DOI: 10.1145/3600160.3605054
research-article
Open access

VeriDevOps Software Methodology: Security Verification and Validation for DevOps Practices

Published: 29 August 2023

Abstract

VeriDevOps offers a methodology and a set of integrated mechanisms that significantly improve automation in DevOps to protect systems at operations time and prevent security issues at development time by (1) specifying security requirements, (2) generating trace monitors, (3) locating root causes of vulnerabilities, and (4) identifying security flaws in code and designs. This paper presents a methodology that enhances productivity and enables the continuous integration/delivery of trustworthy systems. We outline the methodology, its application to relevant scenarios, and offer recommendations for engineers and managers adopting the VeriDevOps approach. Practitioners applying the VeriDevOps methodology should include security modeling in the DevOps process, integrate security verification throughout all stages, utilize automated test generation tools for security requirements, and implement a comprehensive security monitoring system, with regular review and update procedures to maintain relevance and effectiveness.


Cited By

  • (2025) TrustOps: Continuously Building Trustworthy Software. Enterprise Design, Operations, and Computing. EDOC 2024 Workshops. 10.1007/978-3-031-79059-1_4 (53-67). Online publication date: 9-Feb-2025
  • (2023) Managing the full Lifecycle of Power Information Systems using HCSOA based LSTM-GRU Model in DevOps practices. 2023 International Conference on Integrated Intelligence and Communication Systems (ICIICS). 10.1109/ICIICS59993.2023.10421536 (1-7). Online publication date: 24-Nov-2023

Published In

ARES '23: Proceedings of the 18th International Conference on Availability, Reliability and Security
August 2023
1440 pages
ISBN: 9798400707728
DOI: 10.1145/3600160
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. DevOps
  2. monitoring
  3. security
  4. testing
  5. verification

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ARES 2023

Acceptance Rates

Overall Acceptance Rate 228 of 451 submissions, 51%

Article Metrics

  • Downloads (Last 12 months): 378
  • Downloads (Last 6 weeks): 48

Reflects downloads up to 08 Feb 2025
