ANALYSIS OF DEVSECOPS METHODOLOGY IN SOFTWARE DEVELOPMENT PROCESSES

DOI:

https://doi.org/10.20998/2079-0023.2020.01.12

Keywords:

DevSecOps, Application security, Infrastructure security, SDLC, BSIMM, OpenSAMM

Abstract

The subject of this research is the software development and protection methodology known as DevSecOps. This methodology has changed the approach to ensuring security from reactive to proactive, and it also emphasizes the importance of security at all levels of the organization. DevSecOps means building security into application development from the earliest stages through to the end, and it includes automating some security gates so that security checks do not slow down the DevOps workflow. It is necessary to maintain short and frequently repeated cycles of software product development while integrating security measures into them. Choosing the right tools for continuous security integration helps achieve these goals. Modern automation tools have helped organizations adopt more flexible development methods and have also played a role in the development of new security measures. Effective protection of DevOps requires not only new tools but also changes in how DevOps processes are organized, so that the work of security teams is quickly integrated with that of other specialists, which improves the quality of the product. The article is devoted to a detailed analysis of modern approaches and methodologies for systematizing software development and protection, including SDLC, BSIMM and OpenSAMM. The purpose of the work is the classification of approaches to the construction of DevSecOps processes, as well as the consideration of methodologies for systematizing existing software protection tools that ensure the interaction of a development team and information protection specialists within one development life cycle. The following tasks are solved in the article: consideration and analysis of approaches to constructing DevSecOps processes, and consideration of methodologies for systematizing software protection tools. The following results were obtained: the components necessary for constructing DevSecOps processes are analyzed.
Conclusions: the analysis allows us to classify the process of developing and protecting software using the DevSecOps methodology.

Author Biographies

Andrii Oleksandrovich Hapon, Kharkiv National University of Radio Electronics

Kharkiv National University of Radio Electronics, Postgraduate of Department of Information Technology Security; Kharkiv, Ukraine

Volodymyr Mykolayovych Fedorchenko, Kharkiv National University of Radio Electronics

Candidate of Engineering Sciences, Docent, Kharkiv National University of Radio Electronics, Associate Professor of the Department of Information Technology Security; Kharkiv, Ukraine

Andrii Oleksandrovich Polyakov, Docent, Semen Kuznets Kharkiv National Economic University

Candidate of Engineering Sciences, Docent, Semen Kuznets Kharkiv National Economic University, Associate Professor of the Department of Information Systems; Kharkiv, Ukraine

Valeriy Yuriyovich Volovshchykov, National Technical University "Kharkiv Polytechnic Institute"

Candidate of Technical Sciences, Docent, National Technical University "Kharkiv Polytechnic Institute", Associate Professor of the Department of Software Engineering and Management Information Technologies; Kharkiv, Ukraine

Viktor Alexeevich Guzhva, National Technical University "Kharkiv Polytechnic Institute"

Candidate of Technical Sciences, Docent, National Technical University "Kharkiv Polytechnic Institute", Professor of the Department of Software Engineering and Management Information Technologies; Kharkiv, Ukraine


How to Cite

Hapon, A. O., Fedorchenko, V. M., Polyakov, A. O., Volovshchykov, V. Y., & Guzhva, V. A. (2020). Analysis of DevSecOps methodology in software development processes. Bulletin of National Technical University "KhPI". Series: System Analysis, Control and Information Technologies, 1(3), 68–73. https://doi.org/10.20998/2079-0023.2020.01.12

Section

MANAGEMENT IN ORGANIZATIONAL SYSTEMS