Automating Cybersecurity Compliance in DevSecOps with Open Information Model for Security as Code
Haverinen, Henry; Janhunen, Tomi; Päivärinta, Tero; Lempinen, Sami; Kaartinen, Suvi; Merilä, Sami (2024-10-22)
ACM
22.10.2024
Henry Haverinen, Tomi Janhunen, Tero Päivärinta, Sami Lempinen, Suvi Kaartinen, and Sami Merilä. 2024. Automating Cybersecurity Compliance in DevSecOps with Open Information Model for Security as Code. In Proceedings of the 4th Eclipse Security, AI, Architecture and Modelling Conference on Data Space (eSAAM '24). Association for Computing Machinery, New York, NY, USA, 93–102. https://doi.org/10.1145/3685651.3686700
https://creativecommons.org/licenses/by/4.0/
© 2024 Copyright held by the owner/author(s). This work is licensed under a Creative Commons Attribution International 4.0 License.
https://creativecommons.org/licenses/by/4.0/
© 2024 Copyright held by the owner/author(s). This work is licensed under a Creative Commons Attribution International 4.0 License.
https://creativecommons.org/licenses/by/4.0/
Julkaisun pysyvä osoite on
https://urn.fi/URN:NBN:fi:oulu-202411186784
https://urn.fi/URN:NBN:fi:oulu-202411186784
Tiivistelmä
Abstract
Software development teams meet increasing requirements to implement cybersecurity management in compliance with standards and regulations. However, adopting a compliant cybersecurity management system and DevSecOps practices as part of a software development process has turned out to be tedious and expensive in practice. Open-source communities and open ecosystems, which lack tools and realistic practices for compliant cybersecurity management, face these difficulties as well.
This paper suggests a set of requirements and a solution that are based on long-term experience in adopting standard compliant DevSecOps processes in industry. The proposed solution, called Cyberismo, facilitates the adoption of compliance and cybersecurity management, improves collaboration on cybersecurity in company internal projects, cross-company projects, and open-source projects, and automates the compliance and cybersecurity management in software development by way of an open information model representation format, and an open-source tool to manage the information model. As the information model uses a simple plain text format that can be managed by automated DevSecOps tool chains, it can be understood as an instance of the Everything as Code and Security as Code paradigms.
The proposed solution is designed as modular, tailorable to the organisation and its existing tools, and flexible enough to model both process- and technology-related information. It automates both the validation of how compliance requirements have been met and the gathering and archiving of evidence of compliance. The information model is mapped to a logic program conforming to the Answer Set Programming (ASP) paradigm for knowledge representation. The mapping enables flexible query evaluation and reasoning, including the calculation of performance measures and automated policy checks. However, developers, product owners and other end-users of the solution do not necessarily need to know how to write logic programs, as logic programs can be encapsulated in content modules made available for the users. By putting the ease of adoption of compliant DevSecOps processes by the practitioners in the spotlight, this paper concludes that it is both necessary and possible to meet all the proposed requirements.
Software development teams meet increasing requirements to implement cybersecurity management in compliance with standards and regulations. However, adopting a compliant cybersecurity management system and DevSecOps practices as part of a software development process has turned out to be tedious and expensive in practice. Open-source communities and open ecosystems, which lack tools and realistic practices for compliant cybersecurity management, face these difficulties as well.
This paper suggests a set of requirements and a solution that are based on long-term experience in adopting standard compliant DevSecOps processes in industry. The proposed solution, called Cyberismo, facilitates the adoption of compliance and cybersecurity management, improves collaboration on cybersecurity in company internal projects, cross-company projects, and open-source projects, and automates the compliance and cybersecurity management in software development by way of an open information model representation format, and an open-source tool to manage the information model. As the information model uses a simple plain text format that can be managed by automated DevSecOps tool chains, it can be understood as an instance of the Everything as Code and Security as Code paradigms.
The proposed solution is designed as modular, tailorable to the organisation and its existing tools, and flexible enough to model both process- and technology-related information. It automates both the validation of how compliance requirements have been met and the gathering and archiving of evidence of compliance. The information model is mapped to a logic program conforming to the Answer Set Programming (ASP) paradigm for knowledge representation. The mapping enables flexible query evaluation and reasoning, including the calculation of performance measures and automated policy checks. However, developers, product owners and other end-users of the solution do not necessarily need to know how to write logic programs, as logic programs can be encapsulated in content modules made available for the users. By putting the ease of adoption of compliant DevSecOps processes by the practitioners in the spotlight, this paper concludes that it is both necessary and possible to meet all the proposed requirements.
Kokoelmat
- Avoin saatavuus [38824]
Ellei muuten mainita, aineiston lisenssi on https://creativecommons.org/licenses/by/4.0/