Development and Evaluation of an Artefact Model to Support Security Compliance for DevSecOps

Abstract: Background. DevOps represents a set of principles and practices of the software development (Dev) and information technology operations (Ops) of the product lifecycle requirements. DevOps has become a buzzword in organizations because it is an agile software development offspring. Now-a-days, there is a shift in organizations from DevOps to DevSecOps, which is bringing in a higher level of security built into software delivery pipelines. DevSecOps ensures security is a core component in the workflow to implement secure development and operations processes of automating every aspect. Security inevitably includes issues like compliance in terms of security standards that are concerning with looming cybersecurity threats. There is little known about different concepts of assessing security compliance in terms of security standards in DevOps pipelines. Understanding the artefacts and their dependencies requirements in the software workflow are fundamental to demonstrate compliance. The thesis study proposes to ensure the IEC 62443-4-1 standard for secure product development in industrial systems is incorporated into the artefact model to capture the information related to security compliance. Objectives. The thesis aims to investigate the artefacts and identify its dependencies to develop and design an artefact model for DevSecOps. This artefact model has the possibility to measure security compliance with the IEC 62443-4-1 standard to ensure traceability in DevOps pipeline and evaluate the usability of it. Methods. In this qualitative research, we have conducted a literature review with snowballing to gather information on artefacts that undergo synthesis to develop and design the artefact model. We have conducted interviews with practitioners to collect the data on the usability of the artefact model. Results. The literature review with snowballing is done to identify ten papers in the final data set. We have identified 100 artefacts from the papers. The artefacts are categorized and matched according to practices and activities descriptions. The synthesis of the literature review artefacts provides the basis for designing the artefact model and its dependencies for DevSecOps workflow. The interview results are thematically coded and we have obtained a list of benefits, challenges, and security compliance barriers with DevOps pipelines. This process evaluates the practitioners’ understanding of the designed artefact model usability in the industry to assess the standard’s security compliance. Conclusions. The research study identifies the artefacts that help with developing the artefact model. It provides the practitioners’ understanding of the usability of the artefact model in the industry to meet the secure software development product life-cycle requirements according to the IEC 62443-4-1 standard. The results demonstrated the evidence of assessing the security compliance for DevSecOps workflow in DevOps pipeline.