DevSecOps: Security Expertise a Key to Automated Testing in CI/CD Pipeline

Article · December 2020

All content following this page was uploaded by Bakary Jammeh on 18 December 2020.



DevSecOps: Security Expertise a Key to Automated Testing in CI/CD Pipeline.

Bakary Jammeh
Department of Computing and Informatics
Bournemouth University
Poole, England.
[email protected]

ABSTRACT

To keep up with the speed and agility of DevOps, security should be involved throughout the development cycle from planning to monitoring, and organization teams need to automate some of the security processes and practices to meet these demands. DevSecOps is the integration and automation of security to help DevOps teams find issues earlier and mitigate them quickly while saving cost and time. We present some research questions to find out if teams with less or no security expertise can successfully integrate security testing in their CI/CD pipeline. We understand that access to security knowledge and expertise is key in DevSecOps, and every team member must understand their security responsibilities.

KEYWORDS

DevSecOps, Secure DevOps, Continuous Security, Automated software testing, CI/CD pipeline security, Secure development.

I. INTRODUCTION

The way software is developed and offered has evolved from Software as a Product (SaaP) issued to individuals into Software as a Service (SaaS) to many users with different needs [1]. This is mainly because the number of devices that use software increases (IoT devices) and people are so dependent on software applications in daily life, from homes to the education, health and financial sectors. The security of these systems is increasingly becoming a major focus area for most organisations due to the increase in cyber-attacks [2]. Consequently, new software development methodologies such as DevOps, which promote speed and agility, need to include a practice called DevSecOps to incorporate security testing during this rapid development cycle rather than waiting until the end [1] [2] [3]. But before we go further it is important to introduce DevOps as a prerequisite to understanding DevSecOps.

DevOps

Development and Operations (DevOps) is based on collaboration and shared responsibility between the development team and the operations team to improve product quality by solving problems together [2]. The concept was introduced in software development to extend the agile software development principles, and it emerged to give the speed and efficiency which software and IT teams are about [4] [5]. It promotes the merging and prioritizing of development and operations needs to tackle issues, and agreement on the processes and products to automate during software development and deployment [1]. This automated process is known as the Continuous Integration and Delivery (CI/CD) pipeline.

CI/CD Pipeline

CI/CD is a well-known practice in DevOps to ensure fast delivery of new features, and it enables development teams to deliver code changes constantly and consistently in production [6]. Continuous Integration (CI) enables developers to automatically integrate new code in a shared repository and check for errors at the same time [2], while continuous deployment enables frequent deployment of software in the production environment when checks are passed. Continuous Delivery (CD) helps teams to keep the software in a releasable state for customer use and reduces release time so as to get quick feedback from users for improvements [1].

DevSecOps

Integrating security in DevOps practice brings about the term commonly known as DevSecOps. DevSecOps is a methodology in which security is present throughout the entire life cycle of application development rather than being an afterthought [3]. Traditionally, security has always been about exclusion, meaning that Development, Security and Operations are in separate silos and security testing is done after development is finished [7]. DevSecOps promotes cultural change in teams by putting security at the forefront of requirements, so everyone participates and ensures security is achieved in the project [2]. It is understood that DevSecOps isn't just about security automation; there are some key principles such as cultural change, measurement and sharing of knowledge [8]. We focus on the automation of some security testing.

II. RESEARCH METHODS

This study is conducted to get an understanding of what DevSecOps means and to find out if teams without security expertise can successfully adopt the practice, and the benefits and challenges such teams might face. We use sources such as Google Scholar, IEEE and ResearchGate to find related literature using the keywords listed above. To clearly identify the goal of the paper, some research questions were formulated:

RQ1: Why automate security testing?
RQ2: What/what not to automate, and the security testing types in DevSecOps?
RQ3: What are the benefits of DevSecOps?
RQ4: Can teams without security expertise implement and adopt the DevSecOps practice?
RQ5: What are the challenges in adopting DevSecOps?

III. BACKGROUND

The term DevOpsSec was first used in 2012 by Neil MacDonald to integrate security within DevOps practices without affecting speed and agility [9]. DevSecOps is a methodology in which security is integrated into the entire life cycle of application development rather than being an afterthought [10]. Many organizations are introducing DevOps and DevSecOps in their SDLC, and there are some astonishing figures: it is suggested that the DevOps market might grow from $3.4b in 2018 to $10.3b in 2023, and DevSecOps from $1.5b to $5.9b in 2023 [19]. The DevSecOps practice is based on five principles (CAMS) for successful implementation of security into the development life cycle [2].

Culture: DevSecOps culture promotes shared responsibility for security and collaboration between the development, security and operations teams. Every department should integrate security in their work, which means security people should be involved from the project inception phase [2]. DevSecOps is about inclusion and working together as a team [7], and tends to eliminate the traditional practice of having separate silos.

Automation: DevSecOps is focused on 100% automation of security controls and processes in a way that will not reduce speed and agility [3]. The software testing activities are done automatically by using test tools (software) to do whatever human testers do manually [11]. It is not just about testing and deploying; it also includes release management, configuration management and monitoring [12]. However, test automation cannot eliminate or entirely replace manual testing, as it is not possible to automate all test cases [9]. Manual checks are vital in some cases, as certain errors or issues such as authentication and authorization are impossible for automated testing tools to detect [3].

Measurement: DevSecOps encourages the use of monitoring and metrics by teams to measure vulnerabilities and threats, which is important to keep records of performance and improve the quality of the software [3]. Everything that is relevant must be measured, and teams cannot improve their product if measurements are left out [10].

Sharing: DevSecOps supports the sharing of knowledge between all teams with the aim of integrating security into every process. It is the education and cross-training of each member of the development, operations and security teams [8] about their security duties. The security processes can only be improved when teams constantly share the challenges they face and how they can help each other out [3] [7].

IV. RELATED WORK

Embedding security within the CI/CD pipeline, with monitoring and automated set-up in the production environment, is very useful in finding bugs and vulnerabilities, especially for an inexperienced team with less or no security knowledge or expertise to manually find and assess vulnerabilities. Myrbakken and Colomo-Palacios described the meaning of DevSecOps, its benefits and challenges for adopting the practice, and how it has evolved since it was first introduced [1]. The authors understood DevSecOps to be meant to shift the mindset of everyone to ensure the security of the product.

Ahmed and Francis discussed the importance of security in DevOps processes and shared the challenges of DevOps processes without security considerations. They explained how to integrate security in an ongoing DevOps project and believed that missing security practice can cause the problem of insecure software at the end [13].

Rangnau, Buijtenen et al. present how to implement continuous dynamic security testing in a CI/CD pipeline and investigate the pitfalls of such testing. The authors were convinced that little of the literature focuses on dynamic security testing (DAST), and explain how to integrate suitable tools to scan for vulnerabilities in a workflow [2].

Khan (2020) outlines the secure DevOps workflow and how an organization can infuse continuous security testing in its continuous delivery pipeline; this is perhaps one of the most relevant works in terms of integrating security in a DevOps environment [12]. Khan discussed security controls, tools, automated checks/testing and best practice to make sure the software is tested at each stage of development.

Whilst there are several studies and publications on DevOps and DevSecOps, to the best of our knowledge none of these discusses or focuses on teams without security knowledge. Our work investigates this research gap to find out if such teams can effectively adopt DevSecOps, and the benefits and challenges they might face.

V. RESULTS

RQ1: Why automate security testing?

Application security testing should be integrated with the CI/CD pipeline, as traditional security testing methods cannot keep up with the speed and agility of DevOps [1] [13]. Development and automated testing at the infrastructure and service layer should be in the same continuous delivery flow (CI/CD) to tackle the problems with traditional development [12]. However, according to [3], 59% of organizations failed to include dynamic and static security testing in their pipeline. Yasar and Kontostathis are convinced that the results these tools provide are helpful and should be carefully tracked and measured to better understand issues [3], and to make sure quality software reaches production [7] [14]. Security expertise is needed to correctly configure automation, and according to L. Bass, R. Holz, P. Rimba et al. securing a CI/CD pipeline is complicated due to the skills and knowledge required [2] and the different tools involved in running the workflow [15].
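As an added illustration of the RQ1 points on automated testing, tracked measurements and correct configuration (example code written for this page, not from the paper or any cited work), the following is a minimal static-analysis gate for a CI stage: it scans a constructed sample module against three hypothetical rules, counts findings by severity, and shows how a policy that forgets to bound high-severity findings lets them through. Rule ids, the sample source and both policies are constructed for this example.

```python
"""Minimal SAST-style pipeline gate (constructed example, not the paper's code).
Scans Python source with the ast module for a few risky patterns, counts findings
per severity so they can be tracked build over build, and gates on a policy.
"""
import ast
from collections import Counter

# Hypothetical rule catalogue: rule id -> (severity, description).
RULES = {
    "SAST001": ("high", "subprocess call with shell=True"),
    "SAST002": ("high", "eval()/exec() on runtime data"),
    "SAST003": ("medium", "hard-coded credential in source"),
}
SECRET_NAMES = {"password", "passwd", "secret", "api_key", "token"}
SUBPROCESS_FUNCS = {"run", "call", "check_call", "check_output", "Popen"}


def _finding(rule, lineno):
    severity, message = RULES[rule]
    return {"rule": rule, "severity": severity, "line": lineno, "message": message}


def scan_source(source):
    """Return the list of findings for one Python module given as a string."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            func = node.func
            name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")
            shell_true = any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                             and kw.value.value is True for kw in node.keywords)
            if name in SUBPROCESS_FUNCS and shell_true:
                findings.append(_finding("SAST001", node.lineno))
            elif name in ("eval", "exec"):
                findings.append(_finding("SAST002", node.lineno))
        elif isinstance(node, ast.Assign) and len(node.targets) == 1:
            target, value = node.targets[0], node.value
            # A secret-looking name assigned a non-empty string literal.
            if (isinstance(target, ast.Name) and target.id.lower() in SECRET_NAMES
                    and isinstance(value, ast.Constant) and isinstance(value.value, str)
                    and value.value):
                findings.append(_finding("SAST003", node.lineno))
    return findings


def summarize(findings):
    """Findings per severity: the metric a team would track and report."""
    return dict(Counter(f["severity"] for f in findings))


def gate(findings, policy):
    """policy maps severity -> max findings tolerated; an unlisted severity is unbounded."""
    summary = summarize(findings)
    passed = all(summary.get(sev, 0) <= limit for sev, limit in policy.items())
    return passed, summary


# Constructed sample module: one finding per rule, on lines 3, 5 and 7.
SAMPLE_SOURCE = '''
import subprocess
password = "hunter2"
def ping(host):
    return subprocess.run("ping -c 1 " + host, shell=True)
def calc(expr):
    return eval(expr)
'''
STRICT_POLICY = {"high": 0, "medium": 0}  # block the stage on any finding
LENIENT_POLICY = {"medium": 5}            # forgot to bound "high" findings
```

Calling `gate(scan_source(SAMPLE_SOURCE), STRICT_POLICY)` fails the stage on two high findings, while the same scan under `LENIENT_POLICY` passes because the policy never mentions "high"; the tool ran, but the configuration decided the outcome.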
RQ2: What/what not to automate, and the security testing types in DevSecOps?

According to Garousi and Mäntylä [11], the decision of what and when to automate in software testing is vital, as a wrong decision can be catastrophic if automation is not applied with the right tools and approach. However, what and when to automate is dependent on the project and technologies [7]. Garousi and Mäntylä came up with five factors that influence what and what not to automate in software testing:
i. Software Under Test (SUT)
ii. Test case related factors
iii. Test tool related factors
iv. Human and organisational factors
v. Cross-cutting factors

And according to Sabetto, below are some of the security testing types to involve in DevSecOps to help identify vulnerabilities in software; all of these require good security skills and knowledge [16].
i. Static Application Security Testing (SAST): scans for vulnerabilities in the source code before the code is integrated.
ii. Dynamic Application Security Testing (DAST): scans for vulnerabilities after the application is deployed and running; it is a black-box testing technique.
iii. Vulnerability Scanning and Penetration Testing: automatically identifies common vulnerabilities in the application against some predefined rules and exploits them from an attacker's perspective.
iv. Configuration Management and Compliance: knowing how the application is configured and following regulation policies such as PCI-DSS.
v. Infrastructure as Code: written scripts to be triggered automatically to run tests and deploy securely without errors in a consistent manner.
vi. Continuous Monitoring: consistent monitoring of the production environment can help in finding issues for future improvements.

RQ3: What are the benefits of DevSecOps?

Organizations often state "We take your security and privacy seriously", but not many live by it [16]. Security must be taken seriously to avoid potential lawsuits and fines, and according to Cope, strong security starts with software development [17]. Below are some of the benefits of the DevSecOps practice.

Security Automation: Manual security testing has not kept up with the speed of DevOps. Security must be continuously involved in each phase and run tests automatically to keep up with this leap of change [5] [6] [11]. Automating security enables expanding of workload and scope, makes controls faster, and makes error detection and reporting possible [6].

Shift Security to the Left: The term "shift to the left" means security has to be considered and involved from the start of product development, and it also means more security testing by developers rather than being handled at a later stage [17]. Including security earlier will lead to fewer errors, and it is believed that static analysis tools are one of the things that help shift security to the left, as they can be run on code earlier, before deploying in an environment [4]. However, not many organizations have the expertise to make the best use of these tools [7].

Cost and Value: Security from the start of the project will enable teams to find errors quicker and fix them. Many believe that it can cost a fortune trying to fix bugs in production [1] [3] [7]. In the case of a cyber-attack, businesses can face a financial penalty due to a security hole being compromised or for non-compliance with regulations such as GDPR and PCI-DSS [18].

RQ4: Can teams without security expertise implement and adopt the DevSecOps practice effectively?

Implementing secure DevOps means teams must develop expertise and processes to discover and protect against threats and risk [2]. The authors are convinced that threat modelling and risk assessments are important practices of DevSecOps which require knowledge and skills [2] [7]. Threat modelling is a technique that must be employed to secure applications and APIs, as it enables teams to identify and prioritise possible threats that malicious individuals might exploit [15]. And according to Rio, applying the wrong standards and controls is a common mistake in organizations, and teams must know the language, framework and other technologies to configure security testing rules in the right way [4]. Good collaboration and understanding of security practices should be shared amongst teams, with a complete change in people's attitude towards security, for successful DevSecOps adoption [1].

RQ5: What are the major challenges in adopting DevSecOps?

Organizational Change: Securing development is not easy due to the complexity of software [17]. DevSecOps implementation means organizations must adopt change, and the barriers between the security, development and operations teams must be eliminated [2] [11].

Security Knowledge: Security methods in DevOps must be agile, and these methods need to be understood and accepted by all teams [2]. Skills and staff training are required to build security into the DevOps process [8].

Tools and Configurations: Getting the right tools and the right configurations is vital to finding bugs and other issues.
And understanding the abilities and limitations of these tools is a major challenge for teams [4].

Teams and Tools: Integration of all the different teams and the vast variety of tools needed in a CI/CD pipeline can be difficult. Choosing the tool that best suits all the teams, and reaching mutual agreement on requirements and controls, can be ambiguous [8].

VI. CONCLUSION

In this paper, we researched what DevSecOps means, and whether organization teams without security knowledge or expertise can successfully adopt DevSecOps. We wanted to find out if the practice can be adopted without dedicated security personnel or a security team. We also identified the key principles teams should adhere to, the benefits of successful implementation, and some of the challenges of DevSecOps.

We found that DevSecOps is understood by many as the integration of security testing and practice into the DevOps development methodology, and that it should be everyone's responsibility to ensure security is achieved. After reviewing some of the literature, it became clear that expertise and a good understanding of security are needed to implement security, and that knowledge needs to be shared amongst team members to avoid security illiteracy.

REFERENCES

[1] H. Myrbakken and R. Colomo-Palacios, "DevSecOps: A multivocal literature review," Commun. Comput. Inf. Sci., vol. 770, no. September, pp. 17–29, 2017, doi: 10.1007/978-3-319-67383-7_2.
[2] T. Rangnau, R. v. Buijtenen, F. Fransen, and F. Turkmen, "Continuous Security Testing: A Case Study on Integrating Dynamic Security Testing Tools in CI/CD Pipelines," pp. 145–154, 2020, doi: 10.1109/edoc49727.2020.00026.
[3] H. Yasar and K. Kontostathis, "Where to Integrate Security Practices on DevOps Platform," Int. J. Secur. Softw. Eng., vol. 7, no. 4, pp. 39–50, 2017, doi: 10.4018/ijsse.2016100103.
[4] S. Mansfield-Devine, "DevOps: finding room for security," Netw. Secur., vol. 2018, no. 7, pp. 15–20, 2018, doi: 10.1016/S1353-4858(18)30070-9.
[5] C. Ebert, G. Gallardo, J. Hernantes, and N. Serrano, "DevOps," 2016.
[6] L. Williams, "Continuously integrating security," Proc. - Int. Conf. Softw. Eng., pp. 1–2, 2018, doi: 10.1145/3194707.3194717.
[7] R. B. Salesforce and K. Carter, "SOFTWARE ENGINEERING Francois Raynaud on DevSecOps," no. October, pp. 93–96, 2017.
[8] M. Sánchez-Gordón and R. Colomo-Palacios, "Security as Culture: A Systematic Literature Review of DevSecOps," Proceedings - 2020 IEEE/ACM 42nd International Conference on Software Engineering Workshops, ICSEW 2020, pp. 266–269, 2020.
[9] R. Kumar and R. Goyal, "Modeling continuous security: A conceptual model for automated DevSecOps using open-source software over cloud (ADOC)," Comput. Secur., vol. 97, p. 101967, 2020, doi: 10.1016/j.cose.2020.101967.
[10] J. Caraballo-vega, "Pipelines Use Case : Docker Container Scanning BUILD CLEANUP Use Case : Black Box Enumeration of System," no. August, 2019.
[11] V. Garousi and M. V. Mäntylä, "When and what to automate in software testing? A multi-vocal literature review," Inf. Softw. Technol., vol. 76, no. April, pp. 92–117, 2016, doi: 10.1016/j.infsof.2016.04.015.
[12] M. O. Khan, "Fast Delivery, Continuously Build, Testing and Deployment with DevOps Pipeline Techniques on Cloud," Indian J. Sci. Technol., vol. 13, no. 5, pp. 552–575, 2020, doi: 10.17485/ijst/2020/v13i05/148983.
[13] Z. Ahmed and S. C. Francis, "Integrating Security with DevSecOps: Techniques and Challenges," Proceeding 2019 Int. Conf. Digit. Landscaping Artif. Intell. ICD 2019, pp. 178–182, 2019, doi: 10.1109/ICD47981.2019.9105789.
[14] J. Wolf and S. Yoon, "Automated Testing for Continuous Delivery Pipelines," pp. 1–12.
[15] L. Bass, R. Holz, P. Rimba, A. B. Tran, and L. Zhu, "Securing a deployment pipeline," Proc. - 3rd Int. Work. Release Eng. RELENG 2015, no. May, pp. 4–7, 2015, doi: 10.1109/RELENG.2015.11.
[16] R. Sabetto, "DevSecOps – Security and Test Automation Vibha Dhawan ▪ Clearly describe how Security and Testing can be integrated into a," no. March, 2019.
[17] R. Cope, "Strong security starts with software development," Netw. Secur., vol. 2020, no. 7, pp. 6–9, 2020, doi: 10.1016/S1353-4858(20)30078-7.
[18] Capita, "GDPR and data protection in the payments environment - an overview," Pay360, 2018.
[19] Markets, 2018: DevSecOps [Online], www.marketsandmarkets.com. Available from: https://www.marketsandmarkets.com/PressReleases/devsecops.asp [Accessed 10 Nov 2020].
[20] devsecops, 2015: devsecops [Online]. Available from: https://www.devsecops.org/blog/2015/2/15/what-is-devsecops [Accessed 10 Nov 2020].
