fullrecord |
[{"key": "dc.contributor.advisor", "value": "Costin, Andrei", "language": "", "element": "contributor", "qualifier": "advisor", "schema": "dc"}, {"key": "dc.contributor.author", "value": "Lepp\u00e4nen, Tiina", "language": "", "element": "contributor", "qualifier": "author", "schema": "dc"}, {"key": "dc.date.accessioned", "value": "2022-12-29T07:00:55Z", "language": null, "element": "date", "qualifier": "accessioned", "schema": "dc"}, {"key": "dc.date.available", "value": "2022-12-29T07:00:55Z", "language": null, "element": "date", "qualifier": "available", "schema": "dc"}, {"key": "dc.date.issued", "value": "2022", "language": "", "element": "date", "qualifier": "issued", "schema": "dc"}, {"key": "dc.identifier.uri", "value": "https://jyx.jyu.fi/handle/123456789/84627", "language": null, "element": "identifier", "qualifier": "uri", "schema": "dc"}, {"key": "dc.description.abstract", "value": "T\u00e4m\u00e4 artikkeligradu pohjautuu kahteen tietoturvallista ohjelmistokehityst\u00e4 tutkivaan artikkeliin. Ensimm\u00e4isen artikkelin tavoitteena on kehitt\u00e4\u00e4 kyber-turvallisuuden prosesseja tutkimalla ja arvioimalla valittujen uhkamallien ja haavoittuvuustietovarantojen integroimista. Tutkimuksen kohteena olivat yleisesti k\u00e4ytetyt mallit ja tietovarannot kuten STRIDE ja CWE. Toinen artikkeli k\u00e4sittelee DevOps-ohjelmistokehitysmenetelm\u00e4\u00e4n ja sen tietoturvalliseen k\u00e4ytt\u00f6\u00f6nottoon liittyvi\u00e4 haasteita ja k\u00e4yt\u00e4nteit\u00e4. Tutkimuksen l\u00e4ht\u00f6kohtana oli aiemmin tehty tutkimusartikkelikatsaukseen perustuva Pro Gradu -tutkielma. Nyt tehdyn tutkimuksen tulokset vahvistivat tietoturvallisen DevOpsin suurimpien haasteiden liittyv\u00e4n ohjelmistokehityksen putkiin ja pilviteknologiaan. Tunnistetut tietoturvatoimet luokiteltiin BSIMM-kypsyysmallin avulla ja tuloksia verrattiin BSIMM-projektin julkaisemaan top 10 -toimenpidelistaan. 
Lopputuloksena havaittiin, ett\u00e4 tietoturvallisen ohjelmistokehityksen toimenpidetrendit ovat edelleen teknologial\u00e4ht\u00f6isi\u00e4. Lis\u00e4ksi tutkimuksen tulokset korostavat tietoturva- ja DevOps-asiantuntijoiden yhteisty\u00f6n merkityst\u00e4.\n\nKun organisaatiot tavoittelevat laadukkaita ohjelmistotuotteita nopeilla ja automatisoiduilla ohjelmistokehitysk\u00e4yt\u00e4nteill\u00e4, riskin\u00e4 on ohjelmistoturvallisuuden j\u00e4\u00e4minen taka-alalle. Takuuvarmoja toimia tietoturva-aukottomien ohjelmistojen kehitt\u00e4miseen ei ole viel\u00e4 keksitty, mutta siihen pyrit\u00e4\u00e4n hy\u00f6dynt\u00e4m\u00e4ll\u00e4 erilaisia malleja, viitekehyksi\u00e4 ja menetelmi\u00e4 monipuolisesti. N\u00e4it\u00e4 malleja voidaan soveltaa esim. sanastoina, muistilistoina, mittatikkuina tai l\u00e4ht\u00f6kohtina tietoturvallisen ohjelmistokehityksen eri vaiheissa. Tyypillisi\u00e4 alueita viitekehysten hy\u00f6dynt\u00e4miselle ovat uhkamallinnus ja tietoturvallisuuden kypsyysarviointi. Saavutettavat hy\u00f6dyt ovat kiistattomia: viitekehyksi\u00e4 hy\u00f6dynnet\u00e4\u00e4n riskien ja uhkien ennakointiin sek\u00e4 tietoturvatoimiin liittyvien puutteiden ja katvealueiden tunnistamiseen.", "language": "fi", "element": "description", "qualifier": "abstract", "schema": "dc"}, {"key": "dc.description.abstract", "value": "This master's thesis is based on two articles on secure software development and utilization of models and frameworks in software development lifecycle. The first article aims to improve the cybersecurity processes by attempting to bridge the gap between threats and weaknesses. In this research the industry-accepted models and databases like STRIDE and CWE were in the main role. The second article deals with security challenges and practices for secure DevOps software development. This research was a review of the data extraction and analysis phase and results of an earlier made Systematic Literature Review (SLR) study. 
The updated list of challenges confirmed that the biggest challenges of secure DevOps are related to the development pipelines and cloud technology. The BSIMM maturity model was utilized for classification of the identified security actions. As a result, the trends of security actions were formed and compared to the corresponding list of top 10 activities by the BSIMM project. The analysis of security actions and their trends revealed that the emphasis on technical aspects of software security continues. However, it was also notified that more attention should be paid on collaboration between DevOps and security specialists.\n\nAs organizations are thriving after good quality software products with the help of automated and fast software development practices, the threat is that software security is too often being left behind. The silver bullet of flawless software has not been invented yet but there are plenty of models, frameworks, methods, and methodologies whose aim is to protect software from invisible and unknown security threats. In this master\u2019s thesis the themes covered in the attached articles are gathered and reviewed from the standpoint of selected models and frameworks used in secure DevOps. The role of these industry-accepted models and frameworks is diverse. They can be applied as, for example, taxonomy, mnemonic, measuring stick or baseline for building security in various phases of software development lifecycle. Threat modeling and information security maturity measurement are popular areas where frameworks are used. In these areas the advantage of frameworks is obvious: they are used to help to tackle even unknown risks and threats by using common databases, and to locate and evaluate the gaps in security practices.", "language": "en", "element": "description", "qualifier": "abstract", "schema": "dc"}, {"key": "dc.description.provenance", "value": "Submitted by Paivi Vuorio (paelvuor@jyu.fi) on 2022-12-29T07:00:55Z\nNo. 
of bitstreams: 0", "language": "en", "element": "description", "qualifier": "provenance", "schema": "dc"}, {"key": "dc.description.provenance", "value": "Made available in DSpace on 2022-12-29T07:00:55Z (GMT). No. of bitstreams: 0\n Previous issue date: 2022", "language": "en", "element": "description", "qualifier": "provenance", "schema": "dc"}, {"key": "dc.format.extent", "value": "73", "language": "", "element": "format", "qualifier": "extent", "schema": "dc"}, {"key": "dc.format.mimetype", "value": "application/pdf", "language": null, "element": "format", "qualifier": "mimetype", "schema": "dc"}, {"key": "dc.language.iso", "value": "eng", "language": null, "element": "language", "qualifier": "iso", "schema": "dc"}, {"key": "dc.rights", "value": "In Copyright", "language": "en", "element": "rights", "qualifier": null, "schema": "dc"}, {"key": "dc.subject.other", "value": "software security", "language": "", "element": "subject", "qualifier": "other", "schema": "dc"}, {"key": "dc.subject.other", "value": "security framework", "language": "", "element": "subject", "qualifier": "other", "schema": "dc"}, {"key": "dc.subject.other", "value": "DevOps", "language": "", "element": "subject", "qualifier": "other", "schema": "dc"}, {"key": "dc.subject.other", "value": "threat model", "language": "", "element": "subject", "qualifier": "other", "schema": "dc"}, {"key": "dc.subject.other", "value": "maturity model for software security", "language": "", "element": "subject", "qualifier": "other", "schema": "dc"}, {"key": "dc.title", "value": "Frameworks for software threats and security in secure DevOps", "language": "", "element": "title", "qualifier": null, "schema": "dc"}, {"key": "dc.type", "value": "master thesis", "language": null, "element": "type", "qualifier": null, "schema": "dc"}, {"key": "dc.identifier.urn", "value": "URN:NBN:fi:jyu-202212295861", "language": "", "element": "identifier", "qualifier": "urn", "schema": "dc"}, {"key": "dc.type.ontasot", "value": 
"Pro gradu -tutkielma", "language": "fi", "element": "type", "qualifier": "ontasot", "schema": "dc"}, {"key": "dc.type.ontasot", "value": "Master\u2019s thesis", "language": "en", "element": "type", "qualifier": "ontasot", "schema": "dc"}, {"key": "dc.contributor.faculty", "value": "Informaatioteknologian tiedekunta", "language": "fi", "element": "contributor", "qualifier": "faculty", "schema": "dc"}, {"key": "dc.contributor.faculty", "value": "Faculty of Information Technology", "language": "en", "element": "contributor", "qualifier": "faculty", "schema": "dc"}, {"key": "dc.contributor.department", "value": "Informaatioteknologia", "language": "fi", "element": "contributor", "qualifier": "department", "schema": "dc"}, {"key": "dc.contributor.department", "value": "Information Technology", "language": "en", "element": "contributor", "qualifier": "department", "schema": "dc"}, {"key": "dc.contributor.organization", "value": "Jyv\u00e4skyl\u00e4n yliopisto", "language": "fi", "element": "contributor", "qualifier": "organization", "schema": "dc"}, {"key": "dc.contributor.organization", "value": "University of Jyv\u00e4skyl\u00e4", "language": "en", "element": "contributor", "qualifier": "organization", "schema": "dc"}, {"key": "dc.subject.discipline", "value": "Kyberturvallisuus", "language": "fi", "element": "subject", "qualifier": "discipline", "schema": "dc"}, {"key": "dc.subject.discipline", "value": "Kyberturvallisuus", "language": "en", "element": "subject", "qualifier": "discipline", "schema": "dc"}, {"key": "yvv.contractresearch.funding", "value": "0", "language": "", "element": "contractresearch", "qualifier": "funding", "schema": "yvv"}, {"key": "dc.type.coar", "value": "http://purl.org/coar/resource_type/c_bdcc", "language": null, "element": "type", "qualifier": "coar", "schema": "dc"}, {"key": "dc.rights.accesslevel", "value": "restrictedAccess", "language": null, "element": "rights", "qualifier": "accesslevel", "schema": "dc"}, {"key": 
"dc.type.publication", "value": "masterThesis", "language": null, "element": "type", "qualifier": "publication", "schema": "dc"}, {"key": "dc.subject.oppiainekoodi", "value": "601", "language": "", "element": "subject", "qualifier": "oppiainekoodi", "schema": "dc"}, {"key": "dc.subject.yso", "value": "turvallisuus", "language": null, "element": "subject", "qualifier": "yso", "schema": "dc"}, {"key": "dc.subject.yso", "value": "tietoturva", "language": null, "element": "subject", "qualifier": "yso", "schema": "dc"}, {"key": "dc.subject.yso", "value": "kyberturvallisuus", "language": null, "element": "subject", "qualifier": "yso", "schema": "dc"}, {"key": "dc.subject.yso", "value": "ohjelmistokehitys", "language": null, "element": "subject", "qualifier": "yso", "schema": "dc"}, {"key": "dc.subject.yso", "value": "tietotekniikka", "language": null, "element": "subject", "qualifier": "yso", "schema": "dc"}, {"key": "dc.subject.yso", "value": "ohjelmistosuunnittelu", "language": null, "element": "subject", "qualifier": "yso", "schema": "dc"}, {"key": "dc.subject.yso", "value": "ohjelmistotekniikka", "language": null, "element": "subject", "qualifier": "yso", "schema": "dc"}, {"key": "dc.subject.yso", "value": "safety and security", "language": null, "element": "subject", "qualifier": "yso", "schema": "dc"}, {"key": "dc.subject.yso", "value": "data security", "language": null, "element": "subject", "qualifier": "yso", "schema": "dc"}, {"key": "dc.subject.yso", "value": "cyber security", "language": null, "element": "subject", "qualifier": "yso", "schema": "dc"}, {"key": "dc.subject.yso", "value": "software development", "language": null, "element": "subject", "qualifier": "yso", "schema": "dc"}, {"key": "dc.subject.yso", "value": "information technology", "language": null, "element": "subject", "qualifier": "yso", "schema": "dc"}, {"key": "dc.subject.yso", "value": "software design", "language": null, "element": "subject", "qualifier": "yso", "schema": "dc"}, {"key": 
"dc.subject.yso", "value": "software technology", "language": null, "element": "subject", "qualifier": "yso", "schema": "dc"}, {"key": "dc.format.content", "value": "fulltext", "language": null, "element": "format", "qualifier": "content", "schema": "dc"}, {"key": "dc.rights.url", "value": "https://rightsstatements.org/page/InC/1.0/", "language": null, "element": "rights", "qualifier": "url", "schema": "dc"}, {"key": "dc.rights.accessrights", "value": "The author has not given permission to make the work publicly available electronically. Therefore the material can be read only at the archival workstation at Jyv\u00e4skyl\u00e4 University Library (https://kirjasto.jyu.fi/collections/archival-workstation).", "language": "en", "element": "rights", "qualifier": "accessrights", "schema": "dc"}, {"key": "dc.rights.accessrights", "value": "Tekij\u00e4 ei ole antanut lupaa avoimeen julkaisuun, joten aineisto on luettavissa vain Jyv\u00e4skyl\u00e4n yliopiston kirjaston arkistoty\u00f6semalta. Ks. https://kirjasto.jyu.fi/kokoelmat/arkistotyoasema..", "language": "fi", "element": "rights", "qualifier": "accessrights", "schema": "dc"}, {"key": "dc.type.okm", "value": "G2", "language": null, "element": "type", "qualifier": "okm", "schema": "dc"}]
|