Utilize este identificador para referenciar este registo:
http://hdl.handle.net/10071/23411
Autoria: | Móyon, F. Soares, R. Pinto-Albuquerque, M. Mendez, D. Beckers, K. |
Editor: | Morisio, M., Torchiano, M., and Jedlitschka, A. |
Data: | 2020 |
Título próprio: | Integration of security standards in DevOps pipelines: An industry case study |
Volume: | 12562 |
Paginação: | 69 - 87 |
Título do evento: | 21st International Conference, PROFES 2020 |
ISSN: | 0302-9743 |
ISBN: | 978-3-030-64148-1 |
DOI (Digital Object Identifier): | 10.1007/978-3-030-64148-1_27 |
Palavras-chave: | Secure software engineering Security standards Agile software engineering DevOps pipeline DevSecOps Industrial control systems |
Resumo: | In the last decade, companies adopted DevOps as a fast path to deliver software products according to customer expectations, with well aligned teams and in continuous cycles. As a basic practice, DevOps relies on pipelines that simulate factory swim-lanes. The more automation in the pipeline, the shorter a lead time is supposed to be. However, applying DevOps is challenging, particularly for industrial control systems (ICS) that support critical infrastructures and that must obey to rigorous requirements from security regulations and standards. Current research on security compliant DevOps presents open gaps for this particular domain and in general for systematic application of security standards. In this paper, we present a systematic approach to integrate standard-based security activities into DevOps pipelines and highlight their automation potential. Our intention is to share our experiences and help practitioners to overcome the trade-off between adding security activities into the development process and keeping a short lead time. We conducted an evaluation of our approach at a large industrial company considering the IEC 62443-4-1 security standard that regulates ICS. The results strengthen our confidence in the usefulness of our approach and artefacts, and in that they can support practitioners to achieve security compliance while preserving agility including short lead times. |
Arbitragem científica: | yes |
Acesso: | Acesso Aberto |
Aparece nas coleções: | ISTAR-CRI - Comunicações a conferências internacionais |
Ficheiros deste registo:
Ficheiro | Descrição | Tamanho | Formato | |
---|---|---|---|---|
conferenceobject_77760.pdf | Versão Aceite | 570,56 kB | Adobe PDF | Ver/Abrir |
Todos os registos no repositório estão protegidos por leis de copyright, com todos os direitos reservados.