DevSecOps: Integrating Security into the DevOps Pipeline for Cloud-Native Applications

Authors

  • Amit Kumar Reddy, Senior Systems Programmer, BbVA USA, Alabama, USA
  • Venkat Rama Raju Alluri, Platform Engineering Expert, Novartis Health Care India Pvt Ltd, Hyderabad, India
  • Shashi Thota, Data Engineer, Orrbasystems.com, New York, USA
  • Chetan Sasidhar Ravi, Mulesoft Developer, Zurich American Insurance, Illinois, USA
  • Venkata Sri Manoj Bonam, Data Engineer, Kiewit Corporation, Omaha, USA

Keywords:

DevSecOps, cloud-native applications, shift-left security

Abstract

Security in DevOps shapes how cloud-native applications are developed and operated. DevSecOps safeguards cloud-native CI/CD pipelines, and developers of cloud-native and microservice-based systems must treat security as a priority. Topics discussed include shift-left security, continuous security testing, and automated security compliance tests for cloud-native applications.

Shift-left security in DevSecOps integrates security into development so that vulnerabilities are detected and resolved early. This preventive strategy reduces the cost and complexity of late-stage security fixes. Automated security testing in the CI/CD pipeline safeguards each code contribution and deployment. Continuous security testing relies on tools such as SAST, DAST, and IAST.
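As an added illustration of the automated pipeline gate the abstract describes (this is example code, not from the paper), the script below reads a SARIF report, the interchange format most SAST scanners can emit, and fails the build stage when findings exceed a policy threshold. The policy limits and the SARIF sample are constructed; `example-sast` is a placeholder tool name.

```python
"""CI/CD security gate: fail the stage when SAST findings exceed policy.
Added example, not the paper's own code; input SARIF is constructed."""
import json
import sys
from collections import Counter

# Policy: maximum findings allowed per SARIF level (assumed values).
POLICY = {"error": 0, "warning": 5}

# Constructed SARIF 2.1.0 fragment standing in for a real scanner report.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},  # placeholder name
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "Unsanitized input reaches SQL query"}},
            {"ruleId": "weak-hash", "level": "warning",
             "message": {"text": "MD5 used for password hashing"}},
            {"ruleId": "unused-import", "level": "note",
             "message": {"text": "Unused import"}},
        ],
    }],
})


def count_findings(sarif_text):
    """Count SARIF results by level across all runs. A result without an
    explicit level is treated as 'warning', the SARIF default."""
    doc = json.loads(sarif_text)
    levels = Counter()
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            levels[result.get("level", "warning")] += 1
    return levels


def evaluate_gate(sarif_text, policy=POLICY):
    """Apply the policy; return (passed, violations), where violations
    describes each level whose count exceeds its allowed maximum."""
    counts = count_findings(sarif_text)
    violations = [f"{lvl}: {counts[lvl]} found, {limit} allowed"
                  for lvl, limit in policy.items() if counts[lvl] > limit]
    return (not violations), violations


if __name__ == "__main__":
    passed, violations = evaluate_gate(SAMPLE_SARIF)
    for v in violations:
        print("GATE VIOLATION:", v)
    sys.exit(0 if passed else 1)  # non-zero exit fails the pipeline stage
```

In a real pipeline the SARIF text would come from the scanner's output file, and the non-zero exit is what blocks the merge or deployment.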


Published

29-11-2021

How to Cite

DevSecOps: Integrating Security into the DevOps Pipeline for Cloud-Native Applications. (2021). Journal of Artificial Intelligence Research and Applications, 1(2), 89-114. https://jairajournal.org/index.php/publication/article/view/41