This document presents a framework for integrating security activities into DevSecOps without increasing delays. It defines DevSecOps and identifies 33 security activities and 87 design factors relevant to DevSecOps from literature. Experts then prioritized activities based on effectiveness, delay, and financial impact. The top activities included automated security testing, threat modeling, and establishing a security mindset. The framework aims to tailor security to each organization's DevSecOps processes by focusing on automation and feedback loops to reduce delays from security.
1. Lean Security: A framework of security activities and design factors for DevSecOps
Research performed under the guidance of: Dennis Verslegers, Strategic Advisor Application Security, Orange CyberDefense
3. Approaches based on iterations over small units of work, promoting fast feedback and room for experimentation, are the best way to build complex systems.
Security is too often treated as an afterthought.
Which security activities are relevant to DevSecOps, and how do we approach them (differently)?
5. Integrate security assurance in DevOps without increasing delay
Culture, Automation, Measurement, Sharing
Increasing regulatory compliance requirements
Potential impact of breaches on market value and reputation
Security is seen as an obstacle for DevOps adoption
(Mohan, Othmane, 2016; Tashi, 2009; Goel, Shawky, 2009; Sinanaj, Muntermann, 2015)
Relies on experts; documentation driven; performed on the finished product
Conventional sequential security activities create deterring delays between critically short iterations and inflate development budgets (Beznosov, Kruchten, 2004)
Increased speed of response, auditability, repeatability: automation improves security (Forsgren, Smith, Humble, Frazelle, 2019)
Doing DevOps well enables you to do security well (Forsgren, Smith, Humble, Frazelle, 2019)
7. Integrate security assurance in DevOps without increasing delay
RQ1a: Definition of DevOps?
RQ1b: Definition of DevSecOps?
RQ2: Which set of security activities and design factors relevant to DevOps processes can be distinguished from academic literature?
RQ3: How do the identified security activities rank in terms of effectiveness and delay from a practitioner point of view?
Research approach (diagram): RQ1: literature review, yielding 2 definitions. RQ2: literature review and thematic analysis, yielding 33 activities and 87 design factors. RQ3: expert survey, followed by a GSS session, yielding a prioritised list of activities scored on effectiveness, delay and financial impact (IQR 1 for each criterion).
11. Automated Security Testing
Leverage SecaaS by using cloud provided self-managed, automated and scalable security services
Integrate the security tools in an automated deployment pipeline
Automate as many security controls and verifications as possible
Ensure the team and management understands and supports the security validations integrated in the automated deployment pipeline (added by expert)
Fail fast when security validations do not pass (added by expert)
Integrate the validations in the Definition of Done (added by expert)
Ensure APIs (of security verifications) align with organisational processes, allowing the implementation to remain easy to understand (added by expert)
Automated testing is geared towards finding implementation bugs but is generally not suited to spot design flaws (added by expert)
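As an added example (not from the presentation or the research it describes), the following gate shows how the design factors above combine in a pipeline: validations that are part of the Definition of Done run in order, the gate stops at the first blocking result (fail fast), and scanner output is reduced to one plain pass/fail interface so the pipeline stays easy to understand. The scanner names, severity levels and findings are constructed placeholders, not real tool output.

```python
"""Fail-fast security gate for an automated deployment pipeline (added example)."""
from dataclasses import dataclass
from typing import List, Optional

BLOCKING = frozenset({"high", "critical"})  # assumed Definition-of-Done threshold


@dataclass
class Finding:
    tool: str       # hypothetical scanner name, e.g. "sast"
    severity: str   # "low" | "medium" | "high" | "critical"
    title: str


@dataclass
class Validation:
    """One security validation from the Definition of Done, wrapped in a uniform API."""
    name: str
    findings: List[Finding]

    def blockers(self) -> List[Finding]:
        return [f for f in self.findings if f.severity in BLOCKING]


def run_gate(validations: List[Validation]) -> dict:
    """Run validations in the given order and stop at the first one that blocks."""
    executed: List[str] = []
    for v in validations:
        executed.append(v.name)
        if v.blockers():  # fail fast: later, slower validations are not run
            return {"passed": False, "failed_at": v.name,
                    "executed": executed, "blockers": v.blockers()}
    return {"passed": True, "failed_at": None, "executed": executed, "blockers": []}


# Constructed sample: cheap checks first, the SAST scan reports one blocking finding.
SAMPLE = [
    Validation("secrets", [Finding("secrets", "low", "test fixture resembles a key")]),
    Validation("sast", [Finding("sast", "high", "SQL built from request input")]),
    Validation("dependencies", [Finding("dependencies", "medium", "outdated library")]),
]

if __name__ == "__main__":
    result = run_gate(SAMPLE)
    print("GATE PASSED" if result["passed"] else f"GATE FAILED at {result['failed_at']}")
    for f in result["blockers"]:
        print(f"  [{f.severity}] {f.tool}: {f.title}")
```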
13. Integrate security assurance in DevOps without increasing delay
Framework (diagram): delay, effectiveness & financial; Tailor, Model, Assess; DevSecOps roadmap
Provides a toolbox of what (activities) and how (design factors) for DevSecOps
15. Integrate security assurance in DevOps without increasing delay
Framework
DevSecOps is not so much about doing different things as it is about doing things differently
DevOps flow, feedback loops, continual experimentation and learning
Share security learning experiences and create a security engineering mindset
Shift security responsibility to the teams and create supporting mechanisms to get the job done
Leverage security automation capabilities wherever possible
Establish security measurements to gain insights and create learning opportunities
Favor reducing delay over other aspects (cost, licensing, …)
18. Develop a reference implementation leveraging the existing set of OWASP tools
Combine the results of this research with research performed on the relationship between DevSecOps and compliance
Develop a periodic table of the DevSecOps tooling landscape
19. Executive Master in IT Risk & Cyber Security Management @ Antwerp Management School
https://www.lean-security.org
21. Thank you