| 1. |
- Angermeir, Florian, et al.
(författare)
-
Enterprise-Driven Open Source Software : A Case Study on Security Automation
- 2021
-
Ingår i: 2021 IEEE/ACM 43RD INTERNATIONAL CONFERENCE ON SOFTWARE ENGINEERING: SOFTWARE ENGINEERING IN PRACTICE (ICSE-SEIP 2021). - : IEEE Computer Society. - 9780738146690 ; , s. 278-287
-
Konferensbidrag (refereegranskat)abstract
- Agile and DevOps are widely adopted by the industry. Hence, integrating security activities with industrial practices. such as continuous integration (CI) pipelines, is necessary to detect security flaws and adhere to regulators' demands early. In this paper, we analyze automated security activities in CI pipelines of enterprise-driven open source software (OSS). This shall allow us, in the long-run, to better understand the extent to which security activities are (or should be) part of automated pipelines. In particular, we mine publicly available OSS repositories and survey a sample of project maintainers to better understand the role that security activities and their related tools play in their CI pipelines. To increase transparency and allow other researchers to replicate our study (and to take different perspectives), we further disclose our research artefacts. Our results indicate that security activities in enterprise-driven OSS projects are scarce and protection coverage is rather low. Only 6.83% of the analyzed 8,243 projects apply security automation in their CI pipelines, even though maintainers consider security to be rather important. This alerts industry to keep the focus on vulnerabilities of 3rd Party software and it opens space for other improvements or practice which we outline in this manuscript.
|
|
| 2. |
- Fabiola Moyón, Constante, et al.
(författare)
-
RefA : Reference Architecture for Security-compliant DevOps
- 2023
-
Rapport (refereegranskat)abstract
- This technical report presents RefA, a reference architecture for security-compliant DevOps. RefA consists of a set of models that illustrate the artefacts and practice areas to consider when implementing secure DevOps lifecycles. In addition, RefA describes people, proceses, and technology aspects to be considered in each practice area. Practitioners can use RefA for the purposes of designing and assessing security compliance of their DevOps lifecycles, while researchers may use RefA as a reference for setting up research roadmaps. RefA models result from combining the profound analysis of the IEC 62443-4-1 standard for secure industrial products development, continuous software engineering literature review, and observations made in practice in context of a large industrial company during the past 5 years. The manuscript constitutes original, previously unpublished research.
|
|
| 3. |
- Moyón, Fabiola, et al.
(författare)
-
Industrial Challenges in Secure Continuous Development
- 2024
-
Ingår i: ACM International Conference Proceeding Series. - : Association for Computing Machinery (ACM). - 9798400705007 ; , s. 309-311
-
Konferensbidrag (refereegranskat)abstract
- The intersection between security and continuous software engineering has been of great interest since the early years of the agile development movement, and it remains relevant as software development processes are more frequently guided by agility and the adoption of DevOps. Several authors have contributed studies about the framing of secure agile development and secure DevOps, motivating academic contributions to methods and practices, but also discussions around benefits and challenges. Especially the challenges captured also our interest since, for the last few years, we are conducting research on secure continuous software engineering from a more applied, practical perspective with the overarching aim to introduce solutions that can be adopted at scale. The short positioning at hands summarizes a relevant part of our endeavors in which we validated challenges with several practitioners of different roles. More than framing a set of challenges, we conclude by presenting four key research directions we identified for practitioners and researchers to delineate future work. Copyright © 2024 held by the owner/author(s).
|
|
