A Continuous Certification Methodology for DevOps

Anisetti, Marco; Ardagna, Claudio Agostino; Gaudenzi, Filippo; Damiani, Ernesto

doi:10.1145/3297662.3365827

Cited by 7 publications

(12 citation statements)

References 22 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…However, the majority of the selected publications provide no in-depth security analysis of any of the two development approaches, but rather indicate the inclusion of generic security measures in the steps of the development method. Only three works, namely Mansfield-Devine (2018) , Anisetti et al (2019) and Kumar & Goyal (2020) , propose concrete and specific variants of the DevOps methodology that tackle security issues—in particular Mansfield-Devine (2018) explicitly cites the guidelines of DevSecOps Hsu (2018) .…”

Section: Review Resultsmentioning

confidence: 99%

Microservice security: a systematic literature review

Berardi

Giallorenzo

Mauro

et al. 2022

PeerJ Computer Science

View full text Add to dashboard Cite

Microservices is an emerging paradigm for developing distributed systems. With their widespread adoption, more and more work investigated the relation between microservices and security. Alas, the literature on this subject does not form a well-defined corpus: it is spread over many venues and composed of contributions mainly addressing specific scenarios or needs. In this work, we conduct a systematic review of the field, gathering 290 relevant publications—at the time of writing, the largest curated dataset on the topic. We analyse our dataset along two lines: (a) quantitatively, through publication metadata, which allows us to chart publication outlets, communities, approaches, and tackled issues; (b) qualitatively, through 20 research questions used to provide an aggregated overview of the literature and to spot gaps left open. We summarise our analyses in the conclusion in the form of a call for action to address the main open challenges.

show abstract

Section: Review Resultsmentioning

confidence: 99%

Microservice security: a systematic literature review

Berardi

Giallorenzo

Mauro

et al. 2022

PeerJ Computer Science

View full text Add to dashboard Cite

show abstract

“…For instance, our experiments uncovered several relevant issues without stressing the system execution. In this context, DevSecOps stands out as a cornerstone, to the point that assurance evaluations can become a part of a DevSecOps pipeline [22]. At the same time, the system must be evaluated at all layers, possibly exploiting the edge layer to (indirectly) assess IoT nodes without impacting on their resources.…”

Section: Methodsmentioning

confidence: 99%

“…These development artifacts describe the complete system deployment, and therefore become relevant for assurance, in terms of requirements to verify at run time, and of targets of evaluation. For instance, an assurance evaluation for availability can be executed against the manifest looking for High-Availability policies, in addition or in replacement of being executed against the system [22]. This brings crucial advantages when the system cannot be assessed directly (e.g., because of resource constraints), and constitutes a complementary and less-invasive means of evaluation.…”

Section: B Multi-phase Evaluationmentioning

confidence: 99%

Security Assurance in Modern IoT Systems

Bena

Bondaruc

Polimeno

2022

2022 IEEE 95th Vehicular Technology Conference: (VTC2022-Spring)

View full text Add to dashboard Cite

Modern distributed systems consist of a multilayer architecture of IoT, edge, and cloud nodes. Together, they are revolutionizing our lives, bringing intelligence to existing processes (e.g., smart grids) and enabling novel, efficient and effective processes (e.g., remote surgery). This transition however does not come without drawbacks, due to the ever-increasing reliance on devices whose security and safety are, at least, questionable. In this context, research is in its infancy, struggling to adapt successful practices applied, for instance, in cloud systems. Security of modern IoT systems still relies on oldfashioned approaches, mostly static assessments considering only very specific parts of the target system, rather than assessing the system as a whole. In this paper, we put forward the idea of security assurance for IoT, as a higher-level assurance process evaluating the target system at different layers and different moments of its lifecycle, then implemented by a flexible assurance framework. The quality of our approach is evaluated in a realworld smart lighting system.

show abstract

“…Non-functional properties mimics Protection Profiles of CC [25]. They have been mostly considered in the context of service certification [2] and later enhanced in the context of cloud certification [3,34,43], cloud plan adaption [6], DevOps pipelines [4], and to complement and validate risk management [1].…”

Section: Motivation and Reference Scenario 21 Motivation And State Of...mentioning

confidence: 99%

Bridging the Gap Between Certification and Software Development

Ardagna

Bena

Pozuelo

2022

Proceedings of the 17th International Conference on Availability, Reliability and Security

Self Cite

View full text Add to dashboard Cite

While certification is widely recognized as a means to increase system trustworthiness and reduce uncertainty in decision making, it faces severe challenges preventing a wider adoption thereof. Certification is not adequately planned and integrated within the development process, leading to suboptimal scenarios where certification introduces the need to further modify the developed system with high costs. We propose a methodology that bridges the gap between software development and certification processes. Our methodology automatically produces the certification requirements driving all steps of the development process, and maximizes the strength of certificates while taking costs under control. We formalize the above problem as a multi-objective mathematical program and solve it through a genetic algorithm. The proposed approach is tested in a real-world, cloud-based financial scenario at Caixa-Bank and its performance and quality is evaluated in a simulated scenario. CCS CONCEPTS• Security and privacy → Security requirements; Software security engineering; • Software and its engineering → Software design techniques; Software design tradeoffs; Software design engineering; Empirical software validation.

show abstract

A Continuous Certification Methodology for DevOps

Cited by 7 publications

References 22 publications

Microservice security: a systematic literature review

Microservice security: a systematic literature review

Security Assurance in Modern IoT Systems

Bridging the Gap Between Certification and Software Development

Contact Info

Product

Resources

About