fullrecord |
[{"key": "dc.contributor.advisor", "value": "Costin, Andrei", "language": "", "element": "contributor", "qualifier": "advisor", "schema": "dc"}, {"key": "dc.contributor.author", "value": "Koskinen, Anna", "language": "", "element": "contributor", "qualifier": "author", "schema": "dc"}, {"key": "dc.date.accessioned", "value": "2020-01-17T05:39:41Z", "language": null, "element": "date", "qualifier": "accessioned", "schema": "dc"}, {"key": "dc.date.available", "value": "2020-01-17T05:39:41Z", "language": null, "element": "date", "qualifier": "available", "schema": "dc"}, {"key": "dc.date.issued", "value": "2019", "language": "", "element": "date", "qualifier": "issued", "schema": "dc"}, {"key": "dc.identifier.uri", "value": "https://jyx.jyu.fi/handle/123456789/67345", "language": null, "element": "identifier", "qualifier": "uri", "schema": "dc"}, {"key": "dc.description.abstract", "value": "Hienostuneiden ja nopeatahtisten kyberhy\u00f6kk\u00e4ysten jatkuvasti lis\u00e4\u00e4ntyv\u00e4 m\u00e4\u00e4r\u00e4 aiheuttaa haasteita tietoturvallisuuden parissa ty\u00f6skenteleville. Miten uudistuvassa toimintaymp\u00e4rist\u00f6ss\u00e4 pystyt\u00e4\u00e4n ehk\u00e4isem\u00e4\u00e4n haavoittuvuuksia, havaitsemaan hy\u00f6kk\u00e4yksi\u00e4 ja reagoimaan tietoturvaongelmiin tehokkaasti? Samaan aikaan toisenlainen aikapaine vaivaa ohjelmistojen kehitt\u00e4ji\u00e4: liiketoimintavaatimusten vuoksi ohjelmistoja halutaan julkaista yh\u00e4 nopeammalla tahdilla. Miten tietoturva varmistetaan kiivaassa kehityssykliss\u00e4? DevOps on viime vuosina saavuttanut vankan aseman ohjelmistojen kehitt\u00e4mismetodina ja sen mahdollistama jatkuva integrointi saa yritykset ty\u00f6nt\u00e4m\u00e4\u00e4n uusia j\u00e4rjestelm\u00e4versioita tuotantoon jopa satoja kertoja p\u00e4iv\u00e4ss\u00e4. Nopeassa kehityssykliss\u00e4 t\u00e4rke\u00e4ksi kysymykseksi nousee, miten voidaan varmistaa ohjelmistojen tietoturva yht\u00e4 nopealla tahdilla. 
T\u00e4ss\u00e4 ty\u00f6ss\u00e4 tarkasteltiin systemaattisen kirjallisuuskatsauksen kautta, miten tietoturvaa parantavia aktiviteetteja voidaan lis\u00e4t\u00e4 DevOps-kehitt\u00e4misprosesseihin, jotta kehitt\u00e4mismenetelm\u00e4ss\u00e4 p\u00e4\u00e4st\u00e4isiin todelliseen DevSecOps-malliin \u2013 malliin, johon kehitt\u00e4misen (Dev) ja yll\u00e4pidon (Ops) olisi integroitu my\u00f6s tietoturva (Sec). Ty\u00f6ss\u00e4 tutkittiin 18 eri akateemisen artikkelin n\u00e4kemyst\u00e4 siit\u00e4, mit\u00e4 tietoturva-aktiviteetteja DevOps-prosessissa voidaan k\u00e4ytt\u00e4\u00e4 sek\u00e4 mit\u00e4 haasteita DevOps asettaa tietoturvalle. Viitekehyksen\u00e4 ty\u00f6ss\u00e4 k\u00e4ytettiin BSIMM-mallia (Building Security In Maturity Model), jonka avulla kartoitettiin turvallisuusaktiviteettien esiintymist\u00e4 tutkimuksessa. Tutkimuskirjallisuutta tarkasteltiin my\u00f6s DevOpsin nelj\u00e4n periaatteen (kulttuurin, automaation, mittaamisen ja jakamisen) kautta. Tuloksena huomattiin, ett\u00e4 nykytutkimus keskittyy pitk\u00e4lti DevOps-infrastruktuurissa k\u00e4ytettyjen teknologioiden (esim. konttitekniikat, kehitysputki ja pilvi-infrastruktuuri) turvaamiseen. DevOpsin turvallisuushaasteista tutkimus havaitsi suurimmiksi kehitysymp\u00e4rist\u00f6n turvaamisen, turvallisuuden ja nopeiden toimitusten tasapainottamisen sek\u00e4 niin sanotun sis\u00e4isen uhan (eli ty\u00f6ntekij\u00e4v\u00e4\u00e4rink\u00e4yt\u00f6sten) lis\u00e4\u00e4ntymisen mahdollisuuden. Lis\u00e4ksi tutkimus havaitsi, ett\u00e4 tutkijoiden kesken vallitsee edelleen erilaisia n\u00e4kemyksi\u00e4 siit\u00e4, mit\u00e4 DevOps on, sill\u00e4 DevOpsin perusperiaatteet ilmenev\u00e4t heikosti nykytutkimuksesta. 
Tutkimus antaa yleiskuvan turvallisen DevOps-kehitt\u00e4misen nykytutkimuksesta, edesauttaa DevSecOps-tyylist\u00e4 kehitt\u00e4mist\u00e4 sek\u00e4 tuo esiin tutkimusaukkoja tulevien tutkijoiden tutkittaviksi.", "language": "fi", "element": "description", "qualifier": "abstract", "schema": "dc"}, {"key": "dc.description.abstract", "value": "The constantly growing rate of sophisticated, high-speed cyber-attacks brings new challenges to the people working in cyber defense. How can security prevent vulnerabilities, detect attacks in real time and respond to security incidents effectively? At the same time further down the development pipeline, another kind of time pressure is felt by software developers: business needs are constantly pressing for faster software release cycles. How can security be properly addressed in the ever-increasing pace of modern software development? In the last decade, DevOps has grown steadily as a software development method and its ability to deploy products constantly has made organizations deploy applications up to hundreds of times per day. In the rapid-fire development life cycles, the question becomes, how can security be ensured at the same pace? This Thesis used a Systematic Literature Review to discover how security activities can be added into the core of DevOps development process in order to evolve the development methodology into DevSecOps, i.e., a development methodology that encompasses not only Development (Dev) and Operations (Ops) but also Security (Sec). The research looked at 18 different articles to understand how security activities can be used in DevOps processes as well as what challenges DevOps brings to security. The Building Security In Maturity Model (BSIMM) was used as a framework to chart the activities described in the academic research. The research literature was also reviewed through the four principles of DevOps: Culture, Automation, Measurement and Sharing (CAMS). 
As a result, it was found that the available research focuses heavily on securing the technologies frequently used in DevOps infrastructures (e.g., containers, development pipelines and cloud infrastructures). Looking at the challenges of security in DevOps, the research found the biggest challenges to be securing the deployment pipeline, balancing security with fast deliveries, as well as combating insider threat. The research also concluded that there are still many conflicting views on what DevOps is, which is shown by the DevOps principles not being reflected in the current research. The research gives an overview of the current state of research of security activities in DevOps, paves the way for DevSecOps style software development and brings forth research gaps for further researchers to explore.", "language": "en", "element": "description", "qualifier": "abstract", "schema": "dc"}, {"key": "dc.description.provenance", "value": "Submitted by Miia Hakanen (mihakane@jyu.fi) on 2020-01-17T05:39:41Z\nNo. of bitstreams: 0", "language": "en", "element": "description", "qualifier": "provenance", "schema": "dc"}, {"key": "dc.description.provenance", "value": "Made available in DSpace on 2020-01-17T05:39:41Z (GMT). No. 
of bitstreams: 0\n Previous issue date: 2019", "language": "en", "element": "description", "qualifier": "provenance", "schema": "dc"}, {"key": "dc.format.extent", "value": "67", "language": "", "element": "format", "qualifier": "extent", "schema": "dc"}, {"key": "dc.format.mimetype", "value": "application/pdf", "language": null, "element": "format", "qualifier": "mimetype", "schema": "dc"}, {"key": "dc.language.iso", "value": "eng", "language": null, "element": "language", "qualifier": "iso", "schema": "dc"}, {"key": "dc.rights", "value": "In Copyright", "language": "en", "element": "rights", "qualifier": null, "schema": "dc"}, {"key": "dc.subject.other", "value": "devops", "language": "", "element": "subject", "qualifier": "other", "schema": "dc"}, {"key": "dc.subject.other", "value": "devsecops", "language": "", "element": "subject", "qualifier": "other", "schema": "dc"}, {"key": "dc.subject.other", "value": "turvallinen ohjelmistokehitys", "language": "", "element": "subject", "qualifier": "other", "schema": "dc"}, {"key": "dc.subject.other", "value": "tietoturvallinen kehitt\u00e4minen", "language": "", "element": "subject", "qualifier": "other", "schema": "dc"}, {"key": "dc.subject.other", "value": "BSIMM", "language": "", "element": "subject", "qualifier": "other", "schema": "dc"}, {"key": "dc.title", "value": "DevSecOps : building security into the core of DevOps", "language": "", "element": "title", "qualifier": null, "schema": "dc"}, {"key": "dc.type", "value": "master thesis", "language": null, "element": "type", "qualifier": null, "schema": "dc"}, {"key": "dc.identifier.urn", "value": "URN:NBN:fi:jyu-202001171290", "language": "", "element": "identifier", "qualifier": "urn", "schema": "dc"}, {"key": "dc.type.ontasot", "value": "Pro gradu -tutkielma", "language": "fi", "element": "type", "qualifier": "ontasot", "schema": "dc"}, {"key": "dc.type.ontasot", "value": "Master\u2019s thesis", "language": "en", "element": "type", "qualifier": "ontasot", 
"schema": "dc"}, {"key": "dc.contributor.faculty", "value": "Informaatioteknologian tiedekunta", "language": "fi", "element": "contributor", "qualifier": "faculty", "schema": "dc"}, {"key": "dc.contributor.faculty", "value": "Faculty of Information Technology", "language": "en", "element": "contributor", "qualifier": "faculty", "schema": "dc"}, {"key": "dc.contributor.department", "value": "Informaatioteknologia", "language": "fi", "element": "contributor", "qualifier": "department", "schema": "dc"}, {"key": "dc.contributor.department", "value": "Information Technology", "language": "en", "element": "contributor", "qualifier": "department", "schema": "dc"}, {"key": "dc.contributor.organization", "value": "Jyv\u00e4skyl\u00e4n yliopisto", "language": "fi", "element": "contributor", "qualifier": "organization", "schema": "dc"}, {"key": "dc.contributor.organization", "value": "University of Jyv\u00e4skyl\u00e4", "language": "en", "element": "contributor", "qualifier": "organization", "schema": "dc"}, {"key": "dc.subject.discipline", "value": "Tietoj\u00e4rjestelm\u00e4tiede", "language": "fi", "element": "subject", "qualifier": "discipline", "schema": "dc"}, {"key": "dc.subject.discipline", "value": "Information Systems Science", "language": "en", "element": "subject", "qualifier": "discipline", "schema": "dc"}, {"key": "yvv.contractresearch.funding", "value": "0", "language": "", "element": "contractresearch", "qualifier": "funding", "schema": "yvv"}, {"key": "dc.type.coar", "value": "http://purl.org/coar/resource_type/c_bdcc", "language": null, "element": "type", "qualifier": "coar", "schema": "dc"}, {"key": "dc.rights.accesslevel", "value": "openAccess", "language": null, "element": "rights", "qualifier": "accesslevel", "schema": "dc"}, {"key": "dc.type.publication", "value": "masterThesis", "language": null, "element": "type", "qualifier": "publication", "schema": "dc"}, {"key": "dc.subject.oppiainekoodi", "value": "601", "language": "", "element": "subject", 
"qualifier": "oppiainekoodi", "schema": "dc"}, {"key": "dc.subject.yso", "value": "ohjelmistokehitys", "language": null, "element": "subject", "qualifier": "yso", "schema": "dc"}, {"key": "dc.subject.yso", "value": "tietoturva", "language": null, "element": "subject", "qualifier": "yso", "schema": "dc"}, {"key": "dc.subject.yso", "value": "software development", "language": null, "element": "subject", "qualifier": "yso", "schema": "dc"}, {"key": "dc.subject.yso", "value": "data security", "language": null, "element": "subject", "qualifier": "yso", "schema": "dc"}, {"key": "dc.format.content", "value": "fulltext", "language": null, "element": "format", "qualifier": "content", "schema": "dc"}, {"key": "dc.rights.url", "value": "https://rightsstatements.org/page/InC/1.0/", "language": null, "element": "rights", "qualifier": "url", "schema": "dc"}, {"key": "dc.type.okm", "value": "G2", "language": null, "element": "type", "qualifier": "okm", "schema": "dc"}]
|