short-paper

Open access

Security in DevSecOps: Applying Tools and Machine Learning to Verification and Monitoring Steps

Authors:

Dejan StepecAuthors Info & Claims

ICPE '23 Companion: Companion of the 2023 ACM/SPEC International Conference on Performance Engineering

Pages 201 - 205

https://doi.org/10.1145/3578245.3584943

Published: 15 April 2023 Publication History

PDF eReader

Abstract

Security represents one of the crucial concerns when it comes to DevOps methodology-empowered software development and service delivery process. Considering the adoption of Infrastructure as Code (IaC), even minor flaws could potentially cause fatal consequences, especially in sensitive domains such as healthcare and maritime applications. However, most of the existing solutions tackle either Static Application Security Testing (SAST) or run-time behavior analysis distinctly. In this paper, we propose a) IaC Scan Runner, an open-source solution developed in Python for inspecting a variety of state-of-the-art IaC languages in application design time and b) the run time anomaly detection tool called LOMOS. Both tools work in synergy and provide a valuable contribution to a DevSecOps tool set. The proposed approach is demonstrated and their results will be demonstrated on various case studies showcasing the capabilities of static analysis tool IaC Scan Runner combined with LOMOS - log analysis artificial intelligence-enabled framework.

References

[1]

Juncal Alonso, Christophe Joubert, Leire Orue-Echevarria, Matteo Pradella, and Daniel Vladu?ic. 2021. Programming trustworthy Infrastructure As Code in a Secure Framework. In First SWForum workshop on Trustworthy Software and Open Source 2021. 1--8.

Google Scholar

[2]

Juncal Alonso, Radoslaw Piliszek, and Matija Cankar. 2023. Embracing IaC Through the DevSecOps Philosophy: Concepts, Challenges, and a Reference Framework. IEEE Software 40, 1 (2023), 56--62. https://doi.org/10.1109/MS.2022.3212194

Crossref

Google Scholar

[3]

Song Chen and Hai Liao. 2022. BERT-Log: Anomaly Detection for System Logs Based on Pre-trained Language Model. Applied Artificial Intelligence 36, 1 (2022), 2145642.

Crossref

Google Scholar

[4]

Dario Di Nucci, Fabio Palomba, Damian A. Tamburri, Alexander Serebrenik, and Andrea De Lucia. 2018. Detecting code smells using machine learning techniques: Are we there yet?. In 2018 IEEE 25th International Conference on Software Analysis, Evolution and Reengineering (SANER). 612--621. https://doi.org/10.1109/SANER.2018.8330266

Crossref

Google Scholar

[5]

Amir FarzadT and Aaron Gulliver. 2020. Unsupervised log message anomaly detection. ICT Express 6, 3 (2020), 229--237.

Crossref

Google Scholar

[6]

Kerim Goztepe. 2012. Designing Fuzzy Rule Based Expert System for Cyber Security. International Journal of Information Security Science 1 (01 2012), 13--19.

Google Scholar

[7]

Haixuan Guo, Shuhan Yuan, and Xintao Wu. 2021. LogBERT: Log Anomaly Detection via BERT. https://doi.org/10.48550/ARXIV.2103.04475

Crossref

Google Scholar

[8]

Jingquan Jin and Xin Lin. 2022. Web Log Analysis and Security Assessment Method Based on Data Mining. Computational Intelligence and Neuroscience 2022 (08 2022), 1--9. https://doi.org/10.1155/2022/8485014

Crossref

Google Scholar

[9]

Sean Kauffman. 2022. Log Analysis and System Monitoring with nfer. Science of Computer Programming 225 (11 2022), 102909. https://doi.org/10.1016/j.scico.2022.102909

Digital Library

Google Scholar

[10]

Lukas Layer, Daniel Abercrombie, Hamed Bakhshiansohi, Jennifer Adelman-McCarthy, Sharad Agarwal, Andres Hernandez, Weinan Si, and Jean-Roch Vlimant. 2020. Automatic log analysis with NLP for the CMS workflow handling. EPJ Web of Conferences 245 (01 2020), 03006. https://doi.org/10.1051/epjconf/202024503006

Crossref

Google Scholar

[11]

Nenad Petrovic, Matija Cankar, and An?e Luzar. 2022. Automated Approach to IaC Code Inspection Using Python-Based DevSecOps Tool. 1--4. https://doi.org/10.1109/TELFOR56187.2022.9983681

Crossref

Google Scholar

[12]

Jina Kim Yukyung Lee and Pilsung Kang. 2021. LAnoBERT: System Log Anomaly Detection based on BERT Masked Language Model. arXiv preprint 211109564 (2021).

Google Scholar

Cited By

View all

Rustemi AAtanasovski VRisteski AIdrizi FAngelkoska V(2024)Theoretical Approach Of Implementing Blockchain And Artificial Intelligence For Diploma Verification2024 13th Mediterranean Conference on Embedded Computing (MECO)10.1109/MECO62516.2024.10577813(1-4)Online publication date: 11-Jun-2024
https://doi.org/10.1109/MECO62516.2024.10577813
Boisrond KTardif PJaafar F(2024)Ensuring the Integrity, Confidentiality, and Availability of IoT Data in Industry 5.0: A Systematic Mapping StudyIEEE Access10.1109/ACCESS.2024.343461812(107017-107045)Online publication date: 2024
https://doi.org/10.1109/ACCESS.2024.3434618
Bedoya MPalacios SDíaz-López DLaverde ENespoli P(2024)Enhancing DevSecOps practice with Large Language Models and Security Chaos EngineeringInternational Journal of Information Security10.1007/s10207-024-00909-w23:6(3765-3788)Online publication date: 5-Oct-2024
https://doi.org/10.1007/s10207-024-00909-w
Show More Cited By

Index Terms

Security in DevSecOps: Applying Tools and Machine Learning to Verification and Monitoring Steps
1. Security and privacy
  1. Software and application security
    1. Software security engineering

Recommendations

Security Smells in Ansible and Chef Scripts: A Replication Study
Continuous Special Section: AI and SE

Context: Security smells are recurring coding patterns that are indicative of security weakness and require further inspection. As infrastructure as code (IaC) scripts, such as Ansible and Chef scripts, are used to provision cloud-based servers and ...
Barriers to Using Static Application Security Testing (SAST) Tools: A Literature Review
ASEW '24: Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering Workshops

Developers face a challenging problem with no clear solution. Modern software breaches can wreak havoc on businesses and individuals alike. With code vulnerabilities being a leading cause, securing applications must be a priority for developers. Static ...
Selenium Testing Tools Cookbook

Comments

Information & Contributors

Information

Published In

ICPE '23 Companion: Companion of the 2023 ACM/SPEC International Conference on Performance Engineering

April 2023

421 pages

ISBN:9798400700729

DOI:10.1145/3578245

General Chairs:
Marco Vieira
University of Coimbra, Portugal
,
Valeria Cardellini
University of Rome Tor Vergata, Italy
,
Program Chairs:
Antinisca Di Marco
University of L'Aquila, Italy
,
Petr Tuma
Charles University, Czechia

This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 15 April 2023

Check for updates

Author Tags

Qualifiers

Short-paper

Funding Sources

Conference

ICPE '23

Sponsor:

ICPE '23: ACM/SPEC International Conference on Performance Engineering

April 15 - 19, 2023

Coimbra, Portugal

Acceptance Rates

Overall Acceptance Rate 252 of 851 submissions, 30%

Upcoming Conference

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

7
Total Citations
View Citations
1,398
Total Downloads

Downloads (Last 12 months)645
Downloads (Last 6 weeks)68

Reflects downloads up to 01 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

View all

Rustemi AAtanasovski VRisteski AIdrizi FAngelkoska V(2024)Theoretical Approach Of Implementing Blockchain And Artificial Intelligence For Diploma Verification2024 13th Mediterranean Conference on Embedded Computing (MECO)10.1109/MECO62516.2024.10577813(1-4)Online publication date: 11-Jun-2024
https://doi.org/10.1109/MECO62516.2024.10577813
Boisrond KTardif PJaafar F(2024)Ensuring the Integrity, Confidentiality, and Availability of IoT Data in Industry 5.0: A Systematic Mapping StudyIEEE Access10.1109/ACCESS.2024.343461812(107017-107045)Online publication date: 2024
https://doi.org/10.1109/ACCESS.2024.3434618
Bedoya MPalacios SDíaz-López DLaverde ENespoli P(2024)Enhancing DevSecOps practice with Large Language Models and Security Chaos EngineeringInternational Journal of Information Security10.1007/s10207-024-00909-w23:6(3765-3788)Online publication date: 5-Oct-2024
https://doi.org/10.1007/s10207-024-00909-w
Theodoropoulos TRosa LBenzaid CGray PMarin EMakris ACordeiro LDiego FSorokin PGirolamo MBarone PTaleb TTserpes K(2023)Security in Cloud-Native Services: A SurveyJournal of Cybersecurity and Privacy10.3390/jcp30400343:4(758-793)Online publication date: 26-Oct-2023
https://doi.org/10.3390/jcp3040034
Petrović N(2023)Machine Learning-Based Run-Time DevSecOps: ChatGPT Against Traditional Approach2023 10th International Conference on Electrical, Electronic and Computing Engineering (IcETRAN)10.1109/IcETRAN59631.2023.10192161(1-5)Online publication date: 5-Jun-2023
https://doi.org/10.1109/IcETRAN59631.2023.10192161
Petrović N(2023)Chat GPT-Based Design-Time DevSecOps2023 58th International Scientific Conference on Information, Communication and Energy Systems and Technologies (ICEST)10.1109/ICEST58410.2023.10187247(143-146)Online publication date: 29-Jun-2023
https://doi.org/10.1109/ICEST58410.2023.10187247
Antić JCosta JČernivec ACankar MMartinčič TPotočnik AElguezabal GLeligou NBoigues I(2023)Runtime security monitoring by an interplay between rule matching and deep learning-based anomaly detection on logs2023 19th International Conference on the Design of Reliable Communication Networks (DRCN)10.1109/DRCN57075.2023.10108105(1-5)Online publication date: 17-Apr-2023
https://doi.org/10.1109/DRCN57075.2023.10108105

View Options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

Security Smells in Ansible and Chef Scripts: A Replication Study

Barriers to Using Static Application Security Testing (SAST) Tools: A Literature Review

Selenium Testing Tools Cookbook