The DevOps methodology has become dominant in the software development field, and its benefits have been praised for years. In 2022, we carried out a literature review of DevOps security postures and the greatest security challenges for software development. The BSIMM framework was used to organize the data.
Synopsys has gathered data from over 130 organizations using the BSIMM software security maturity framework. This gave us a chance to compare the findings of our study, based on academic sources, with those from real industry, and also to look at the timeline covering 2019-2024.
The top findings of our 2022 academic literature review were:
1) People have been complaining for ages that security is considered too late in the software development cycle; still, we did not identify security postures that would cover the whole development cycle.
2) DevOps development is carried out in a highly complex environment.
3) The DevOps style even brings in novel challenges for software security.
In this talk,
1) First, the challenges and common postures for software security from the 2022 literature review are summarized; the findings related to the DevOps development style are discussed in more detail than in the original research.
2) Secondly, we compare the results with the findings of the most recent BSIMM research.
3) Thirdly, we discuss the trend of integrating security into DevOps in the light of this analysis covering 4 years.
Based on our analysis, we conclude that
- it seems that DevOps brings additional challenges to secure software development
- it seems that security is still not taken into consideration in a holistic way
- as more and more software is produced using AI, the utmost care should be taken to train the AI on code models that take security into consideration
We challenge you to:
Disagree: what contrasting evidence do you have? (in the brief discussion after the presentation)
Make the world better, one software development project at a time (this happens when you go home and see anyone forgetting security in their software development postures).