Application Security Review Criteria for DevSecOps Processes

University essay from Luleå tekniska universitet/Institutionen för system- och rymdteknik

Abstract: For several years, a trend in agile software development methodologies that connects development with operations has been transforming business activities in the industry. This methodology, which breaks down the formerly separate silos of development and operations, is commonly referred to as DevOps. From a security point of view, however, the DevOps methodology lacks a fundamental integration of security in any of its phases. As a result, the DevSecOps practice, which intertwines the disciplines of security, development and operations, is gaining more and more popularity. The biggest challenge in this shift of practice is introducing security methods into existing DevOps processes seamlessly, without disturbing their fast pace and responsiveness. Whereas security integration and processes for making DevOps secure are discussed in various preceding studies, this research focuses on an investigation of criteria that can be used to measure application security in DevSecOps integration. Given the lack of a fundamental base of academic literature on the topic, a Multivocal Literature Review (MLR) was conducted. For the study, not only academic research but also gray literature such as blogs and articles from industry practitioners was investigated to extract meaningful review criteria. Where applicable, high-level criteria, agreed-upon best practices and descriptions of security controls were examined and compiled from the studied literature. The criteria resulting from the MLR process were further analyzed with regard to each criterion's coverage in existing security standards. Additionally, each criterion's connection to the fundamental principles of the DevOps methodology was investigated. The resulting list of criteria, together with additional, partially classified sub-criteria, is presented as the primary contribution of the thesis.
Further, the results were discussed and the criteria were evaluated for measurability and applicability with the help of an expert group from the cooperating company Veriscan Security AB. Lastly, the study highlights the current state of research on the topic, discusses the lack of knowledge in particular areas, and serves as a foundation and suggestion for several fields of future research. The criteria could, for instance, enable future design science research on DevSecOps security measurement.