Authors: Nikolov, L. A., Aleksieva-Petrova, A. P.
Title: Framework for Integrating Threat Modeling into a DevOps Pipeline for Enhanced Software Development
Keywords: DevOps, DevSecOps, Jenkins, pipeline, threat modeling

Abstract: In the realm of continuous integration and continuous deployment (CI/CD), safeguarding software systems is crucial. Integrating threat modeling into the DevOps pipeline ensures that security considerations are an integral part of the software development process, helping to prevent vulnerabilities from being introduced into production. This study outlines a detailed framework for embedding threat modeling into a Jenkins DevOps pipeline. The framework involves incorporating threat model results into a database and using this data to perform automated security scans. Three challenges in the integration of security into the DevOps pipeline are identified and discussed against the proposed framework.

Issue

2024 32nd International Conference on Software, Telecommunications and Computer Networks (SoftCOM 2024), 2024, https://doi.org/10.23919/SoftCOM62040.2024.10721871

Type: publication in an international forum, publication in a refereed edition, indexed in Scopus