IEC 62443-4-1 standard. The results demonstrated evidence of assessing security compliance for the DevSecOps workflow in a DevOps pipeline.
2

Security als komplexe Anforderung an agile Softwareentwicklung: Erarbeitung eines Anwendungsmusters zur Betrachtung der IT-Security in agilen Entwicklungszyklen anhand eines metadatengestützten Testing-Verfahrens / Security as a complex requirement of agile software development: developing an application pattern for considering IT security in agile development cycles using a metadata-supported testing procedure

Matkowitz, Max 26 April 2022 (has links)
Agile software development, with its principles, stands for open collaboration, lightweight frameworks and rapid adaptation to change. With these characteristics, problems and dissatisfaction in traditional software development could be addressed. On the IT security side, however, a variety of challenges have emerged. Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) provided the first approaches to a solution. However, they do not represent a satisfactory way of integrating security testing into agile software development, especially in a cloud context. The present work addresses the following question: How can a practical concept for considering the security of application code, containers and clusters within agile development cycles be realised if a metadata-based testing procedure is to be used? The goal is thus divided into the conception and realisation of two aspects: the metadata-based security testing of code/container/cluster, and the development workflow for applying the testing procedure. A case study from web development was used for the qualitative evaluation of a prototype implemented with Python and GitLab. After explaining the framework conditions, concrete scenarios of a development process could be run through. The qualitative investigation showed successful detection of vulnerabilities of different categories (e.g. Broken Access Control). Overall, good embedding into the exemplary development workflow was observed. The effort for maintaining the metadata is not negligible, but because of the orientation towards the established OpenAPI schema it should not be weighted too heavily. This applies in particular when added value (feasibility, speed, convenience) can be generated through the influence of metadata.
Contents: 1 Introduction; 1.1 Problem description; 1.2 Objectives; 1.3 State of the art and development methods; 1.4 Methodology; 2 Theoretical and technical foundations; 2.1 Foundations of agile software development; 2.2 GitLab; 2.3 Foundations of metadata-supported security testing; 3 Conception; 3.1 Low-level model (test procedure); 3.2 Synthesis of the exemplary test cases; 3.3 Description file; 3.4 High-level model (development workflow); 4 Implementation; 4.1 Test procedure; 4.2 CI/CD pipeline; 4.3 Case study of agile software development; 5 Evaluation and outlook
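The abstract above describes deriving security tests from OpenAPI-style metadata and catching Broken Access Control with them. The following is an added illustration of that idea, not code from the thesis or its prototype: it assumes a constructed, minimal OpenAPI document embedded inline, a hypothetical in-process stub service `handle()` standing in for the application under test, and the rule that every operation carrying a non-empty `security` requirement must reject an unauthenticated request. An operation that answers such a request with 200 is reported as a Broken Access Control finding.

```python
"""Metadata-driven access-control checks derived from an OpenAPI description.

Added example (not the thesis prototype). Assumptions: the OpenAPI document
below is constructed sample input, `handle` is a hypothetical stub service,
and the per-operation `security` list decides which requests must be rejected
when sent without credentials.
"""
import json

# Constructed sample OpenAPI document (assumption, not from the thesis).
OPENAPI_SPEC = json.loads("""
{
  "openapi": "3.0.3",
  "components": {"securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}}},
  "paths": {
    "/health": {"get": {"security": []}},
    "/users": {"get": {"security": [{"bearer": []}]}},
    "/admin/export": {"get": {"security": [{"bearer": []}]}}
  }
}
""")

VALID_TOKENS = {"t-user"}

HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}


def handle(method, path, token=None):
    """Hypothetical stub service. /admin/export deliberately lacks an auth check
    so that the metadata-driven test has something to find."""
    if path == "/health":
        return 200
    if path == "/users":
        return 200 if token in VALID_TOKENS else 401
    if path == "/admin/export":
        return 200  # bug: no authentication check, contrary to the spec metadata
    return 404


def operations(spec):
    """Yield (METHOD, path, requires_auth) for every operation in the spec.

    A per-operation `security` list overrides the document-level default;
    an empty list explicitly marks the operation as public."""
    default = spec.get("security", [])
    for path, item in spec["paths"].items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue
            sec = op.get("security", default)
            yield method.upper(), path, len(sec) > 0


def check_unauthenticated(spec, send):
    """Send every protected operation without credentials via `send(method, path, token)`
    and return one finding per operation that does not answer 401 or 403."""
    findings = []
    for method, path, requires_auth in operations(spec):
        if not requires_auth:
            continue
        status = send(method, path, None)
        if status not in (401, 403):
            findings.append({"method": method, "path": path, "status": status,
                             "category": "Broken Access Control"})
    return findings


if __name__ == "__main__":
    for f in check_unauthenticated(OPENAPI_SPEC, handle):
        print(f"{f['category']}: {f['method']} {f['path']} returned {f['status']} without a token")
```

In a pipeline the `send` callable would wrap a real HTTP client pointed at the deployed review environment, and the spec would be read from the repository; keeping the test logic dependent only on the metadata is what lets the same check follow the API as endpoints are added.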
3

Implementering DevSecOps metodik vid systemutveckling för hälso- och sjukvård / Implementing DevSecOps methodology for healthcare system development

Abd Alwaheb, Sofia January 2023 (has links)
In healthcare, IT security is crucial for protecting both personal information and patient safety. Currently, the implementation of security measures and testing is done after software development, which can reduce efficiency and pose a potential risk to patient privacy. This study examined the implementation of the DevSecOps methodology in healthcare, focusing on the development phase. By interviewing employees and using security tools such as SAST, code review, penetration testing, and DAST, benefits and challenges were identified. The challenges included a lack of security knowledge and difficulty integrating tools for free. Despite this, the results demonstrated the potential to enhance security, streamline operations, and save money by utilizing free tools and implementing security during the development phase. Training and hiring security-competent personnel were also emphasized as important for maintaining high security standards.
4

Performance of DevOps compared to DevSecOps : DevSecOps pipelines benchmarked!

Björnholm, Jimmy January 2020 (has links)
This paper examines how adding security tools to a software pipeline affects the build time. Software development is an ever-changing field in a world where computers are trusted with almost everything society does. Meanwhile, keeping build time low is crucial, and some aspects of quality assurance have therefore been left on the cutting room floor, security being one of the most vital and time-consuming. The time taken to scan for vulnerabilities has been suggested as a reason for the absence of security tests. By implementing nine different security tools into a generic DevOps pipeline, this paper aimed to examine the build times quantitatively. The tools were selected using the OWASP Top Ten, coupled with an ISO standard, as a guideline. OWASP Juice Shop was used as the testing environment, and the scans managed to find most of the vulnerabilities in the Vulnerable Web Application. The pipeline was set up in Microsoft Azure and was configured in .yaml files. The resulting scan durations show that adding security measures to a build pipeline can add as little as 1/3 of the original build time.
5

RAPIDLY SCALING DIGITAL TRANSFORMATIONS OF HEALTHCARE SYSTEMS / LEVERAGING CLOUD-BASED LOW-CODE DEVELOPMENT PLATFORMS WITH DEVSECOPS GUIDELINES TO RAPIDLY SCALE THE DIGITAL TRANSFORMATION OF HEALTHCARE SYSTEMS

Olatunji, Ekene Titilope 06 1900 (has links)
The job of healthcare professionals in the healthcare sector has never been more critical than now due to the current unprecedented rate of long-term IT infrastructural changes and digital transformation. The 2019/2020 COVID-19 pandemic has been a major driver of these changes. Cultivating a culture of digital innovation and transformation is now at the forefront of the healthcare value-chain. There is an increased need to optimize the operations of the healthcare system, improve collaboration among Health Teams and deliver more agile and secure applications to support both clinical and administrative processes in healthcare institutions. These driving forces require a vision and strategy for digital transformation in the healthcare system, involving a closer look at modern DevSecOps best practices in the application development process. The fast-growing popularity of Cloud Computing has driven the consideration of Low-Code Development Platforms (LCDP), built securely in the cloud infrastructure, to support the transformation of the healthcare system. Low-Code Development Platforms are being considered by enterprises around the world to deliver rapid software development, continuous delivery, and continuous integration of their application systems. The William Osler Health System is recognized for its adoption of technological innovations for improved patient experience and satisfaction. Its innovations include the use of the Microsoft Cloud for Healthcare platforms, and Microsoft 365 and Power Platform services with embedded Low-Code technology to automate and optimize internal operational processes. The aim of this master's thesis is to demystify the concept of cloud-based Low-Code Application Development approaches to healthcare software development by using a case study of a healthcare application within the systems being built to support operational processes in the William Osler Health System. This study contrasts challenges of current internal tools and methods of operations, communication, and application development in the organization with the potential benefits of using cloud-based Low-Code platforms to drive digital transformation. / Thesis / Master of Science (MSc)
6

SAFe and DevSecOps in Governmental Organizations : A case study for benefits and challenges

Bikis, Tilemachos January 2022 (has links)
This thesis conducted a case study in order to identify and analyze the benefits and the challenges of SAFe and DevSecOps adoption in governmental organizations. It has been identified that governmental organizations are falling behind the market in respect of SAFe and DevSecOps adoption, while at the same time not much research has been done in this specific market area; the aim of this study is to provide more insights into the subject. In particular, this research tries to answer the following questions: how do governmental organizations benefit from DevSecOps and SAFe adoption, and why is the adoption of DevSecOps and SAFe challenging for governmental organizations? The conducted case study identified clear benefits of SAFe and DevSecOps adoption for governmental organizations, which are summed up as better management of existing demand, increased transparency and compliance, and better security assurance. At the same time, challenges also surfaced in the scope of the study related to the organization's culture, administrative challenges related to organizational processes, and security ones. Most of the results are in line with previous research on the broader market, though specific challenges were observed in correlation with governmental organizations in particular.
7

Security Tools in DevSecOps : A Systematic Literature Review / Säkerhetsverktyg i DevSecOps : En systematisk litteraturöversikt

Martelleur, Joel, Hamza, Amina January 2022 (has links)
DevSecOps emerged to mitigate the challenges of integrating security into DevOps. DevOps has grown tremendously, leading to difficulties in integrating security tools into its development process while maintaining speed and agility. This study aims to investigate the security tools in DevSecOps and how they have been reported in previous literature. The main objective of this study is to provide a knowledge base concerning security tools in DevSecOps that can be used to mitigate challenges regarding the selection and use of security tools in the context of DevSecOps. A systematic literature review was adopted for the research. The study collected a total of 228 studies published between 2015 and 2022; fourteen of these papers were selected to be used for data extraction after conducting a thorough review protocol. This study has identified thirteen security tool categories used or recommended to be used in DevSecOps. These tools have been structured into seven phases of the development process and five security practices. Additionally, this study has identified twelve drawbacks and sixteen recommendations concerning the use of these security tools in DevSecOps. The security tool categories, recommendations, and drawbacks identified in this study could potentially be used to facilitate the challenges of selecting and using security tools in DevSecOps and similar methodologies that rely on automation and delivering software frequently.
8

Application Security Review Criteria for DevSecOps Processes

Heilmann, Jonas January 2020 (has links)
For several years a trend in agile software development methodologies that connect development with operations has been transforming business activities in the industry. This methodology, which breaks down the formerly separated silos of development and operations, is commonly referred to as DevOps. From a security point of view, however, the DevOps methodology lacks a fundamental integration of security in any of its phases. As a result, the DevSecOps practice, which intertwines the disciplines of security, development and operations, is gaining more and more popularity. The biggest challenge in this shift of practice is the flawless introduction of security methods into existing DevOps processes without disturbing their fast pace and responsiveness. Whereas the security integration and the processes for making DevOps secure are discussed in various preceding studies, this research focuses on an investigation of criteria that can be used to measure application security in DevSecOps integration. Given the lack of a fundamental base of academic literature on the topic, a Multivocal Literature Review (MLR) was conducted. For the study, not only academic research but also gray literature such as blogs and articles from industry practitioners were investigated to extract meaningful review criteria. As applicable, high-level criteria, agreed-upon best practices and descriptions of security controls were thereby examined and compiled from the studied literature. The criteria resulting from the conducted MLR process were further analyzed with each criterion's coverage in existing security standards in mind. Additionally, an investigation of each criterion's connection to the fundamental principles of the DevOps methodology was performed. The resulting list of criteria, as well as additional, partially classified sub-criteria, is presented as the primary contribution of the thesis. Further, a discussion of the results and an evaluation of the criteria for measurability and applicability were performed with the help of an expert group from the cooperating company Veriscan Security AB. Lastly, the conducted study highlights the current state of research on the topic, discusses the lack of knowledge in particular areas, and serves as a foundation and suggestion for several fields of future research. The criteria could, for instance, enable future design science research on DevSecOps security measurement.