The DevOps methodology has become dominant in the software development field, and its benefits have been praised for years. In 2022, we carried out a literature review on DevOps security postures and the greatest challenges they pose for software development. The BSIMM framework was used to organize the data.
Synopsys has gathered data from over 130 organizations using the BSIMM software security maturity framework. This gave us a chance to compare the findings of our study, which drew on academic sources, with those from industry practice, and also to look at them across the 2019-2024 timeline.
The top findings of our 2022 academic literature review were:
1) People have complained for ages about security being considered too late in the software development cycle, yet we still did not find security postures that cover the whole development cycle.
2) DevOps development is carried out in a highly complex environment.
3) The DevOps style even brings in novel challenges for software security.
In this talk:
1) First, the challenges and common postures for software security from the 2022 literature review are summarized; the findings related to the DevOps development style are discussed in more detail than in the original research.
2) Secondly, we compare the results with the findings of the most recent BSIMM research.
3) Thirdly, we discuss the trend of integrating security into DevOps in the light of this analysis covering four years.
Based on our analysis, we conclude that:
- DevOps seems to bring additional challenges to secure software development;
- security still does not seem to be taken into consideration in a holistic way;
- as more and more software is produced using AI, the utmost care should be taken to train the AI on code models that take security into consideration.
We challenge you to:
Disagree: what contrasting evidence do you have? (In the brief discussion after the presentation.)
Make the world better, one software development project at a time (this happens when you go home and see anyone forgetting security in their software development postures).
Anne Honkaranta
I am a seasoned ICT professional with over 25 years of experience in the field.
I am a mix of academic curiosity and a drive for customer-friendly, understandable cyber security practices. I finished my doctoral thesis in 2003, and am currently finishing my (second) M.Sc., this time in Cyber Security. My interests lie in information and cyber security and (secure) enterprise architectures.
In my current position as a principal consultant I enjoy the possibility to mix my interests: working with customers on challenging cyber security projects, and taking part in developing our product portfolio and customer-oriented approach. Previously I worked for 15 years in a mid-size software company in many roles and positions, including cyber security manager, security and enterprise architect, and solution design manager in large bidding projects.
While not at work, I play guitar and ukulele, walk with my dog, train Pilates and go to the woods for horseback riding. We have a band with co-workers - 2nd Hand Band - and we enjoy playing, jamming and inventing cyber-security related lyrics to old favorite songs.