Incremental Common Criteria Certification Processes using DevSecOps Practices

Dupont, Sébastien; Ginis, Guillaume; Malacario, Mirko; Porretti, Claudio; Maunero, Nicolò; Ponsard, Christophe; Massonet, Philippe

doi:10.1109/eurospw54576.2021.00009

Cited by 7 publications

(5 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Developers will be empowered with tools and automation capabilities to identify and remediate security issues during the development phase, reducing the likelihood of vulnerabilities making their way into production environments. DevSecOps practices will evolve to automate compliance management and reporting, addressing the challenges associated with maintaining regulatory compliance in dynamic and fast-paced development environments (Dupont et al, 2021). Automation tools will streamline compliance assessments, audits, and reporting processes, enabling organizations to demonstrate adherence to regulatory standards more efficiently.…”

Section: Future Directions and Trendsmentioning

confidence: 99%

The emergence and importance of DevSecOps: Integrating and reviewing security practices within the DevOps pipeline

Oluwatosin Oluwatimileyin Abiona,

Oluwatayo Jacob Oladapo,

Oluwole Temidayo Modupe

et al. 2024

World J. Adv. Eng. Technol. Sci.

View full text Add to dashboard Cite

The emergence of DevSecOps marks a significant paradigm shift in software development, focusing on integrating security practices seamlessly into the DevOps pipeline. This paper explores the evolution, principles, and importance of DevSecOps in contemporary software engineering. DevSecOps arises from the recognition that traditional security measures often lag behind the rapid pace of DevOps development cycles, leading to vulnerabilities and breaches. By integrating security early and continuously throughout the software development lifecycle, DevSecOps aims to proactively identify and mitigate risks without impeding the agility and speed of DevOps practices. This paper delves into the core principles of DevSecOps, emphasizing automation, collaboration, and cultural transformation. Automation streamlines security processes, enabling the automated testing and validation of code for vulnerabilities. Collaboration fosters communication and shared responsibility among developers, operations, and security teams, breaking down silos and promoting a collective approach to security. Cultural transformation involves cultivating a security-first mindset across the organization, where security is not an afterthought but an inherent part of the development process. The importance of DevSecOps cannot be overstated in today's digital landscape, where cyber threats are omnipresent and the cost of security breaches is staggering. By integrating security into every stage of the DevOps pipeline, organizations can enhance their resilience to cyber attacks, comply with regulatory requirements, and build trust with customers. DevSecOps represents a holistic approach to software development that prioritizes security without compromising speed or innovation. Embracing DevSecOps principles is imperative for organizations seeking to stay ahead in an increasingly complex and hostile digital environment.

show abstract

Section: Future Directions and Trendsmentioning

confidence: 99%

The emergence and importance of DevSecOps: Integrating and reviewing security practices within the DevOps pipeline

Oluwatosin Oluwatimileyin Abiona,

Oluwatayo Jacob Oladapo,

Oluwole Temidayo Modupe

et al. 2024

World J. Adv. Eng. Technol. Sci.

View full text Add to dashboard Cite

show abstract

“…However, auditing and compliance activities could be automated to facilitate the compliance process. Their automation supports the integration into the DevSecOps pipelines and continuous performance throughout the whole software development life cycle (SDLC) [32]. Not only will the automated procedures decrease human interaction and the possibility of errors from manual work, but they will also impact the time and costs as well, driving processes towards efficiency [21].…”

Section: Compliancementioning

confidence: 99%

“…Following the DAST approach, OpenSCAP [76] is an initiative focused on Security Content Automation Protocol (SCAP). It provides multiple tools in support of compliance and vulnerability assessment, e.g., OpenSCAP Base, OpenVAS, and OWASP ZAP [32]. In addition to the internal assessment using different available tools, auditing and governance services can be purchased by third parties, such as AWS.…”

Section: Managementmentioning

confidence: 99%

Holding on to Compliance While Adopting DevSecOps: An SLR

et al. 2022

View full text Add to dashboard Cite

The software industry has witnessed a growing interest in DevSecOps due to the premises of integrating security in the software development lifecycle. However, security compliance cannot be disregarded, given the importance of adherence to regulations, laws, industry standards, and frameworks. This study aims to provide an overview of compliance aspects in the context of DevSecOps and explore how compliance is ensured. Furthermore, this study reveals the trends of compliance according to the extant literature and identifies potential directions for further research in this context. Therefore, we carried out a systematic literature review on the integration of compliance aspects in DevSecOps, which rigorously followed the guidelines proposed by Kitchenham and Charters. We found 934 articles related to the topic by searching five bibliographic databases (163) and Google Scholar (771). Through a rigorous selection process, we selected 15 papers as primary studies. Then, we identified the compliance aspects of DevSecOps and grouped them into three main categories: compliance initiation, compliance management, and compliance technicalities. We observed a low number of studies; therefore, we encourage further efforts into the exploration of compliance aspects, their automated integration, and the development of metrics to evaluate such a process in the context of DevSecOps.

show abstract

“…For instance, certain attribute claims may be verifiable for, and should thus be attached to, a higher level in a software identity hierarchy rather than being verified repeatedly for derived binary releases. Determining when such overarching attributes need to be re-evaluated due to significant changes to the common code base is a challenge currently being tackled [48]. Extending and adapting software identity management solutions to support such attribution and certification processes could be an interesting avenue for future work.…”

Section: Limitations and Open Issuesmentioning

confidence: 99%

Decentralized Review and Attestation of Software Attribute Claims

2022

View full text Add to dashboard Cite

Software can be described, like human users and other objects, through attributes. For this work, we define software attributes as humanly verifiable, falsifiable, or judgeable statements regarding characteristics of said software. Much like attributes in general, software attributes require robust identities for their source but also for their target, meaning a software in general or a binary in particular. As software can be of critical importance, performing an independent review of attribute claims appears beneficial. We posit that decentralized platforms that were developed and refined over the past decade can bridge the gap between existing tools and methods for software review and their open, transparent, and accountable use for the benefit of users. In this work, we explore the feasibility and implications of decentralizing an independent review of software attribute claims. We envision the decentralization of a review process from initialization and execution to the persistent recording of results. We sketch the available design space by decomposing the overall process into a modular design and describe how each component covers overarching objectives. To illustrate practical implications and trade-offs, we present ETHDPR, a proof of concept implementation based on Ethereum and IPFS. Through a quantitative and qualitative evaluation, we show that a decentralized software review is practically feasible. We illustrate the flexibility of the proposed approach using a toy example of a software component in automotive systems. Lastly, we provide a discussion on fundamental limits and open issues of facilitating independent reviews via technological means.

show abstract

Incremental Common Criteria Certification Processes using DevSecOps Practices

Cited by 7 publications

References 8 publications

The emergence and importance of DevSecOps: Integrating and reviewing security practices within the DevOps pipeline

The emergence and importance of DevSecOps: Integrating and reviewing security practices within the DevOps pipeline

Holding on to Compliance While Adopting DevSecOps: An SLR

Decentralized Review and Attestation of Software Attribute Claims

Contact Info

Product

Resources

About