Component Analysis of DevOps and DevSecOps

  • Hong, Jin-Keun (Division of Information Communication Technology, Baekseok University)
  • Received : 2019.08.06
  • Accepted : 2019.09.28
  • Published : 2019.09.28

Abstract

This paper reviews the characteristics of development operations (DevOps) and development security operations (DevSecOps) for software and products, and surveys the analysis tools used from a software code perspective. It also emphasizes the importance of human factors, and the need to strengthen them, when security design rules are considered. With DevSecOps in view, the paper analyzes a secure process for managing change, focusing on fast and accurate decision-making from the standpoint of procedural factors. It further discusses the need for maturity-model analysis in relation to DevSecOps characteristics, and examines the meaning of the analysis elements through detailed procedures for the strength and integration of dynamic and static elements. Finally, it analyzes factors such as scanning activity and code analysis for threat modeling, compliance, and control.
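As an added illustration of the "scanning activity and code analysis for compliance and control" that the abstract lists as DevSecOps components, the following Python sketch is a minimal static pre-merge gate. It is example code written for this page, not the paper's own tooling: the rule names, the `# scan:allow` suppression marker and the sample files are all constructed here, and the AWS key in the sample is the well-known documentation placeholder, not a real credential.

```python
import re
from dataclasses import dataclass

# Hypothetical detection rules (constructed for this example).
# Each maps a rule name to a regex applied line by line.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "hardcoded_password": re.compile(r"""(?i)password\s*=\s*["'][^"']{4,}["']"""),
}

# Explicit, reviewable suppression: a line carrying this marker is skipped,
# so exceptions show up in code review instead of being silently ignored.
SUPPRESS_MARKER = "# scan:allow"


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str


def scan_file(path, text):
    """Return every rule hit in one file as a list of Finding records."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if SUPPRESS_MARKER in line:
            continue
        for rule, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(path, lineno, rule))
    return findings


def gate(files, fail_on=tuple(PATTERNS)):
    """Control point for the pipeline.

    files:   mapping of repository path -> file contents
    fail_on: rule names that block the merge (the compliance policy)
    Returns (passed, findings); the caller fails the build when passed is False.
    """
    findings = [f for path, text in files.items() for f in scan_file(path, text)]
    blocking = [f for f in findings if f.rule in fail_on]
    return (len(blocking) == 0), findings


# Constructed sample repository contents (not real code or secrets).
SAMPLE_FILES = {
    "app/config.py": 'DB_HOST = "db.internal"\nDB_PASSWORD = "hunter2secret"\n',
    "deploy/creds.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "app/safe.py": 'password = os.environ["DB_PASSWORD"]\n',
    "tests/test_keys.py": 'DUMMY = "-----BEGIN RSA PRIVATE KEY-----"  # scan:allow fixture\n',
}


if __name__ == "__main__":
    passed, findings = gate(SAMPLE_FILES)
    for f in findings:
        print(f"{f.path}:{f.line}: {f.rule}")
    print("gate passed" if passed else "gate FAILED")
```

The gate separates detection (`scan_file`) from policy (`fail_on`), which is the split the abstract's "compliance and control" elements call for: rules can be added or tuned without changing what blocks a merge, and the suppression marker keeps every exception visible to reviewers.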
