Journal: Computers & Security

Modeling continuous security: A conceptual model for automated DevSecOps using open-source software over cloud (ADOC)


Abstract

Agile software development methodology and DevOps, together, have helped businesses achieve agility and velocity in delivering time-to-market applications and services. Open-source software (OSS) and cloud technologies are taking business innovation and DevOps to new heights. However, in the quest for agility and velocity, user data security and privacy assurance often get lower priority, as they are perceived as time-consuming activities requiring specialized people, process, and technology. We see this problem being addressed by integrating security into DevOps processes. Security for DevOps has been institutionalized as DevSecOps, with practical considerations for a given business context. In this work, we proposed a conceptual security model, ADOC, to facilitate adopting DevSecOps for business processes capitalizing on OSS over the cloud. This work contributes the following towards integrating continuous security in application and service delivery: (i) A continuous security conceptual framework proposal based on the requirements elicited from the analysis of challenges in adopting DevSecOps using OSS over the cloud. (ii) An integrationist security model, ADOC, based on the proposed continuous security conceptual framework, integrating development, security, and operation activities through automation of security controls using OSS over the cloud. (iii) A set of inter-working OSS tools for automation of the proposed security controls in ADOC workflow and practices. (iv) A set of metrics for performance measurement of the ADOC model. (v) Mapping of the solutions for the analyzed challenges using the proposed security controls, followed by a use case scenario to adopt the ADOC workflow and continuous practices. ADOC transforms security from ad hoc compliance-oriented activities into continuous assurance-oriented activities by codifying security controls into an automated delivery workflow. Its practical adoption enables businesses to deliver time-to-market, security-ready applications and services with accelerated velocity and sustainable agility in a cost-effective way.