Presentation
BP: Security Concerns and Best Practices for Automation of Software Deployment Processes: An Industrial Case Study
2018 IEEE Cybersecurity Development Conference (SecDev 2018)
  • Vaishnavi Mohan, Deloitte Analytics Institute
  • Lotfi ben Othmane, Iowa State University
  • Andre Kres, IBM
Document Type
Conference Proceeding
Conference
2018 IEEE Cybersecurity Development Conference (SecDev 2018)
Publication Version
Accepted Manuscript
Link to Published Version
https://doi.org/10.1109/SecDev.2018.00011
Publication Date
1-1-2018
DOI
10.1109/SecDev.2018.00011
Conference Title
2018 IEEE Cybersecurity Development Conference (SecDev 2018)
Conference Date
September 30-October 2, 2018
Geolocation
(42.3736158, -71.1097335)
Abstract

SecDevOps is a paradigm for integrating the software development and operation processes while considering security and compliance requirements. Organizations are reluctant to transform their development and operation processes to SecDevOps because of the expectation of incompatibility between security and DevOps. This paper reports on a study performed at IBM on the transformation of five Business Intelligence (BI) projects to SecDevOps. The study revealed that the main security concerns for the automation of the deployment process are: separation of roles, enforcement of access controls, manual security tests, audit, security guidelines, management of security issues, and participation of the security team. The major recommended best practices for a transformation of current processes to SecDevOps are: good documentation and logging, strong collaboration and communication, automation of the processes, and enforcement of separation of roles. Based on the empirical results, we conclude that separation of roles is the main aspect to be considered when planning to automate deployment processes. The results of the study are being used by the IBM BI Unit and may be used by other organizations when planning to migrate to SecDevOps, especially for BI projects.

Comments

This is a manuscript of a proceeding published as Mohan, Vaishnavi, Lotfi ben Othmane, and Andre Kres. "BP: Security Concerns and Best Practices for Automation of Software Deployment Processes: An Industrial Case Study." In 2018 IEEE Cybersecurity Development Conference (SecDev 2018), (2018) 21-28. DOI: 10.1109/SecDev.2018.00011. Posted with permission.

Rights
© 2018 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.
Copyright Owner
IEEE
Language
en
File Format
application/pdf
Citation Information
Vaishnavi Mohan, Lotfi ben Othmane and Andre Kres. "BP: Security Concerns and Best Practices for Automation of Software Deployment Processes: An Industrial Case Study." Cambridge, MA. 2018 IEEE Cybersecurity Development Conference (SecDev 2018) (2018) p. 21-28
Available at: http://works.bepress.com/lotfi-benothmane/3/