Security for DevOps Deployment Processes: Defenses, Risks, Research Directions

Norman Wilde, Brian Eddy, Khyati Patel, Nathan Cooper, Valeria Gamboa, Bhavyansh Mishra, Keenal Shah
2016 (2016-11-30), International Journal of Software Engineering & Applications, Academy and Industry Research Collaboration Center (AIRCC). Container record: https://fatcat.wiki/container/73sz3v7aezhnvhsb3x3ywuicae
DevOps is an emerging collection of software management practices intended to shorten time to market for new software features and to reduce the risk of costly deployment errors. In this paper we examine the security implications of two of the key DevOps practices: automation of the deployment pipeline using a deployment toolchain, and infrastructure-as-code to specify the environment of the deployed software. We focus on identifying what changes when an organization moves from manual to DevOps automated deployment processes. We reviewed the literature and conducted three case studies using simple configurations of common DevOps tools. This allowed us to identify specific:
• Positive influences on security, where automation enhances defenses.
• Negative influences, where automation enables different kinds of attacks and increases the attack surface.
• Research directions that look promising to support this new approach to software management.
• Recommendations for DevOps adopters.

A DevOps continuous deployment pipeline is an automated toolchain. When code is checked in by a developer, a series of steps takes place with little or no manual intervention. The new software is built by one set of tools and deployed to a test environment that is provisioned by another set of tools. Other tools run the tests and, if these pass, the new code may then be released to staging and production environments [4]. DevOps is enabled by cloud computing and, indeed, would be almost inconceivable without infrastructure-as-a-service clouds. DevOps requires multiple near-identical execution environments, so that developers, testers, security analysts and so on see essentially the same environment as the end-user-facing production environment.
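The pipeline described above (build, provision a test environment from an infrastructure-as-code spec, test, promote to staging and production only on a pass) can be modelled in a few dozen lines, and doing so makes two of the defensive properties the abstract alludes to concrete: the artifact that reaches production must be byte-for-byte the one that passed tests, and every environment must be provisioned from the same spec. The following is an added illustration, not code from the paper or from any of the tools it studied; the stage names, the environment spec keys, the `ALLOWED_DIFFS` set and the use of a SHA-256 digest as artifact identity are assumptions made for the example.

```python
"""Toy continuous-deployment pipeline with two integrity gates (added example).

Assumptions: an artifact is identified by the SHA-256 of its built content;
environments are described by flat key/value specs; only the keys in
ALLOWED_DIFFS may legitimately differ between environments.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed infrastructure-as-code base spec for the example.
BASE_SPEC = {
    "os_image": "ubuntu-16.04",
    "runtime": "python-3.5",
    "ssh_password_auth": False,
    "firewall_ingress": ["443/tcp"],
    "replicas": 1,
}
ALLOWED_DIFFS = {"replicas"}  # scale may differ; hardening settings may not


def env_spec(**overrides) -> Dict:
    """Derive an environment spec from the base spec (hypothetical helper)."""
    spec = dict(BASE_SPEC)
    spec.update(overrides)
    return spec


def spec_drift(spec: Dict, base: Dict = BASE_SPEC, allowed=ALLOWED_DIFFS) -> List[str]:
    """Keys on which spec differs from base outside the allowed set (sorted)."""
    diffs = {k for k in set(base) | set(spec) if base.get(k) != spec.get(k)}
    return sorted(diffs - allowed)


@dataclass(frozen=True)
class Artifact:
    name: str
    digest: str  # sha256 hex of the built content, fixed at build time


@dataclass
class PipelineRun:
    commit: str
    artifact: Optional[Artifact] = None
    tested_digest: Optional[str] = None
    deployed: Dict[str, str] = field(default_factory=dict)  # env -> digest
    log: List[str] = field(default_factory=list)


def build(run: PipelineRun, source_bytes: bytes) -> Artifact:
    """Build stage: the digest computed here is the artifact's identity from now on."""
    digest = hashlib.sha256(source_bytes).hexdigest()
    run.artifact = Artifact(f"app-{run.commit[:7]}", digest)
    run.log.append(f"build: {run.artifact.name} sha256={digest[:12]}")
    return run.artifact


def provision_and_test(run: PipelineRun, spec: Dict, test_fn: Callable[[Artifact], bool]) -> bool:
    """Test stage: refuse a drifted test environment, record which digest passed."""
    drift = spec_drift(spec)
    if drift:
        run.log.append(f"test env rejected, spec drift on {drift}")
        return False
    passed = test_fn(run.artifact)
    if passed:
        run.tested_digest = run.artifact.digest
    run.log.append(f"test: {'pass' if passed else 'fail'}")
    return passed


def promote(run: PipelineRun, env_name: str, spec: Dict, artifact: Artifact) -> bool:
    """Deploy only the exact artifact that passed tests, only to a non-drifted env."""
    if run.tested_digest is None or artifact.digest != run.tested_digest:
        run.log.append(f"{env_name}: refused, {artifact.name} is not the tested build")
        return False
    drift = spec_drift(spec)
    if drift:
        run.log.append(f"{env_name}: refused, spec drift on {drift}")
        return False
    run.deployed[env_name] = artifact.digest
    run.log.append(f"{env_name}: deployed {artifact.name}")
    return True


def run_pipeline(commit: str, source_bytes: bytes,
                 test_fn: Callable[[Artifact], bool], envs: Dict[str, Dict]) -> PipelineRun:
    """Whole toolchain: build -> test -> staging -> production, stopping at the first refusal."""
    run = PipelineRun(commit)
    art = build(run, source_bytes)
    if not provision_and_test(run, envs["test"], test_fn):
        return run
    for env_name in ("staging", "production"):
        if not promote(run, env_name, envs[env_name], art):
            break
    return run


if __name__ == "__main__":
    envs = {"test": env_spec(), "staging": env_spec(replicas=2),
            "production": env_spec(replicas=4, ssh_password_auth=True)}  # drifted on purpose
    result = run_pipeline("a1b2c3d4e5", b"print('hello')\n", lambda a: True, envs)
    print("\n".join(result.log))
```

The two gates are where the abstract's "positive influence" of automation shows up: a human doing the same promotion by hand would have to remember to compare the build hash and re-audit the environment at every step, whereas the toolchain does both every time. The flip side, which the abstract also flags, is that whoever controls `BASE_SPEC`, `ALLOWED_DIFFS` or the code of `promote` controls every environment at once, so the pipeline definition itself needs the same change control as the application.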
doi:10.5121/ijsea.2016.7601 (https://doi.org/10.5121/ijsea.2016.7601) · fatcat:u3ayin7nl5chbpg5m6i54cg65q (https://fatcat.wiki/release/u3ayin7nl5chbpg5m6i54cg65q)
Full text (PDF, Web Archive): https://web.archive.org/web/20170623121211/http://aircconline.com:80/ijsea/V7N6/7616ijsea01.pdf · Publisher: https://doi.org/10.5121/ijsea.2016.7601