research-article
Open access

On DevSecOps and Risk Management in Critical Infrastructures: Practitioners' Insights on Needs and Goals

Published: 26 August 2024

Abstract

Risk management is essential for ensuring the sustained viability of organizations over the long term. It plays a pivotal role in business by helping identify potential threats and vulnerabilities, enabling well-informed decision-making. Within the context of critical infrastructures (CIs), it takes on even greater significance. DevSecOps is an innovative approach to bolstering the security of software applications. This approach is being heralded as a transformative solution that encourages the adoption of robust security practices, reduces risk, and ensures uninterrupted business continuity. This qualitative study explores the needs and goals of implementing DevSecOps in CIs from the perspective of DevOps practitioners, developers, and security experts. Findings show that the relevance of DevSecOps in CIs emerges from the need for proactive work, increased efficiency, automation, monitoring mechanisms, security, and outstanding products and services. Findings also identify the goals of establishing a stronger market presence, increasing revenues, and maintaining a leading position in the market. The study provides valuable insights on DevSecOps in risk management that can potentially encourage the adoption of DevSecOps and guide practitioners interested in leveraging the inherent benefits of this approach in the context of CIs.


Published In

EnCyCriS/SVM '24: Proceedings of the 2024 ACM/IEEE 4th International Workshop on Engineering and Cybersecurity of Critical Systems (EnCyCriS) and 2024 IEEE/ACM Second International Workshop on Software Vulnerability
April 2024
75 pages
ISBN:9798400705656
DOI:10.1145/3643662
This work is licensed under a Creative Commons Attribution International 4.0 License.

In-Cooperation

  • Faculty of Engineering of University of Porto

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. DevSecOps
  2. risk management
  3. software security
  4. critical infrastructures

Qualifiers

  • Research-article

Funding Sources

  • Research Council of Norway (RCN) in the INTPART program

Conference

EnCyCriS/SVM '24